Security checks must be introduced early and repeated during every sprint with an automated solution to determine the open-source components’ safety and legal compliance.
Open-source software is present in virtually all software development, and that growth will continue in 2022. Every industry vertical uses and develops open-source software, and every business is now, in effect, a software company. As a result of the pandemic, more businesses offer their products and services online or through apps. The continued expansion of open source adoption will also broaden security awareness.
The Apache log4j vulnerability, regulatory requirements, and recent scrutiny have made more CEOs and IT executives aware of the extent to which open source is used in their organizations, with a positive impact on security budgets. Use of solutions that scan at build time for vulnerabilities and licensing infractions in open source software will increase as awareness grows of the thousands of open source libraries used in all software development.
Open-source components and libraries are becoming more prevalent. Many of the open-source components and libraries used by MEAN/MERN stack applications have known vulnerabilities; each application typically contains 30 or more vulnerable components.
A substantial percentage of open-source libraries and components are either copyleft or dual-licensed, which restricts their use in closed-source applications.
Developers are often unaware of open-source licenses and their usage restrictions, which is a serious legal risk.
In 2022, we'll continue to see organizational requirements for a holistic and comprehensive Software Composition Analysis (SCA) solution. Threatrix addresses these vital compliance and control needs by introducing open source compliance checks into the application/product development lifecycle. These checks must be introduced early and repeated during every sprint. The most effective approach is an automated solution that determines the open-source components' safety and legal compliance.
Companies can create corporate-wide policies surrounding open-source software to report its use across divisions, teams, or projects and gate builds from entering production if they violate corporate policy.
Software Supply Chain Attacks
Supply chain attacks are popular among threat actors because the return on investment is high: by compromising one product or service used by numerous companies, an attacker reaches all of its customers at once.
Software supply chain attacks, in which threat actors inject malicious code into third-party software or gain access through an unpatched open source vulnerability, increased by 650% in 2021, with roughly three out of five companies affected. Thanks to awareness and tooling, in 2022 we'll see an improvement in prevention.
Open source packages are typically stored in online repositories (package registries). Because several packages are widely used across many applications, those registries make a practical and scalable malware distribution mechanism.
The Three Forms of Software Supply Chain Attacks
The two most common forms are dependency confusion and typosquatting. Both exploit the fact that software development tools known as dependency managers download open source packages into applications automatically, by name, from a registry.
In a dependency confusion attack, the attacker learns the name of a package an organization builds internally and publishes a package with that same name, usually with a higher version number, on a public registry; a dependency manager configured to consult both the public and the private registry picks the attacker's "newer" version and installs it. In typosquatting attacks (the package-registry analogue of URL hijacking), the attacker publishes a package whose name differs from a popular package's name by a single character, hoping that developers will mistype the name. These were the most common forms in 2021.
The third form is malicious code injection. Rather than relying on a lookalike package, the attacker exploits a flaw in the open source project itself, such as an input validation flaw, to insert malicious code into the legitimate package, affecting everyone who installs and runs it. The application interprets the injected code, which changes how the program executes.
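The two lookalike-package attacks above can be screened for before a dependency manager resolves anything. The following is an added example, not code from the original post or from Threatrix: it normalizes the names in a constructed requirements.txt, flags any name within one edit of a popular package (typosquatting) and any internal-namespace name the resolver could fetch from the public index (dependency confusion). The popular-package list, the `acme-` internal prefix and the requirements file are all constructed for the example.

```python
"""Added example, not code from the original post or from Threatrix: a
pre-resolution check for the two lookalike-package attacks described above.

Everything here is constructed for the example:
  - POPULAR stands in for a registry's most-downloaded package names.
  - INTERNAL_PREFIXES is the organisation's private package namespace.
  - REQUIREMENTS is a hand-written requirements.txt; no installer is run.
"""
import re

POPULAR = {"requests", "urllib3", "numpy", "pyyaml", "cryptography", "boto3"}

# Names under this prefix are built in-house. If the resolver may fetch them
# from the public index, anyone can publish the same name there with a higher
# version and win the resolution (dependency confusion).
INTERNAL_PREFIXES = ("acme-",)

REQUIREMENTS = """\
requests==2.28.1
urlib3>=1.26          # one letter short of urllib3
acme-billing==3.0.0   # internal package
numpy==1.23.0
crypt0graphy==38.0.0  # digit zero for the letter o
"""


def normalize(name: str) -> str:
    """PEP 503 name normalisation: case-insensitive; '-', '_' and '.' are equivalent."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> list[str]:
    """Return normalised package names from requirements.txt lines (comments dropped)."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        match = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if match:
            names.append(normalize(match.group(0)))
    return names


def within_one_edit(a: str, b: str) -> bool:
    """True if a and b differ by at most one insertion, deletion, substitution
    or swap of adjacent characters (Damerau-Levenshtein distance <= 1)."""
    if a == b:
        return True
    if len(a) == len(b):
        diffs = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
        if len(diffs) == 1:
            return True                       # single substitution
        return (len(diffs) == 2 and diffs[1] == diffs[0] + 1
                and a[diffs[0]] == b[diffs[1]] and a[diffs[1]] == b[diffs[0]])
    if abs(len(a) - len(b)) != 1:
        return False
    short, long_ = sorted((a, b), key=len)
    i = 0
    while i < len(short) and short[i] == long_[i]:
        i += 1
    return short[i:] == long_[i + 1:]         # single insertion/deletion


def audit(requirements: str, *, private_only: bool = False) -> list[tuple[str, str, str]]:
    """Flag (name, kind, detail) for each dependency that matches either attack form.

    private_only=True models a resolver configured so that internal names can
    only ever come from the private index (not pip's --extra-index-url, which
    lets the public index compete), which closes the dependency-confusion hole.
    """
    findings = []
    for name in parse_requirements(requirements):
        if name in POPULAR:
            continue
        if name.startswith(INTERNAL_PREFIXES):
            if not private_only:
                findings.append((name, "dependency-confusion",
                                 "internal name resolvable from the public index"))
            continue
        for popular in sorted(POPULAR):
            if within_one_edit(name, popular):
                findings.append((name, "typosquat", f"one edit away from {popular}"))
                break
    return findings


if __name__ == "__main__":
    for finding in audit(REQUIREMENTS):
        print(*finding, sep="\t")
```

The edit-distance check is a triage signal, not proof: a legitimate package can sit one character away from a popular one, so each hit needs a human look. The dependency-confusion branch only checks configuration; the durable fix is to serve internal names exclusively from a private index and to pin dependencies with hashes.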
SBOM: Essential to Securing the Software Supply Chain
Security begins with awareness. Step one in protecting your organization from open source vulnerabilities is obtaining a comprehensive list of components, a software bill of materials (SBOM), and then using that list to upgrade each component to the latest secure version before releasing the deliverable. Threatrix believes that a software bill of materials is a must-have for any organization that wants a first line of defense against attackers.
Step two: use a comprehensive detection solution that continuously monitors developers' open-source code before projects are deployed. This critical step may save companies tens of millions. Consider the Equifax breach, which exposed the personal data of about 147 million consumers in 2017; in 2019 the credit bureau agreed to pay up to $700 million in a settlement with the FTC and other authorities, a settlement Reuters reported at the time as the largest of its kind.
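The two steps above, together with the build gate from the policy paragraph earlier, come down to one evaluation over the inventory. The following is an added example, not code from the original post or from Threatrix: it reads a constructed CycloneDX-style SBOM, matches each component against an advisory feed and a license policy, and returns a gate decision. The feed is hand-written; its log4j-core entry mirrors the real first fix version for CVE-2021-44228 (2.15.0), while `com.example:fast-xml` and the `EXAMPLE-0001` advisory are fictitious.

```python
"""Added example, not code from the original post or from Threatrix: the SBOM
workflow described in steps one and two, and the build gate from the policy
paragraph earlier, reduced to a small evaluation function.

Everything here is constructed for the example:
  - SBOM is a minimal CycloneDX 1.4 JSON document (a real SBOM format).
  - ADVISORIES is a hand-written feed. Its log4j-core entry mirrors the real
    first fix version for CVE-2021-44228 (2.15.0); the feed is not a real source.
  - com.example:fast-xml and the EXAMPLE-0001 advisory are fictitious.
  - POLICY denies copyleft licenses for a closed-source product.
"""
import json
import re

SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.14.1", "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "group": "com.example", "name": "fast-xml",
         "version": "1.8.2", "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    ],
})

# (group, name, first fixed version, advisory id)
ADVISORIES = [
    ("org.apache.logging.log4j", "log4j-core", "2.15.0", "CVE-2021-44228"),
]

POLICY = {"denied_licenses": {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"}}


def parse_version(version: str) -> tuple[int, ...]:
    """Compare versions numerically by dotted segment; a pre-release suffix such
    as '-beta9' is ignored, which is good enough for 'is it below the fix?'."""
    parts = []
    for segment in version.split("."):
        digits = re.match(r"\d+", segment)
        parts.append(int(digits.group(0)) if digits else 0)
    return tuple(parts)


def evaluate(sbom_json: str, advisories, policy) -> list[dict]:
    """Match every SBOM component against the advisory feed and the license policy."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        label = f"{comp['name']}@{comp['version']}"
        installed = parse_version(comp["version"])
        for group, name, fixed, advisory_id in advisories:
            if ((comp.get("group", ""), comp["name"]) == (group, name)
                    and installed < parse_version(fixed)):
                findings.append({"component": label, "kind": "vulnerability",
                                 "detail": f"{advisory_id}: upgrade to {fixed} or later"})
        for entry in comp.get("licenses", []):
            license_id = entry.get("license", {}).get("id")
            if license_id in policy["denied_licenses"]:
                findings.append({"component": label, "kind": "license",
                                 "detail": f"{license_id} is denied by policy"})
    return findings


def gate(findings: list[dict]) -> str:
    """Build gate: any finding blocks promotion to production."""
    return "block" if findings else "pass"


if __name__ == "__main__":
    findings = evaluate(SBOM, ADVISORIES, POLICY)
    for f in findings:
        print(f["kind"], f["component"], f["detail"], sep="\t")
    print("gate:", gate(findings))

    # Step two, continuous monitoring: when a new advisory arrives, the stored
    # SBOM is re-evaluated; nothing in production has to be rescanned.
    later = ADVISORIES + [("com.example", "fast-xml", "1.9.0", "EXAMPLE-0001")]
    print("after new advisory:", len(evaluate(SBOM, later, POLICY)), "findings")
```

Two simplifications to keep in mind: real advisory feeds express affected versions as ranges rather than a single fix version, and CycloneDX allows a license `expression` in place of a `license.id`, which this example does not parse. The re-evaluation at the end is the point of keeping the SBOM: a newly published advisory is matched against the recorded inventory, with no scan of the running system.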
Of course, we won't have a precise cost analysis of the log4j vulnerability for some time. Attackers have most likely already breached companies, gained access to their networks and credentials, and will use that access to carry out attacks in the months or even years ahead.
Criteria for Choosing an SCA Solution
Features: The ability to scan all six locations where developers use open source should be the first box checked. Tools that only look in dependency managers or package managers will miss up to 60% of the open source in use, exposing organizations to vulnerabilities and licensing infractions.
Accurate solutions provide deep detection that covers all six: dependency managers, package managers, files downloaded and installed directly into projects, forked projects, static references, and embedded open source (code snippets).
Components with known vulnerabilities, license compliance checks, and obsolete component information should be the minimum a security tool provides. Each organization should also weigh additional features such as code quality metrics, technical debt calculation, cloud readiness checks, CI/CD integration, and break-fix recommendations.
Accuracy of the results: All automated tool results contain false positives, meaning the tool reported an issue that is not a valid issue. A solution with a low false-positive rate reduces the effort spent manually triaging and dismissing them. Time equals money.
Fix Recommendations: Automated fix recommendations and guidelines will speed up the process of providing workarounds and fixing issues. When fix recommendations are not helpful or practical, developers will spend extra time understanding and fixing the problems manually.
Supported Technologies: Some tools support fewer than 22 languages. Threatrix supports major technologies and 400+ programming languages.
Scanning Time: Slow scan times hinder engineers’ completion of their projects. Choosing a tool with shorter scan times can help expedite the CI/CD pipeline time allowing developers to complete their tasks on time. Threatrix provides results during build-time in seconds.
Effort and time required: Some tools take longer and require more effort to deploy before they produce results. Threatrix's entire deployment takes less than 15 minutes. Security teams save time and effort with simpler deployment models.
Benefits
- By introducing safety and compliance checks early, development teams that use open source can significantly reduce development time and effort.
- Open source issues are identified early in development for more efficient and less costly remediation efforts.
- Creates immediate transparency for compliance, legal, and security personnel, identifying where open source has been included in organizational development projects and the organizational risks introduced by developers' use of open source components.
- A company's security posture for its applications/products significantly improves. Compliance reports produced as part of deployment facilitate clearance from internal and client information security teams.
- Addressing components with copyleft or commercial licenses improves legal compliance, reduces the risk that inappropriate licensing forces closed-source software to be released as open source, and satisfies M&A requirements and investor scrutiny.
- Can even identify new findings in production, by matching newly published vulnerabilities against the components already inventoried, without scanning the running production environment; detection and remediation proceed without the added risk of running a dynamic scan in production.
- Obsolete components can be upgraded to reduce technical debt.
- With automated scanning, results are available almost immediately and require little to no manual intervention, resulting in less impact on delivery schedules.
Threatrix provides policy/procedure templates with embedded leading practices that can be customized for internal use, helping organizations codify and integrate Threatrix for maximum benefit.
In 2022 CISOs and DevSecOps leaders will continue tirelessly contributing to a concerted response to open source security and licensing challenges, and Threatrix looks forward to continuing to support their efforts.