Open source software is very popular and makes up a significant portion of business applications. According to Synopsys, 99% of commercial databases contain at least one open source component, and nearly 75% of these codebases contain open source security vulnerabilities.
开源软件非常流行，并且构成业务应用程序的重要组成部分。 据Synopsys称 ，99％的商业数据库至少包含一个开源组件，而这些代码库中有将近75％包含开源安全漏洞。
One of the major reasons why companies and developers choose to work with open source software is that it saves them from having to develop these base capabilities themselves.
Oh, and open source software is free!
Despite its advantages, open source software tends to have vulnerabilities that might impact your data and organization. In order to give you an overview of how open source security risks can impact your business, we have listed the top three open source security risks and ways to address them.
Before we dive into the article, let’s take a look at what exactly open source vulnerabilities are.
什么是开源漏洞？ (What Are Open Source Vulnerabilities?)
Open source vulnerabilities are basically security risks in open source software. These are weak or vulnerable code that allows attackers to conduct malicious attacks or perform unintended actions that are not authorized.
In some cases, open source vulnerabilities can lead to cyberattacks like denial of service (DoS). It can also cause major breaches during which an attacker might get unauthorized access to sensitive information of an organization.
There are a lot of security concerns when it comes to open source software. For instance, OpenSSL is an encryption library responsible for managing highly sensitive data transmission functions by a wide variety of internet-connected software including the software that runs some of the most popular email, messaging, and web services.
You remember “Heartbleed”? Yes, that caused quite a stir! Yes, that was a critical open source vulnerability in a SSH library.
您还记得“ Heartbleed”吗？ 是的，这引起了很大的轰动！ 是的，这是SSH库中的一个严重的开源漏洞。
Similarly, another popular open source vulnerability was found in 2014 in Bash shell, the default command processor on many Linux distributions. It had an arbitrary command execution vulnerability that could be exploited remotely via server-side CGI scripts on web servers, and other mechanisms. This open source vulnerability is popularly known as “Shellshock.”
同样，2014年在Bash shell中发现了另一个流行的开源漏洞，Bash shell是许多Linux发行版中的默认命令处理器。 它具有任意命令执行漏洞，可以通过Web服务器上的服务器端CGI脚本和其他机制来远程利用该漏洞。 这个开源漏洞通常被称为“ Shellshock”。
前三大开源安全风险是什么？ (What are the Top 3 Open Source Security Risks?)
Now that you have a fair idea about what open source security risks are, let’s explore the top three open source security risks that exist today and how you can mitigate these risks.
软件安全风险 (Software Security Risks)
Open source vulnerabilities, once discovered, can be a tempting target for attackers to exploit them.
Typically, these open source vulnerabilities and the details about how to carry out the exploit are made publicly available. This enables hackers to gain all the necessary information they need to carry out an attack. Combine this with the widespread use of open source software, and you can imagine the havoc it creates when an open source vulnerability is found.
通常，这些开源漏洞以及有关如何利用此漏洞的详细信息是公开提供的。 这使黑客能够获取进行攻击所需的所有必要信息。 将其与开源软件的广泛使用相结合，您可以想象发现开源漏洞时会造成的破坏。
One of the major challenges organizations face while addressing open source vulnerabilities is that tracking them and their fixes aren’t as easy as one might assume.
Since these open source vulnerabilities are published across a wide variety of platforms, it becomes difficult to track them. Also, locating the updated version, patch, or fix to address the security risk is a time-consuming and expensive process.
Once an open source vulnerability and its path of exploitation are published, it’s just a matter of time until attackers exploit them and hack into your organization. It is imperative that businesses integrate necessary tools and processes to quickly address open source vulnerabilities.
漏洞宣传 (Publicity of Exploits)
Open source vulnerabilities are made publicly available on platforms like the National Vulnerability Database (NVD), which is accessible by anyone.
A famous example of attacks due to publicly available open source vulnerabilities was the major Equifax breach in 2017 where the credit reporting company had leaked personal information of 143 million people. This attack took place because Equifax was using a version of the open source Apache Struts framework that had high-risk vulnerabilities, and attackers used that vulnerability to their advantage.
由公开可用的开放源代码漏洞引起的攻击的一个著名示例是2017年的重大Equifax漏洞 ，其中信用报告公司泄露了1.43亿人的个人信息。 发生此攻击的原因是Equifax使用了具有高风险漏洞的开源Apache Struts框架版本，攻击者利用该漏洞来发挥自己的优势。
Such attacks on open source software not only cause data leakage or loss but also impact a company’s market reputation, valuation, and customer relationships. This, in turn, can impact your customer churn rate, retention rate, sales, and revenue. Dealing with the impact of a breach caused due to open source vulnerabilities can be a lengthy, and painful process.
对开源软件的此类攻击不仅会导致数据泄漏或丢失，而且还会影响公司的市场声誉，估值和客户关系。 反过来，这可能会影响客户流失率，保留率，销售和收入。 处理由于开放源代码漏洞而造成的违规影响可能是一个漫长而痛苦的过程。
许可合规风险 (Licensing Compliance Risks)
Open source software comes with a license that allows the source code to be used, modified, or shared under defined guidelines. However, the problem with these licenses is that most of them don’t meet the stringent OSI and SPDX definitions of open source.
In addition to that, single proprietary applications often include several open source components, and these projects are released under various license types, such as GPL, Apache License, or MIT License.
Organizations are required to comply with each individual open source license, which can be quite overwhelming. Especially with the rapid development and release cycle businesses follow along with the fact that there are nearly 200+ open source license types that exist today.
A study of 1,253 applications found that about 67% of codebases had license conflicts and 33% of codebases had unlicensed software. Non-compliance with licenses can put enterprises at the risk of legal action, impacting your operations, and financial security.
您如何克服这些开源安全风险？ (How Can You Beat These Open Source Security Risks?)
Next, let’s take a closer look at the solutions to these open source security risks.
建立安全第一文化 (Build a Security-First Culture)
Too often, developers choose to work with open source components based on the functionality and programming language they need. While functionality is important, other criteria should also be included.
For instance, each individual component of a project may offer functionality, without the need to integrate the entire project codebase. This helps limit the number of open source software and helps simplify integration, remove security risks, and reduce source code complexity as well in non-required components.
Open source software is just as likely to have security risks as any other software, so it’s necessary that each component you choose to work with offers functionality and is secure.
In addition to this, open source projects are usually focused on delivering new updates with new features for end users. Due to time and budget constraints, enterprises pay less attention to security and are more inclined to release the update as quickly as possible.
However, companies should maintain a balance between the new releases while ensuring that the design, implementation, and code is secure.
One of the most important things you can do is to inventory what open source software you use and track vulnerabilities that are associated with these libraries.
拥抱自动化和扫描开源软件中的漏洞 (Embrace Automation and Scanning for Vulnerabilities in Open Source Software)
Finding and fixing vulnerabilities in open source software is a big challenge in itself. Companies need to find a way to detect all security vulnerabilities in the open source code in their environments, update the list regularly, drive developers away from old, insecure software components, and finally deploy patches whenever security vulnerabilities are found.
One way to help combat this is to incorporate automated tools that help you continuously track your open source usage and identify security weaknesses, vulnerabilities, fixes, and updates.
Automation tools for open source software help identify which packages are being used in which projects, what security vulnerabilities they contain, and how they can be fixed. These tools often come with alerting features as well. If a vulnerability is discovered, notifications are sent to the concerned development and security team to alert them about the newly found security risks.
开源软件的自动化工具可帮助识别哪些包在哪些项目中使用，它们包含哪些安全漏洞以及如何修复它们。 这些工具通常还具有警报功能。 如果发现漏洞，则会将通知发送到相关的开发和安全团队，以警告他们有关新发现的安全风险。
Integrating automation to scan security vulnerabilities in open source software is especially important for large organizations, since it can be difficult to track and identify vulnerabilities in all of their source code that is in use.
Most enterprises are not even aware of their full inventory of applications they have, which makes them more vulnerable to cyberattacks due to unidentified vulnerabilities in the source code. A report says nearly 88% of the codebases have open source components with no development activity at all in the last two years.
交叉训练您的员工 (Cross-Train Your Staff)
It’s not always easy or even possible to hire professionals who are experts in both development and security. It is, however, possible to train your teams so that they can approach the issues from both ends. While it isn’t always easy to hold regular cybersecurity awareness training for different teams, it’s critical for the overall security of your projects.
聘请在开发和安全方面都是专家的专业人员并非总是容易的，甚至不可能。 但是，可以对您的团队进行培训，以便他们可以从两端解决问题。 为不同的团队定期进行网络安全意识培训并不总是那么容易，但这对项目的整体安全至关重要。
Enterprises should ensure that their developers have a general understanding of cybersecurity, as well as the latest trends and updates. Your developers should be able to identify common security issues that arise in open source code, if not fix them.
Similarly, the security team should be involved in the development process from the early stages. Rather than making security an after-thought, it should be a priority from the very beginning of a project.
Just as you analyze and track your development process, you should proactively monitor your security efforts as well. Taking a proactive approach can go a long way in being prepared to handle open source security risks.
最后的想法 (Final Thoughts)
Open source is an excellent model that can be found in many of today’s projects. However, to ensure secure open source code, you need to acknowledge the security risks that come with open source software. You have to make sure that each of your open source components is delivering value to the project and are secure.
开源是一个很好的模型，可以在当今的许多项目中找到。 但是，为了确保安全的开源代码，您需要确认开源软件附带的安全风险。 您必须确保每个开源组件都在为项目交付价值并且是安全的。
Cypress Data Defense helps companies run security audits and strengthen the overall security of their projects by recommending the best security practices.
赛普拉斯数据防御(Cypress Data Defense)通过推荐最佳安全实践，帮助公司进行安全审核并增强项目的整体安全性。
We help enterprises create a roadmap for releasing secure updates and provide open source support, scanning, monitoring, and provide solutions to safely and effectively leverage open source software. With Cypress Data Defense, organizations can gain necessary control over their open source components to mitigate open source security risks while increasing their cost savings.