
Open Source Software Security Risks and Best Practices

Enterprises are leveraging a variety of open source products including operating systems, code libraries, software, and applications for a range of business use cases. While using open source comes with cost, flexibility, and speed advantages, it can also pose some unique security challenges. Given that open source components may be present in up to 96% of commercial applications, how can you be sure that your software is secure?

We asked two members of the Cloud Academy Content Team (Logan Rakai, our DevOps specialist, and Stuart Scott, our specialist in all things security) to share their tips for helping keep your open source components secure.

What makes open source components so vulnerable to security risks?

The short release cycles of some open source projects can be difficult to keep up with. On the plus side, new features and patches get deployed sooner rather than later. However, auditing every release can be someone’s full-time job, and by the time you’ve managed all the issues in one release, another one is ready. Flavor-of-the-week open source frameworks are a security nightmare, and while having an automated system to scan for the latest updates will help, it’s not a failsafe that can identify all of the issues.

With such a wide base of users to test the software and spot potential bugs and security flaws, open source software (OSS) is often considered more secure. However, when it comes to catching and fixing security issues, simply having more eyes on the problem isn’t enough. Security problems require security expertise, and not all developers are security experts. They may know enough to try to implement certain fixes, but this can create a false sense of risk mitigation. More advanced topics like cryptography, for example, further narrow the field of those who can review code for such security flaws.

Dependencies in open source projects allow some vulnerabilities to fly under the radar. Projects that include unknown third-party libraries pulled from package managers may be passing on vulnerabilities that aren’t easily visible. Many developers pin version ranges to ensure future patches are available. However, a dependency that is several projects removed may be more difficult to notice in the first place, and is more likely to be an attack vector that can be exploited.
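
The transitive-dependency problem described above, as an added example that is not part of the original article: it walks a constructed dependency graph, reports each component resolved below its fixed version, and names the direct dependencies that pull it in. All package names, versions and the advisory feed are hypothetical, and versions are assumed to be plain dotted numbers.

```python
# Added example: constructed data, hypothetical package names.
import sys

# Resolved dependency graph as a lockfile records it:
# package -> (resolved version, direct dependencies).
GRAPH = {
    "shop-app":        ("1.0.0", ["web-framework", "pdf-export"]),
    "web-framework":   ("4.2.1", ["template-engine", "http-client"]),
    "pdf-export":      ("0.9.3", ["image-codec"]),
    "template-engine": ("2.0.0", ["expr-parser"]),
    "image-codec":     ("1.4.0", ["expr-parser"]),
    "http-client":     ("3.1.0", []),
    "expr-parser":     ("1.2.0", []),
}
# Constructed advisory feed: package -> first version containing the fix.
ADVISORIES = {"expr-parser": "1.2.5", "http-client": "3.0.2"}

def parse(version):
    """Assumes plain dotted numeric versions such as 1.2.0."""
    return tuple(int(part) for part in version.split("."))

def paths_to(graph, node, target, path=()):
    """Every dependency chain from node down to target."""
    path = path + (node,)
    if node == target:
        return [path]
    chains = []
    for dep in graph[node][1]:
        if dep not in path:  # guard against dependency cycles
            chains.extend(paths_to(graph, dep, target, path))
    return chains

def audit(graph, advisories, root):
    """Report packages resolved below their fixed version and who pulls them in."""
    report = []
    for name, fixed in sorted(advisories.items()):
        if name not in graph or parse(graph[name][0]) >= parse(fixed):
            continue
        chains = paths_to(graph, root, name)
        if chains:
            report.append({
                "package": name, "version": graph[name][0], "fixed_in": fixed,
                "depth": min(len(c) - 1 for c in chains),
                "introduced_by": sorted({c[1] for c in chains if len(c) > 1}),
            })
    return report

if __name__ == "__main__":
    findings = audit(GRAPH, ADVISORIES, "shop-app")
    for f in findings:
        print(f"{f['package']} {f['version']} (fixed in {f['fixed_in']}), "
              f"depth {f['depth']}, via {', '.join(f['introduced_by'])}")
    sys.exit(1 if findings else 0)  # non-zero exit fails a CI step
```

The flagged component never appears in the application's own dependency list; it sits three levels down and arrives through two different direct dependencies, both of which have to move before the fix reaches the build.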

What can developers and DevOps teams do to better secure open source components?

Treat everything as code, including compliance. Doing so will help ensure that known regulations including those for the payment card industry (PCI) or healthcare (HIPAA) information privacy are followed. This will also make it easier to ensure that patches are universally applied.

Embrace automation. Staying up to date on vulnerabilities logged in online sources such as the National Vulnerability Database or postings on project home pages is necessary, but also time-consuming. Put some frontline tools in place to help catch the obvious things (there are some great commercial and open source Dynamic Application Security Testing (DAST) solutions available) and employ monitoring tools to keep up with what’s happening in real time. Tools such as SumoLogic are great and serve as a modern alternative to a Security Information and Event Management (SIEM) system. At a minimum, static code analysis must be part of the CI/CD process, where it provides automated, early detection of security issues to complement peer reviews.

Bring developers and security together. Enlist your security teams to train developers to drive thorough understanding of security and the latest trends. An initial secure coding workshop held in partnership with the security team is a great way to kick things off. Invite them to design reviews and include them in sessions when high-risk changes are being made.

Build a security-first culture. Your organization must do more than just bring developers and security together; it must also ensure that effective security practices are built into everything you do. The best fixes and the best alerting mechanisms in the world cannot resolve poor security practices. The Equifax breach, for example, attributed to vulnerable versions of the open source software Adobe Struts, is a case in point. Since the well-publicized breach in 2017, companies have continued to download the vulnerable versions of the package despite the fact that a patch is available. (The patch was also available two months before the Equifax breach and has been issued multiple times since.) In DevOps culture, security discussions must happen early and often throughout the software development lifecycle and beyond. If you’re using open source components, it’s your responsibility to be aware of the updates and to actually apply them yourselves.

Fortunately, there are tools to help you evaluate the security of the open source software you are using in your applications and give you confidence in it. Two tools that provide enterprise-ready end-to-end solutions for managing open source risk are Black Duck and Sonatype Nexus. Note that these solutions are not overnight fixes and will take time to integrate.

There are also free tools for assessing the risks in open source software and containers. Many open source software packages utilize free static analysis scanners and the results are available for everyone to inspect.

Coverity Scan provides free deep scans of open source software that include the Common Weakness Enumeration (CWE/SANS) Top 25 vulnerabilities. Many projects trust Coverity Scan, including the Linux kernel and Apache projects such as Hadoop. You can find them on the project page.

If you aren’t comfortable with the risks identified, you might consider using alternate software or versions. Similarly, if you are using Docker containers in your DevOps practice, you can take advantage of Docker Security Scanning results of official images hosted by Docker and use the same technology to scan your own private repository images.
