Enjoy the benefits and minimize the risks of open source

Open source software – code freely available for anyone to inspect, modify, improve and reuse – is everywhere.

It’s easy to see why open source is so popular. Relying on flexible, modular code that thousands of independent programmers have tested, debugged, and refined gives developers a significant head start, enabling the rapid and cost-effective production of reliable, high-quality software. Version control systems help manage open source code files, while public repositories like GitHub store code libraries to provide easy access. Common open source tools include Linux, Apache, and Java.

The ubiquity of open source

Open source code is the foundation on which most companies build their proprietary code and applications. Developers see little reason to reinvent software when code that handles exactly the functions they need is freely available on GitHub. In fact, open source is so widely used that it’s almost impossible to find solutions without it. In a recent analysis, Synopsys looked at anonymous audits of 1,546 codebases across 17 different industries and found that a whopping 98% contained open source code, which made up 75% of all codebases.

The risks of open source code

In addition to convenience and increased productivity, open source comes with some risks.

The audited codebases had an average of 158 vulnerabilities. 84% of codebases had at least one vulnerability in their open source code, up from 75% a year earlier. 60% had “high risk” vulnerabilities, meaning vulnerabilities that have been exploited in the past, have documented “proof of concept”, or are classified as remote code execution vulnerabilities.

The dynamic nature of open-source code brings a lot of uncertainty and risk. Any change made by a developer, or any new branch, can introduce a new vulnerability into a previously vulnerability-free open source library. It is therefore essential for developers to stay up to date with the latest information available for the libraries they use.

The log4j vulnerability (CVE-2021-44228), which emerged in December 2020, is the starkest example of the risks of open-source code – “the most severe vulnerability I’ve seen in my decades-long career”, according to Jen Easterly, director of the US Cybersecurity and Infrastructure Security Agency.

Log4j is a logging library that is part of the Apache logging code, which is written in Java. The vulnerability allows attackers to take control of any server running it simply by getting a malicious string written to the log. The library is so commonly used that billions of devices are exposed.

More recently, over 1300 malicious packages have been identified in npm, a JavaScript repository of building blocks for web applications whose packages are downloaded over 20 billion times each week. Use of these code blocks may expose app users to cryptojacking, botnets, and theft of credentials and other data. Although the malicious packages were removed after being identified, they may have already been included in countless applications.

High profile cases such as log4j and npm packages get a lot of attention, but there are many vulnerabilities in less commonly used pieces of code that are also potentially dangerous. And since companies may not even keep track of all the open source code used in their software, it’s hard for them to stay on top of vulnerabilities once they’re discovered.

Protection against open source vulnerabilities

Given the vast libraries of open source code available, vulnerabilities can be found anywhere and take any form. No single technique or security solution can protect against all potential exploits.

The best chance of staying protected is therefore to take advantage of a comprehensive Zero Trust-based solution, such as Ericom’s ZTEdge platform, which integrates a range of tools that together protect against all cyber threats, including zero-day exploits, regardless of location.

ZTEdge Web Security protects users from malicious code blocks like those in infected npm packages by leveraging Remote Browser Isolation (RBI) to keep all code from the web off users’ devices and networks. When users click on a link or enter a URL in their browser, the site actually opens in a virtual browser, located in a remote cloud-based container. Only secure render data reaches the endpoint, where the user interacts with it as always, through their regular browser. Once the user stops interacting with the site, the container is destroyed along with any malicious content.

To address vulnerabilities such as log4j, ZTEdge includes Intrusion Protection System (IPS) features that monitor traffic flows for suspicious behavior. Even before the log4j vulnerability became known, IPS reportedly spotted suspicious behavior related to an attempted exploit, such as a hacker looking for log4j, trying to execute a malicious Java string, or moving laterally inside an organization’s servers to search for applications using log4j.

Once suspicious behavior is detected, ZTEdge stops the exploit and issues an alert containing details of the attempted attack.

ZTEdge is continually updated with the latest attack pattern information; an update to the log4j vulnerability was released a few hours after the exploit was published. Because ZTEdge is cloud-based, updates take effect immediately, with no action required from the customer.

The ZTEdge platform provides a host of additional protections, including secure remote access to user desktops and SaaS applications. Zero Trust Network Access, combined with built-in identity and access management, enforces least-privilege access to minimize potential damage should a malicious agent manage to enter the network.

Conclusion

Open source code is an integral part of virtually every company’s IT infrastructure. Avoiding all use of open source is simply not an option today; it’s too integrated into the core architecture of modern networks, and the productivity benefits when developing new applications are impossible to ignore.

It is, however, possible for companies to protect themselves from the inherent risks of using open source code by keeping track of the code they use and patching vulnerabilities as they become public, and by implementing a comprehensive Zero Trust security solution such as ZTEdge.
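Keeping track of the open source code in use starts with an inventory. As an added example (not Ericom’s or the article’s own code), the script below reads an npm lockfile, lists every installed package including nested copies, and flags any version that falls inside a known-vulnerable range; the lockfile and the advisory list are constructed sample data, and the package names are made up.

```python
"""Inventory an npm lockfile and flag packages in a vulnerable version range.
Added example; the lockfile and advisories are constructed sample data."""
import json

# Constructed package-lock.json (lockfileVersion 2/3 layout: "packages" keyed by path).
SAMPLE_LOCKFILE = json.dumps({
    "name": "sample-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "sample-app", "version": "1.0.0"},
        "node_modules/left-pad-ish": {"version": "1.2.0"},
        # A second, nested copy of the same package at a different version.
        "node_modules/nested/node_modules/left-pad-ish": {"version": "1.3.1"},
        "node_modules/some-logger": {"version": "2.14.0"},
    },
})

# Constructed advisories: package -> list of (first_affected, first_fixed) ranges.
SAMPLE_ADVISORIES = {
    "left-pad-ish": [("1.0.0", "1.3.0")],   # fixed in 1.3.0
    "some-logger": [("2.0.0", "2.15.0")],   # fixed in 2.15.0
}

def parse_version(version):
    """Turn '2.14.0' into (2, 14, 0) so versions compare numerically;
    a pre-release suffix such as '-beta' is dropped."""
    core = version.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))

def inventory(lockfile_text):
    """Return {package_name: set(versions)} for every installed package.
    Nested copies are included, which a flat top-level listing would miss."""
    data = json.loads(lockfile_text)
    found = {}
    for path, meta in data.get("packages", {}).items():
        if not path:  # "" is the root project itself, not a dependency
            continue
        # Last path component after node_modules/ keeps scoped names (@scope/name).
        name = path.rsplit("node_modules/", 1)[-1]
        found.setdefault(name, set()).add(meta["version"])
    return found

def find_affected(inv, advisories):
    """Return sorted (name, installed_version, first_fixed) for each vulnerable copy."""
    hits = []
    for name, versions in inv.items():
        for ver in versions:
            for lo, hi in advisories.get(name, []):
                if parse_version(lo) <= parse_version(ver) < parse_version(hi):
                    hits.append((name, ver, hi))
    return sorted(hits)
```

Note that the nested `left-pad-ish` copy at 1.3.1 is reported as clean while the top-level 1.2.0 copy is flagged; both copies ship in the application, so patching must cover the full tree, not just direct dependencies.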

The post Reaping the Benefits and Minimizing the Risks of Open Source appeared first on Ericom’s blog.

*** This is a syndicated blog from Ericom Blog’s Security Bloggers Network written by JOHN PETERSON. Read the original post at: https://blog.ericom.com/enjoying-the-benefits-and-minimizing-the-risks-of-open-source/?utm_source=rss&utm_medium=rss&utm_campaign=enjoying-the-benefits-and-minimizing-the-risks-of-open-source