NEW TECH: WhiteSource leverages automation to mitigate lurking open-source vulnerabilities

By Byron V. Acohido

Just like the best sourdough bread derives from a “mother” yeast that gets divided, passed around, and used over and over, open-source software applications get fashioned from a  “mother” library of code created and passed around by developers.

Related: Equifax hack highlights open source attack vectors

In today’s world, quick innovations are a necessity, and software developers would rather not lose valuable time reinventing the wheel. Instead, they recycle open-source components when developing new code.

In turn, enterprises of all sizes are accelerating their use of free software that is tethered to their products and services. According to the Linux Foundation, as much as 80 percent of the code in current applications is open source, often buried deep.

But while vulnerabilities are inherent in most software, open source has more attack vectors. Because of its nonproprietary nature, open-source code can be studied, used and altered by anyone for any purpose—and that includes attackers.

Epic Equifax breach

In recent years, hackers weaponized Heartbleed and Shellshock, the two huge security bugs discovered in open-source internet protocols, compromising data confidentiality. Then in 2017, credit-reporting agency Equifax experienced an epic breach that exposed sensitive personal data, including the credit card and Social Security numbers, of some 144 million citizens.

The hackers leveraged a vulnerability in something called Apache Struts, an open-source application framework that supports the credit bureau’s web portal. It is widely used by developers of Fortune 100 companies to build web applications.

In Equifax’s case, hackers used the flaw to access and remove copies of files for over two months, between May 13 and July 30, 2017. When it seemed like the breach couldn’t get any worse for Equifax, the company also revealed that they knew about the vulnerability and tried to patch it in March 2017.

So while open-source software has a long list of advantages and is here to stay, what can be done to keep criminal exploitation at a minimum?

I talked about this with Azi Cohen, co-founder and NA general manager of WhiteSource, an open-source security and license compliance management  solution. WhiteSource helps companies protect and manage open-source software components through automation.

Read on for Cohen’s thoughts on this issue, and then listen to the accompanying podcast for a deeper drill down:

Aha! moment

WhiteSource came to its automated solution when its founders were in the process of selling an earlier company, Eurekify. As part of due diligence for the sale, they produced an open source inventory report that was rejected. They had to trace back their usage and detect all open source components in their software, including dependencies, manually which was a very time-consuming and costly process

It also was an aha! moment for Eurekify’s founders who realized they could help other companies by automating the tasks associated with open-source components, alleviating the painful process they had endured.

“The total number of open-source components used by companies is growing exponentially,” Cohen said. “In parallel, as projects are becoming more popular, more contributors working on the code,  detecting vulnerabilities and patching them.”

But fixes must be applied by the users of these open source projects. According to Cohen, “hackers know companies will patch fast, so they try to hit very fast as well,” attacking as soon as an open source vulnerability is published.

“The number of susceptibilities that companies have to deal with is growing, but the time to take care of them is shrinking,” he said. “So we automate the process.”

Attentive market

After Equifax and other prominent breaches, companies now are sitting up and paying more attention to open-source security, realizing it can be used as an attack vector.

“Enterprises realized that just looking at the legal aspect of using open source, which was what they thought should be important—the compliance side—is not as important as security,” Cohen said. They realized “they are very vulnerable and can be attacked.”

To that end, automation can do to a level what mere humans cannot—scaling up security, which allows for earlier detection and quicker fixes for susceptibilities in constantly morphing open-source code.

Cohen

WhiteSource’s open source management system automatically and continuously monitors your open source usage. When new open-source code is introduced, the system identifies it, parses its vulnerability and compliance issues, applies the company’s defined policies, and “either allows it in or not, or triggers an approval process,” Cohen said.

Whenever a new vulnerability is detected, the company is immediately alerted. As soon as a fix for the flaw is devised, the company then will get an alert to go ahead and patch it, significantly shrinking the time that criminals can exploit the vulnerability.

“Open source is a living thing,” Cohen said. “The community will keep on finding open-source vulnerabilities in existing companies. You may have introduced a new open-source component that was clean, but two months later there might be a new one.”

Last Watchdog’s Denise Szott contributed to this report.


(Editor’s note: LW has provided consulting services to WhiteSource.)

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone