Q&A: What all companies should know about their exposure to ‘open-source’ vulnerabilities

By Byron V. Acohido

Hackers were able to ransack Equifax last year and steal personal data for some 144 million citizens by exploiting a vulnerability in an open-source component that the credit bureau had failed to patch.

Related article: Beware of open-source vulnerabilities lurking all through your network

The hackers leveraged a vulnerability in something called Apache Struts2, an open-source application framework that supports the credit bureau’s web portal. It is widely used by developers of Fortune 100 companies to build web applications.

It turns out that Apache Struts2 is widely deployed among small and mid-sized businesses, as well. LastWatchdog recently had a conversation with Rami Sass, CEO and co-founder of WhiteSource, a supplier of open source management systems. We discussed the exposure that companies face, with respect not just to Apache Struts, but also many other open source components. Here are excerpts, edited for clarity and length:

LW: How would you characterize the exposure companies are facing today due to the engrained use of open source systems?

Sass: Because open source projects like Apache Struts2, for instance, are used by so many organizations, many of which are handling valuable customer data, all kinds of businesses and organizations can find themselves exposed to the risk of having their data stolen. For an enterprise, this can be destructive for their bottom line. SMBs can be wiped out if a breach occurs, unable to weather the storm from the fallout.


LW: Just how dependent are companies on open source at this point in time?

Sass: Open source code is the cornerstone of the software industry, comprising an estimated 60% to 80% of the products out there. Developers in all sectors depend on open source for working faster and more efficiently, using it to add necessary functions to their apps. It doesn’t matter if you’re Microsoft or a small app developer, if you’re making apps, then you’re using open source. In the case of the Equifax breach, they were hacked through the vulnerable version of Apache Struts2, a very popular open source project that is used in web apps.

LW: What should company decision makers understand about open source vulnerabilities?


Sass: The primary risk when it comes to open source components is from known vulnerabilities. Because the vulnerabilities are announced and listed online, hackers don’t have to go through the work of analyzing the components for weaknesses. They just need to ping companies’ systems and find one that hasn’t implemented the latest patch to find their next victim.

Furthermore, you can’t remediate if you don’t know what you have. Most developers will seek out an open source component, add it to their product, and forget about it without properly adding it to their inventory. While this is a problem on many levels, one of the biggest issues is that developers won’t know that they are using vulnerable components when they are disclosed, so they won’t know to go in and make the patches. This means that most organizations that aren’t using the right tools are vulnerable, and they don’t even know it.

LW: What should we expect from malicious hackers through 2018?

Sass: One of the most interesting developments thus far this year has been the release of Autosploit by the security researcher/hacker VectorSEC at the tail end of January. He essentially took the searching power of Shodan and the exploit capabilities of Metasploit, and made an all-in-one, fully automated “search and exploit” tool that takes all of the work out of hacking.

Related article: AutoSploit makes mass exploitation easier

This makes it easy for anyone, even those without any serious hacking skills, to break into unpatched systems. It also tips the balance, allowing hackers to punch above their weight, targeting massive lists of companies based on whether they are using general open source projects.

This means that companies don’t have to be specifically targeted in order to be at risk. Anonymity is no longer a good defense. There are automated systems, such as the one we offer, that can make mitigating open source exposures easier and scalable. As the attackers automate hacking processes, companies are going to need to do the same.

LW: As a company decision maker, how do I begin to deal with my open source risk?

Sass: There are solutions, like the one offered in this WhiteSource free trial, that give you full visibility over all of the open source components in your environment, tell you which ones are vulnerable, and give you the power to set policies organization-wide to keep your products safe and compliant. The first step though is to understand that you are already using open source in your apps, and that even as they have the power to make your development more efficient and speedy, their security risks are something that you have to manage before you are breached.

(Editor’s note: Last Watchdog has supplied consulting services to WhiteSource.)
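The point Sass makes about inventory (“you can’t remediate if you don’t know what you have”) comes down to two mechanical steps: keep a list of every component and version you ship, and compare that list against published advisories whenever one lands. The script below is an added illustration of that check, written for this article; it is not WhiteSource’s code, nor any real vulnerability database. The manifest lines, the advisory IDs (ADV-PLACEHOLDER-*) and every affected-version range are constructed for the example and do not reproduce the real Struts2 advisory data. It does show one detail a practitioner cares about: an advisory can cover several release lines at once, so the check has to walk each range rather than assume one fix version.

```python
"""Dependency inventory vs. advisory list (constructed example, not real advisory data)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.5.10.1' into (2, 5, 10, 1) so versions compare numerically.
    Non-numeric tails such as '-SNAPSHOT' are dropped after the numeric part."""
    out = []
    for part in re.split(r"[.\-]", v.strip()):
        if part.isdigit():
            out.append(int(part))
        else:
            break
    return tuple(out)


@dataclass(frozen=True)
class Advisory:
    id: str                 # placeholder identifier, not a real CVE
    component: str          # 'group:artifact' coordinate the advisory applies to
    # Each range is (first affected version inclusive, first fixed version exclusive);
    # a fixed version of None means no fix has been published for that line.
    ranges: List[Tuple[str, Optional[str]]]


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse a minimal 'group:artifact:version' inventory; '#' starts a comment."""
    deps: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) != 3:
            raise ValueError(f"malformed manifest line: {raw!r}")
        group, artifact, version = fields
        deps[f"{group}:{artifact}"] = version
    return deps


def affected_range(version: str, adv: Advisory) -> Optional[Tuple[str, Optional[str]]]:
    """Return the advisory range that covers `version`, or None if the version is outside all of them."""
    v = parse_version(version)
    for introduced, fixed in adv.ranges:
        if v < parse_version(introduced):
            continue
        if fixed is not None and v >= parse_version(fixed):
            continue
        return (introduced, fixed)
    return None


def find_vulnerable(deps: Dict[str, str], advisories: List[Advisory]):
    """Match the inventory against the advisory list.
    Returns sorted (component, installed version, advisory id, first fixed version or None)."""
    hits = []
    for adv in advisories:
        installed = deps.get(adv.component)
        if installed is None:
            continue
        rng = affected_range(installed, adv)
        if rng is not None:
            hits.append((adv.component, installed, adv.id, rng[1]))
    return sorted(hits)


# Constructed inventory: a Struts2 dependency plus two made-up components.
MANIFEST = """
# constructed manifest for the example
org.apache.struts:struts2-core:2.3.31
com.example:widget-lib:1.4.0      # hypothetical component
org.example:logger:3.0.2          # hypothetical component
"""

# Constructed advisories; ranges are illustrative, not the real Struts2 advisory.
ADVISORIES = [
    Advisory("ADV-PLACEHOLDER-1", "org.apache.struts:struts2-core",
             [("2.3.0", "2.3.32"), ("2.5.0", "2.5.11")]),   # two release lines, two fixes
    Advisory("ADV-PLACEHOLDER-2", "com.example:widget-lib", [("1.0.0", None)]),  # no fix yet
    Advisory("ADV-PLACEHOLDER-3", "org.example:logger", [("1.0.0", "3.0.0")]),    # already fixed
]

if __name__ == "__main__":
    for component, installed, adv_id, fixed in find_vulnerable(parse_manifest(MANIFEST), ADVISORIES):
        action = f"upgrade to {fixed}" if fixed else "no fix published; mitigate or remove"
        print(f"{component} {installed}: {adv_id} -> {action}")
```

Run as-is it reports the Struts2 entry with its fix version and the widget-lib entry with no fix available, while the logger entry stays quiet because its installed version is past the fixed one. In practice the manifest would come from the build tool’s resolved dependency graph (including transitive dependencies) and the advisory list from a maintained feed; the matching logic is the same.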
