Organisations of all sizes and types are expanding their use of cloud and mobile applications, which rely heavily on open source components, and these software elements live outside the company firewall. Attackers have learned that applications are the weak spot in most organisations' cyber security defenses, and that widely available exploits for publicly known open source vulnerabilities have a high ROI, allowing them to compromise thousands of sites, applications and IoT devices with minimal effort. With that in mind, here are four predictions concerning open source security that I think are distinct possibilities for the coming year.
1. The number of cyber attacks based on known open source vulnerabilities will increase by 20 percent.
Why? While open source is no less (and no more) secure than commercial code by itself, there are several characteristics of open source that make it an attractive target:
- Open source use is ubiquitous, and therefore offers a target-rich environment.
- Open source vulnerabilities are publicly disclosed in the National Vulnerability Database (NVD), and references are often made to exploits that “prove” the vulnerability.
- The support model for open source is usually the opposite of commercial software. For the latter, a service level agreement is typically in place that requires the vendor to “push” updates to its customers and notify them of security issues. With open source, users have elected to download the component and comply with its license. They also take responsibility for monitoring the project for updates, including security issues, and deciding whether or not to “pull” the updates.
2. In 2017 we will continue to see high-profile, high-impact breaches based on open source vulnerabilities disclosed years previously, such as Heartbleed, Shellshock, and POODLE.
Why? Black Duck's Open Source Security Audit Report found that, on average, vulnerabilities in open source components used in commercial applications were over 5 years old. The Linux kernel vulnerability disclosed in October 2016 (CVE-2016-5195, "Dirty COW") had been present in the kernel since 2007. Most organisations don't know about the open source vulnerabilities in their code because they don't track which open source components they use, and don't actively monitor vulnerability disclosures for those components.
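The tracking gap described above is what a component inventory check closes. The following is an added example, not part of the original article and not Black Duck's tooling: a minimal Python check that takes an inventory of shipped components and an advisory feed, and reports every component whose version falls inside an advisory's affected range, together with how long the vulnerability has been public. The inventory, the component "libexample" and the two ADV-EXAMPLE advisories are constructed for illustration; CVE-2014-0160 (Heartbleed, OpenSSL 1.0.1 through 1.0.1f, fixed in 1.0.1g, published 7 April 2014) is real. In practice the inventory would come from a build manifest or SBOM and the advisories from the NVD feed.

```python
import re
from datetime import date

# Constructed inventory of what a build actually ships: component -> version.
INVENTORY = {
    "openssl": "1.0.1f",
    "libexample": "2.3.0",   # hypothetical component
    "zlib": "1.2.11",
}

# Advisory feed. Ranges follow the NVD convention: 'introduced' is inclusive,
# 'fixed' is exclusive. CVE-2014-0160 is real; the ADV-EXAMPLE entries are constructed.
ADVISORIES = [
    {"id": "CVE-2014-0160", "component": "openssl",
     "introduced": "1.0.1", "fixed": "1.0.1g", "published": date(2014, 4, 7)},
    {"id": "ADV-EXAMPLE-0001", "component": "libexample",
     "introduced": "2.0.0", "fixed": "2.4.1", "published": date(2016, 1, 15)},
    {"id": "ADV-EXAMPLE-0002", "component": "zlib",
     "introduced": "1.2.0", "fixed": "1.2.9", "published": date(2016, 12, 31)},
]


def parse_version(version):
    """Turn '1.0.1f' into ((1, ''), (0, ''), (1, 'f')) so that OpenSSL-style
    letter suffixes and plain dotted versions compare as tuples."""
    parts = []
    for piece in version.split("."):
        m = re.fullmatch(r"(\d+)([A-Za-z]*)", piece)
        if not m:
            raise ValueError(f"unparseable version component: {piece!r}")
        parts.append((int(m.group(1)), m.group(2)))
    return tuple(parts)


def version_in_range(version, introduced, fixed):
    """True if introduced <= version < fixed, padding shorter versions with zeros
    so that '1.2' and '1.2.0' compare equal."""
    v, lo, hi = parse_version(version), parse_version(introduced), parse_version(fixed)
    width = max(len(v), len(lo), len(hi))

    def pad(t):
        return t + ((0, ""),) * (width - len(t))

    return pad(lo) <= pad(v) < pad(hi)


def find_known_vulnerabilities(inventory, advisories, today):
    """Match every advisory against the inventory and return the affected
    components, oldest public vulnerability first."""
    findings = []
    for adv in advisories:
        shipped = inventory.get(adv["component"])
        if shipped is None:
            continue  # component not in this build
        if version_in_range(shipped, adv["introduced"], adv["fixed"]):
            findings.append({
                "id": adv["id"],
                "component": adv["component"],
                "shipped": shipped,
                "fixed_in": adv["fixed"],
                "age_days": (today - adv["published"]).days,
            })
    return sorted(findings, key=lambda f: -f["age_days"])


if __name__ == "__main__":
    for f in find_known_vulnerabilities(INVENTORY, ADVISORIES, date(2017, 1, 1)):
        print(f"{f['id']}: {f['component']} {f['shipped']} "
              f"(fixed in {f['fixed_in']}, public for {f['age_days']} days)")
```

Run against the constructed data as of 1 January 2017, the check flags OpenSSL 1.0.1f (Heartbleed, public for 1,000 days) and libexample 2.3.0, and clears zlib 1.2.11 because it is at or past the fixed version. The point of the age column is the one the audit report makes: a finding that has been public for three years is not a zero-day, it is an inventory failure.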
3. 2017 will see the first auto manufacturer recall based on an open source breach.
Why? A typical new car in 2016 has over 100 million lines of code. Automobiles are becoming increasingly intelligent, automated, and, most importantly, internet-connected. This will exacerbate a problem that already exists: carmakers don't know exactly what software is inside the vehicles they manufacture, because most of the software that binds sensors and other car hardware together comes from third parties. That software almost certainly contains open source components with known security vulnerabilities, and a vulnerability that is merely costly in a web application can have disastrous consequences in a moving vehicle.
4. At least one major M&A deal will be put in jeopardy because of a discovered security breach.
Why? As the Yahoo data breach demonstrated, any M&A transaction can be hindered by software security issues, especially now that for more and more companies the software is the business. Companies develop their proprietary code over many years and many millions of dollars, and that software is their distinct competitive advantage. Open source issues in that proprietary code, from both a license compliance and an application security perspective, can be very damaging to the value of the software franchise. Some buyers, if they find an IT issue or an open source issue during due diligence, will not acquire the company at any price.
Even though open source is an essential element in nearly every piece of software today, most companies are blind to possible security issues in the open source components contained in their code – issues which often remain undiscovered until a code audit is performed.
While these predictions should be of concern, I want to emphasize that open source is a great tool, and not something that organisations should fear. Open source is not the problem – it’s a lack of visibility into open source that’s the issue. As I noted at the beginning of this article, open source is no less (or more) secure by nature than commercial code – it’s software and it will have vulnerabilities. Open source only becomes a problem when organisations don’t have visibility into the open source they use, or don’t track the ongoing security of the open source components in their code.