
Staying Secure with Open Source


Aaron Tantleff, Partner, Foley & Lardner LLP
Companies today are faced with ever-increasing pressure to innovate; quickly. For most, it is a function of market reality–the company is being asked to do more, with fewer engineers, and in less time. If the software is old, outdated, or it has been more than a year since the last major release with new “killer” features, customers may perceive your company as behind the times. As a result, many companies resort to the use of Open Source Software (OSS), usually under an Apache or GNU General Public License, for parts of their software offering. On the surface, this makes sense. Why should a company expend its valuable resources to reinvent the wheel when it can just leverage what somebody else has done for free?
Relying on OSS saves time and money but can lead to unintended and highly consequential results. For instance, OSS may compromise security. It is widely believed that OSS is more secure than proprietary software. Some believe that many programmers, from a wide variety of disciplines, review the source code and test the application. At least one will catch all of the software bugs and security flaws, right?
As the Heartbleed bug of 2014 should have shown us, this does not really happen in practice. Heartbleed is widely considered to be one of the biggest failures to date. Heartbleed effected an application called OpenSSL, which was used to encrypt the information for hundreds of millions of websites. A bug permitted invalid input (remember, hackers don’t think in terms of valid inputs –they think in terms of invalid inputs) to cause a website to dump all of the information left around in its buffer. That information could include anything that was left lying around – account numbers, passwords, social security numbers, etc.
The best solution may lie in the old adage “trust, but verify”
Nobody caught it because software engineers, under the pressure of short schedules and to get the latest and greatest gadget out, were fooled into believing that because OSS can be more secure, it is infused with the magic security pixie dust such that it is more secure.
Why did Heartbleed fail? One reason, while OSS may have more eyeballs on it, it suffers from inconsistent coding methodology.
While a company may (and if not, should) have some standard coding guidelines and conduct design reviews to ensure those guidelines are consistently followed for production code, OSS has none of that. While some of it may be great, particularly the code designed by a group of developers who collaborate closely with similar well thought out and reproducible design methodologies, not all OSS is like that. One security developer at FreeBSD (an Open Source group) noted, “OpenSSL… sucks. The code is a mess, the documentation is misleading, and the defaults are deceptive. Plus, its 300,000 lines of code that suffers from just about every software engineering ailment you can imagine.” In other words, the poor design process made this incredibly commonly used code a train wreck that costs somewhere around $500M.Jason White, CAO & General Counsel, Toshiba America Business Solutions
In addition to the lack of structured code in some OSS, there is a hidden danger for companies using OSS in their products. Because OSS is designed, developed, and ultimately maintained on a volunteer basis, it may become orphaned, without any individual or group of individuals to maintain it. Who can blame them?
Eventually even the best of us has to make a living and sometimes life gets in the way and there is no time for such volunteer work. Like the new security vulnerabilities are found all the time in proprietary code (Microsoft is famous for “patch Tuesday”), those vulnerabilities may also be found in OSS code. When it is, and the OSS is orphaned, the vulnerability may be around for years afterwards. Verizon’s 2015 Data Breach Report reported that 97 percent of all exploited vulnerabilities were a result of just 10 vulnerabilities published in Mitre’s Common Vulnerability Exploits (CVE). Eight of these 10 had been known and publicized for more than five years. In fact, since 2013, the CVE database has experienced a huge spike in known vulnerabilities for common libraries such as Open SSL. The older the code, the more likely it is that there is a CVE that affects it.
While not all unfixed vulnerabilities can be attributed to OSS, the chances of a bug not being fixed in orphaned OSS code are significantly higher than it may be for proprietary code where a company’s reputation may be on the line.
The U.S. Department of Homeland Security estimates that 90 percent of a typical application is comprised of OSS components, and as much as 71 percent of applications have a critical or severe vulnerability in their OSS components. Take, for example, the IoT market. As new devices come out, old models lose their support as the company moves their engineers over to develop next year’s product.
So what is a technology company to do? It is doubtful they will stop using OSS, and it would put them at a competitive disadvantage to do so. The best solution may lie in the old adage “trust, but verify.” It’s fine to use OSS, but a company shouldn’t believe that it is without bugs or security vulnerabilities because it is OSS. Instead, companies should test the package, and their overall product, for security vulnerabilities.
At a minimum, the company’s software test engineers should be testing against CVE’s with a score of seven or higher, and maybe even 4 or higher. (Heartbleed itself was originally scored as a five, but the scoring system has been revised to place it significantly higher.) The company should also be vigilant during code reviews for evidence of issues identified in the CWE/SANS Top 25 Most Dangerous Software Errors database, the sister security issue list to the CVE database and publicized from Mitre. There is a multitude of commercial tools to analyze source code for security vulnerabilities, including the CWE/SANS Top 25 Most Dangerous Software Errors. Which begs the question, which tests the commercial security tools for security issues?
Through such vigilance, and a healthy skepticism about the use of OSS, companies can continue to reap the efficiencies of OSS. Homeland Security estimates that if only 50 percent of software vulnerabilities were addressed prior to production, costs could be reduced by 75 percent. Plus, there is a side benefit to verifying code before production - minimizing the chances of becoming the latest security issue on the front page news. Thanks Steven Millendorf at Foley & Lardner LLP for all his assistance with this article.
ON THE DECK

Featured Vendors
Expert-Nation.com Network: “Facts Matter,” and Subject Matter Expert Witnesses Bring the Facts from Expert-Nation.com Network
Canon Business Process Services: Timesaving, Cost-Effective Litigation Support Services and Technology for Law Firms
EDITOR'S PICK
Essential Technology Elements Necessary To Enable...
By Leni Kaufman, VP & CIO, Newport News Shipbuilding
Comparative Data Among Physician Peers
By George Evans, CIO, Singing River Health System
Monitoring Technologies Without Human Intervention
By John Kamin, EVP and CIO, Old National Bancorp
Unlocking the Value of Connected Cars
By Elliot Garbus, VP-IoT Solutions Group & GM-Automotive...
Digital Innovation Giving Rise to New Capabilities
By Gregory Morrison, SVP & CIO, Cox Enterprises
Staying Connected to Organizational Priorities is Vital...
By Alberto Ruocco, CIO, American Electric Power
Comprehensible Distribution of Training and Information...
By Sam Lamonica, CIO & VP Information Systems, Rosendin...
The Current Focus is On Comprehensive Solutions
By Sergey Cherkasov, CIO, PhosAgro
Big Data Analytics and Its Impact on the Supply Chain
By Pascal Becotte, MD-Global Supply Chain Practice for the...
Technology's Impact on Field Services
By Stephen Caulfield, Executive Director, Global Field...
Carmax, the Automobile Business with IT at the Core
By Shamim Mohammad, SVP & CIO, CarMax
The CIO's role in rethinking the scope of EPM for...
By Ronald Seymore, Managing Director, Enterprise Performance...
Driving Insurance Agent Productivity with Mobile and Big...
By Brad Bodell, SVP and CIO, CNO Financial Group, Inc.
Transformative Impact On The IT Landscape
By Jim Whitehurst, CEO, Red Hat
Get Ready for an IT Renaissance: Brought to You by Big...
By Clark Golestani, EVP and CIO, Merck
Four Initiatives Driving ECM Innovation
By Scott Craig, Vice President of Product Marketing, Lexmark...
Technology to Leverage and Enable
By Dave Kipe, SVP, Global Operations, Scholastic Inc.
By Meerah Rajavel, CIO, Forcepoint
AI is the New UI-AI + UX + DesignOps
By Amit Bahree, Executive, Global Technology and Innovation,...
Evolving Role of the CIO - Enabling Business Execution...
By Greg Tacchetti, CIO, State Auto Insurance
Read Also
What It Truly Means For IT Security To Bea Business Enabler
Digital Transformation 2 Requires a CIO v2.x
Leverage ChatGPT the Right Way through Well-Designed Prompts
Water Strategies for Climate Adaption
Policy is a Key Solution to Stopping Packaging Waste
Congestion-Driven Basis Risk, A Challenge for the Development of...
