Enjoying the Benefits and Minimizing the Risks of Open Source

Open-source software – code that is freely available for anyone to inspect, modify, enhance and otherwise reuse – is everywhere.

It’s easy to understand why open source is so popular. Building on flexible, modular code that thousands of independent programmers have tested, debugged, and refined gives developers a significant head start, enabling rapid, cost-effective production of reliable, high-quality software. Version control systems help manage open-source code files, while public repositories such as GitHub store code libraries and provide easy access. Common open-source tools include Linux, Apache, and Java.

The Ubiquity of Open Source

Open-source code is the foundation on which most companies build their proprietary code and applications. Developers see little reason to reinvent software when code that handles just the functions they need is freely available on GitHub. In fact, open source is so widely used that it is almost impossible to find solutions without it. In a recent analysis, Synopsys examined anonymized audits of 1,546 codebases across 17 different industries and found that a whopping 98% contained open-source code, which comprised 75% of all codebases.

The Risks of Open-Source Code

Along with convenience and increased productivity, open source comes with some risk.

Audited codebases had, on average, 158 vulnerabilities. 84% of the codebases had at least one vulnerability in their open-source code, up from 75% a year earlier. 60% had “high risk” vulnerabilities, meaning vulnerabilities that have been exploited in the past, have a documented “proof of concept,” or are classified as remote code execution vulnerabilities.

The dynamic nature of open-source code results in a good deal of uncertainty and risk. Any change that any developer makes, or any new branch, may introduce a new vulnerability into a previously vulnerability-free open-source library. It is therefore essential for developers to stay on top of the most recent information available for the libraries they use.

The log4j vulnerability (CVE-2021-44228), which appeared in December 2020, is the most stunning example of the risks of open-source code – “the most serious vulnerability I have seen in my decades-long career,” according to Jen Easterly, director of the US Cybersecurity and Infrastructure Security Agency.

Log4j is a logging routine that’s part of the Apache logging code, which is written in Java. The vulnerability allows hackers to take control of any server running it simply by sending malicious code to the log. The code is so commonly used that billions of devices are exposed.

More recently, over 1300 malicious packages were identified in npm, a JavaScript repository of building blocks for web applications whose packages are downloaded over 20 billion times each week. Use of these code blocks can expose app users to cryptojacking, botnets, and theft of credentials and other data. While the malicious packages were removed after being identified, they might already have been included in countless applications.

High-profile cases such as log4j and the npm packages get a lot of attention, but there are many vulnerabilities in less commonly used pieces of code that are also potentially hazardous. And since companies might not even keep track of all the open-source code used in their software, it is hard for them to stay on top of vulnerabilities once they are discovered.

Protecting Against Open Source Vulnerabilities

Given the vast libraries of open-source code available, vulnerabilities may be anywhere and take any form. No single security technique or solution can protect against all potential exploits.

The best chance of staying protected, therefore, is to leverage a comprehensive Zero Trust based solution, such as Ericom’s ZTEdge platform, which integrates an array of tools that together protect against all cyberthreats, including zero-day exploits, regardless of where they are found.

ZTEdge Web Security protects users from malicious code blocks like those in the infected npm packages by leveraging remote browser isolation (RBI) to keep all code from the web off user devices and networks. When users click a link or enter a URL in their browser, the site actually opens in a virtual browser, located in a remote cloud-based container. Only safe rendering data reaches the endpoint, where the user interacts with it as always, via their usual browser. Once the user stops interacting with the site, the container is destroyed, along with any malicious content.

To address vulnerabilities like log4j, ZTEdge includes Intrusion Protection System (IPS) capabilities that monitor traffic flows for suspicious behavior. Even before the log4j vulnerability was known, IPS would have spotted suspicious behavior related to an attempted exploit, such as a hacker scanning for log4j, or trying to execute a malicious Java string, or moving laterally inside an organization’s server to search for applications using log4j.

Once suspicious behavior is detected, ZTEdge stops the exploit and issues an alert including details about the attempted attack.

ZTEdge is continually updated with the latest information on attack patterns; a log4j vulnerability update was issued within hours of the exploit being published. Since ZTEdge is cloud based, updates immediately take effect, with no action required on the part of the customer.  

The ZTEdge platform provides a host of additional protections, including secure remote access to user desktops and SaaS applications. Zero Trust Network Access, together with built-in Identity and Access Management, enforces least privilege access to minimize potential damage in the event that a malicious agent does manage to penetrate into the network.

Conclusion

Open-source code is an integral part of virtually every company’s IT infrastructure. Avoiding all use of open source is simply not an option today; it is too integrated in the basic architecture of modern networks, and the productivity advantages when developing new apps are impossible to ignore.

It is, however, possible for companies to protect themselves from the risks inherent in using open-source code by keeping track of the code they use and patching vulnerabilities as they become public, and by implementing a comprehensive Zero Trust security solution such as ZTEdge.

John Peterson

Chief Product Officer | Ericom Software
John is responsible for product strategy and helping to define and support Ericom’s go-to market activity. Most recently, he was founding Chief Product Officer at Stellar Cyber. In his 30-year career, John has held executive positions at Comodo, Barracuda, Juniper, Fortinet, Websense, Montego Networks and Netscreen. He was a key member of four companies that went public and three that were acquired. John served as a United States Marine and holds multiple patents.