The open-source software (OSS) market is thriving as an increasing number of SMBs (small and medium-sized businesses) and corporations integrate these offerings into their security tech stacks. Compared to proprietary solutions, OSS is cost-effective, can be obtained ready-made and customized to suit specific needs, and is scalable, affirms Migo Kedem, VP, Growth, SentinelOne.
It is estimated that the OSS market will be worth US$ 120.52bn by 2032 with a CAGR of 16.4%. Due to the growing reliance on open-source frameworks, libraries and tools, they have become key components of business operations. Unfortunately, this has also led to a 633% year-on-year increase in cyberattacks launched against open source repositories.
There is now mounting evidence that threat actors are focusing on the surge in open-source adoption, so organizations must build their security systems to respond. The 2020 SolarWinds attack drove rapid change, yet attacks continue to shake the digital community.
There are several risks that warrant discussion with regards to OSS deployments but perhaps the most worrying is out-of-date code; the 2023 OSSRA (Open-Source Security and Risk Analysis) Report found 89% of the codebases scanned were more than four years out-of-date.
Potential risks
To get ahead of this, DevOps and SecOps teams must thoroughly consider the potential risks they can bring into the organization including:
Limited support: OSS may not be backed by a support team or a steady stream of updates, meaning threat actors can exploit existing, unpatched vulnerabilities to gain unauthorized access to a business’ systems.
Universal access: Open-source code can be acquired by anyone, which means threat actors can modify/manipulate it and deploy it as part of malicious campaigns.
Unqualified code: There’s no guarantee OSS solutions have been thoroughly tested by qualified experts to ensure their reliability and/or security.
Knock-on effect of supply chain attacks: Organizations can inadvertently introduce risk into their own environments, which can then also affect their clients downstream.
Keeping this in mind, it’s prudent for businesses to proceed with building their security tool stack around OSS cautiously. This means investigating software to make sure it is safe and dependable to implement; the burden of responsibility falls on security, IT and SecOps teams – they also play an invaluable role in putting best practices into play, to ensure OSS can be relied upon in the long-term by the business.
Starting right
The best way to kick off the investigation into implementing OSS solutions is to manage the risks surrounding dependencies and components. Businesses leveraging open-source libraries must be aware of all the dependencies of those libraries. Any library that a business’ code calls directly can be classified as a direct dependency.
Transitive or indirect dependencies, in contrast, are the libraries that a direct dependency itself calls: a dependency of a dependency. These nested dependencies can run several layers deep in complex frameworks, and managing that complexity is a challenge, because a vulnerability can be exposed at any level.
Understanding dependency
It’s crucial, then, that developers and security teams understand each level of dependency and how a security vulnerability in one component affects the projects connected to it. The OWASP Dependency-Check scanner can be useful for exposing a business’ open-source usage in such cases.
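To make the direct/transitive distinction concrete, here is an added example (not from the article or any SentinelOne tool) that walks a constructed dependency graph, classifies each package by depth, and reports which direct dependencies pull in a given vulnerable package. The package names and the graph are invented for illustration.

```python
from collections import deque

# Constructed sample graph: package -> packages it depends on.
# "app" stands for the business' own code; its children are direct dependencies.
DEPENDENCY_GRAPH = {
    "app": ["web-framework", "http-client", "logger"],
    "web-framework": ["template-engine", "http-client"],
    "http-client": ["url-parser"],
    "template-engine": ["url-parser"],
    "url-parser": [],
    "logger": [],
}

def dependency_levels(graph, root="app"):
    """Breadth-first walk from the root; returns {package: shortest depth}.
    Depth 1 is a direct dependency, depth >= 2 a transitive one."""
    levels = {}
    queue = deque([(root, 0)])
    while queue:
        pkg, depth = queue.popleft()
        if pkg in levels:
            continue  # already reached by a shorter chain
        levels[pkg] = depth
        for dep in graph.get(pkg, []):
            queue.append((dep, depth + 1))
    levels.pop(root, None)
    return levels

def paths_to(graph, target, root="app"):
    """Every dependency chain from the root to the target package, so a team
    can see each route by which a vulnerable component enters the build."""
    found = []
    def walk(pkg, path, seen):
        if pkg == target:
            found.append(path)
            return
        for dep in graph.get(pkg, []):
            if dep not in seen:  # guard against cycles
                walk(dep, path + [dep], seen | {dep})
    walk(root, [root], {root})
    return found

def affected_direct_dependencies(graph, vulnerable, root="app"):
    """Direct dependencies that must be upgraded or replaced to drop the vulnerable package."""
    return sorted({path[1] for path in paths_to(graph, vulnerable, root)})
```

Run against a real project, the graph would be built from the package manager's lockfile or from a scanner such as OWASP Dependency-Check rather than typed in by hand.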
In addition, it’s critical a business has clear policies in place on OSS usage; business leaders must work closely with SecOps, IT teams and the organization’s security team to create strict policies and rules with regards to dependencies.
Before using open-source components, developers need training on the risks associated with the software, and should understand their firm’s policies on review, testing and approval processes. Testing is critical, and it’s worthwhile putting a process in place for consistent testing and analysis of open-source components, much like proprietary code reviews.
Keeping an eye on components
One of the benefits of open-source resources is users can check and modify source code to verify the software does what it claims. While this means it’s possible to identify security flaws or vulnerabilities in the code, the reality is OSS is typically maintained by unpaid volunteers who may not have the expertise, inclination or time to focus on regular security reviews.
When using OSS, security teams should be able to track, access and protect the environment, and this can be done by creating a centralized and organized inventory of all open-source components, ideally with a detailed Bill of Materials (BOM).
One important tip about choosing open-source components for safe and sustainable use is to choose components that have active development and/or a support community. Unpatched components significantly heighten the risk of exploitation and, similarly, businesses using expired or unsupported libraries make it harder for their security teams to keep track of dependencies, incoming fixes, and new vulnerabilities.
Integration
Once SecOps or DevOps teams trust OSS and integrate it into the business’ software stack, it’s time to consider how that code will be maintained.
Developers can fork implementations and use private repositories to keep software components updated, but there are still risks: if package managers are configured to default to a public repository and developers use a package name that can be claimed by an attacker, dependency confusion attacks can take place.
Mitigating this risk involves making sure package managers resolve packages from private repositories rather than defaulting to a public one, that code signing is leveraged to verify package authenticity, and that externally sourced code is audited and verified on a periodic basis.
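As an added example (not from the article), the following audit shows the weak and corrected package-manager settings side by side and flags the weak ones: for pip, `extra-index-url` merges the public and private indexes so the highest version wins wherever it lives, whereas `index-url` alone routes every lookup through the private index; for npm, an internal scope must be pinned to the private registry or it falls back to the default public one. The host `packages.internal.example` and the `@acme` scope are hypothetical.

```python
import configparser
from urllib.parse import urlparse

PRIVATE_HOST = "packages.internal.example"  # hypothetical private registry host

# Constructed sample configs, not taken from any real project.
WEAK_PIP_CONF = "[global]\nextra-index-url = https://packages.internal.example/simple\n"
FIXED_PIP_CONF = "[global]\nindex-url = https://packages.internal.example/simple\n"
WEAK_NPMRC = "registry=https://registry.npmjs.org/\n"
FIXED_NPMRC = "@acme:registry=https://packages.internal.example/npm/\n"

def audit_pip_conf(text, private_host=PRIVATE_HOST):
    """Findings for a pip.conf: no merged indexes, and the single index is private."""
    findings = []
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    glob = cfg["global"] if cfg.has_section("global") else {}
    if "extra-index-url" in glob:
        findings.append("extra-index-url present: public and private indexes are merged")
    if urlparse(glob.get("index-url", "")).hostname != private_host:
        findings.append("index-url does not point at the private index")
    return findings

def audit_npmrc(text, internal_scopes, private_host=PRIVATE_HOST):
    """Findings for a .npmrc: every internal scope must map to the private registry."""
    scoped = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if key.endswith(":registry"):
            scoped[key[: -len(":registry")]] = value.strip()
    findings = []
    for scope in internal_scopes:
        if urlparse(scoped.get(scope, "")).hostname != private_host:
            findings.append(f"{scope} is not pinned to the private registry")
    return findings
```

Configuration alone does not replace the other two controls in the text: signature verification on the packages themselves and periodic review of what the private repository actually contains.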
The growth of the OSS market can be directly attributed to a growing demand for ease-of-use, innovation, scalability and value for money. As organizations integrate OSS into their systems and rely on them in day-to-day operations, exploitable vulnerabilities within open-source code and tools have been targeted by global threat actors.
Defending against these attacks successfully calls for vigilance and the use of autonomous, AI-driven cybersecurity platforms for 360-degree protection.
Migo Kedem
Migo Kedem, VP, Growth, SentinelOne, is the visionary creator of SentinelLabs. He leads the charge in innovation, AI, and groundbreaking cybersecurity research. With a knack for simplifying complexity and a pragmatic risk-taking approach, Migo’s work embodies a commitment to a safer digital life.
SentinelOne
SentinelOne is a US autonomous cybersecurity company. SentinelOne’s Singularity™ Platform detects, prevents, and responds to cyber-attacks at machine speed, empowering organizations to secure endpoints, cloud workloads, containers, identities, and mobile and network-connected devices with speed, accuracy and simplicity.