Considering the dynamic nature of today’s IT industry, it’s like waiting for the day when someone, somewhere, posts on social media that they have hacked your organization and leaked customer data. In recent times we have heard news of hacks from all sectors, whether it was SolarWinds, whose supply chain was compromised, Log4Shell, where someone found a way to perform RCE (Remote Code Execution), or the latest one, Spring4Shell, where attackers found a loophole to perform RCE by passing query parameters to an underlying class that should never have been exposed.
These attacks have become so prominent in the industry that organizations are now realising the need for special task forces to stop such occurrences. But the truth is that they are inevitable. The reason lies in the dependency model that every software product has on Open Source. Open Source has slowly become the backbone of all the new-age cloud products. It’s easier to pull in a library developed by a person or group of people to carry out a task than to write your own code. This reduces Time-To-Market drastically, as companies can focus on the business problem rather than on writing boilerplate code. But it also poses a risk: the library included in the product’s source code can act as a backdoor for attackers, or as a Pandora’s box of new types of vulnerabilities that have not surfaced yet.
The freelancers or groups of people who create these libraries mostly follow a collaborative development style, where the code is not written by a single organization but contributed by individual developers across the world. These developers may not always have good intentions, or may not be able to test the boundary conditions where the code can break. In the case of the “jackson-databind” vulnerability, the underlying code failed to handle nesting beyond 1000 levels. As mentioned earlier, the developers of this library might have had no intention of leaving this gap but lacked the testing environment or business use case to verify each possibility.
New-age developers tend to use Open Source without realising the amount of risk it poses to the organization. With such diversified development stacks and programming languages, it’s also a humongous task for organizations to keep track of every library used in their products. These libraries often lose the interest of the developer community, or the core team that developed the library abandons the project, which makes life tougher for organizations as they must now either replace the library with a new alternative or rewrite the whole code.
Sometimes, rather than taking advantage of issues in libraries, attackers exploit vulnerabilities in the host operating system. The latest issue found in Debian (https://nvd.nist.gov/vuln/detail/CVE-2022-26847) put the OS at risk. This multiplies the problem for organizations that depend on Open-Source operating systems to save on operations and licensing costs, as they end up taking on the risk of open-source vulnerabilities as well.
As per the report from GitHub, a vulnerability might on average take 4 years to be found by security researchers and marked as a known vulnerability. This means that, in the worst case, attackers were able to take advantage of the loophole or backdoor for 4 years and perform any malicious activity they wished. This raises a big concern over whether an organization should be using Open-Source software at all.
With the known risk of vulnerabilities, organizations that rely on open source are left with broadly two options. The first is to become closed systems and develop everything on their own, as with legacy software. The second is to come up with additional measures while continuing to use Open Source. In the new age, product development can’t be done on closed systems, because customers expect platform- or vendor-neutral solutions. In the 1960s IBM would provide both the infrastructure and the software via the Mainframe, which was a closed system where the hardware, operating system and application development all used technology solely owned by IBM. This left a bleak chance of security issues arising. But now, with cloud deployment, we have to provide solutions such as SaaS (Software as a Service), where even if we have taken care of our software development practices, the underlying VM (Virtual Machine) may still pose a risk.
An ideal solution to avoid these issues is to be more vigilant and to perform thorough protection or hardening of both the software and the underlying OS, so that only the required features are enabled at any given time. If we must change the OS configuration or enable any new mode of communication, we should perform a detailed analysis and follow a rigorous change management process. The next solution an organization should deploy is IDS (Intrusion Detection System) and IPS (Intrusion Prevention System) solutions; these become saviours when dealing with cyberattacks. An IDS can help the organization by analysing incoming and outgoing traffic and detecting a probable intrusion, for example too many “Unauthorized” responses for a specific resource, indicating that the resource might be under a DoS (Denial of Service) attack. An IPS, on the other hand, prevents data that was never intended to leave the organization’s systems from doing so, for example when someone takes advantage of a protocol vulnerability to access more data than they should. In the case of the famous Heartbleed vulnerability in 2014, attackers used a loophole in OpenSSL to access more data than intended. So, by using an IPS, such a case can be avoided, as organizations can set up rules for specific communication at the network layer.
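As an added illustration of the IDS heuristic described above (example code written for this edit, not part of the original article): a small detector that parses Apache-style access-log lines and flags any resource that receives a burst of 401/403 responses within a sliding time window. The log lines, paths, threshold and window length are constructed assumptions, and lines are assumed to be in chronological order.

```python
import re
from collections import deque, defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Apache common-log style (not taken from the article).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Apr/2022:12:00:01 +0000] "GET /api/export HTTP/1.1" 401 -
10.0.0.7 - - [10/Apr/2022:12:00:03 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.5 - - [10/Apr/2022:12:00:04 +0000] "GET /api/export HTTP/1.1" 401 -
10.0.0.5 - - [10/Apr/2022:12:00:06 +0000] "GET /api/export HTTP/1.1" 403 -
10.0.0.9 - - [10/Apr/2022:12:00:08 +0000] "POST /login HTTP/1.1" 401 -
10.0.0.5 - - [10/Apr/2022:12:00:09 +0000] "GET /api/export HTTP/1.1" 401 -
10.0.0.5 - - [10/Apr/2022:12:00:11 +0000] "GET /api/export HTTP/1.1" 401 -
10.0.0.9 - - [10/Apr/2022:12:03:00 +0000] "POST /login HTTP/1.1" 401 -
10.0.0.9 - - [10/Apr/2022:12:06:00 +0000] "POST /login HTTP/1.1" 401 -
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (timestamp, path, status) or None when the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m["ts"], TS_FMT), m["path"], int(m["status"])

def find_unauthorized_bursts(log_text, threshold=5, window_seconds=60):
    """Flag resources that received >= `threshold` 401/403 responses inside
    any `window_seconds` interval. Returns {path: peak count seen in a window}."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # path -> timestamps of 401/403 hits still in window
    flagged = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue                  # skip malformed lines instead of crashing
        ts, path, status = parsed
        if status not in (401, 403):
            continue
        q = recent[path]
        q.append(ts)
        while q and ts - q[0] > window:   # evict hits that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged[path] = max(flagged.get(path, 0), len(q))
    return flagged
```

With the defaults, only /api/export is flagged (five unauthorized responses in ten seconds); /login gets three failures spread over six minutes and is flagged only if the window is widened to cover them.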
In the end, the guidance we are trying to provide with this article is that Open-Source software usage is inevitable in today’s world. But, as an organization, we have the accountability and responsibility to safeguard customers’ data and maintain the integrity of our products. The organization must therefore be more vigilant and take additional measures on top of the classical measures taken in the past to provide secure products to customers.
So true… risk is inevitable.
Companies should be more engaged in whitehat competitions and give rewards to vulnerability finders.