Is Hidden Open Source Code Putting Your Apps at Risk?
Jan 15, 2008 4:00 AM PT
Many companies are running software on their Web servers that contains open source code with known vulnerabilities, a security firm has found.
Software risk management solutions firm Palamida has expanded its Vulnerability Reporting Solution detection capabilities to include 431 open source security alerts. The alerts include 148 that are considered to have high-severity common vulnerability and exposures ranging from cross-site scripting and buffer overflows, to SQL injections.
In conjunction with the expanded detection capabilities, Palamida disclosed what it identified as the top five most overlooked open source security vulnerabilities found in enterprise audits during 2007. The top five vulnerabilities are based on an analysis of more than 300 million lines of code across multiple verticals that include financial services, technology and government.
"The most popular projects appear in every test. This always surprises companies. There is from three to 10 times the use of open source code [in software enterprise uses] than companies realize," Theresa Bui-Friday, cofounder of Palamida, told LinuxInsider.
Top Five Details
Palamida provides patch information for each of these vulnerabilities here.
Apache Geronimo is a free software application server developed by the Apache Software Foundation. A login weakness allows hackers to bypass authentication by allowing blank username and password.
JBoss Application Server is a free software / open source Java EE-based application server. Some versions permit remote authenticated users to read or modify arbitrary files and possibly execute arbitrary code.
Libtiff is a library for reading and writing Tagged Image File Format files. It also contains command line tools for processing TIFF files. Some versions allow attackers to execute integer overflow and other unspecified vectors involving unchecked arithmetic operations.
Net-SNMP is software suite for using and deploying the SNMP protocol. Some versions allow remote attackers to cause a denial of service crash of a network or Web site.
Zlib is a software library used for data compression. Some later versions allow remote attackers to cause a denial of service crash and a buffer overflow.
"For example, there can be as many as 233 versions of Zlib on a new laptop. Ten percent of them are out of date and unstable," Bui-Friday said.
The cornerstone of the Palamida Vulnerability Reporting Solution is the vulnerability library. It is a database that contains signatures enabling unique detection of almost two million open source files with reported vulnerabilities. The library contains 431 reported vulnerabilities associated with the most common open source projects Palamida finds embedded inside enterprise applications.
Palamida's VRS is detection and reporting software that discovers and identifies all unknown open source code inside internally developed enterprise applications. The program gives a company an immediate report on its existing vulnerabilities.
The purpose, according to company officials, is to provide a way for users to further develop their security policies for open source use.
The program has four goals:
- Identify all open source in the code base
- Pinpoint its exact location within the code base
- Measure third-party code dependence
- Track associated vulnerabilities
Palamida was not targeting open source projects as inherently more vulnerable than commercial software. However, users need to be aware of the risk all software poses as open source code becomes more widespread, the company said.
"Applications built in the last five years based on open source code is 50 percent," Bui-Friday said. "We find at least 100-200 open source projects in software we sell."
Open source is not any more vulnerable than proprietary software. Its sponsors provide quick and easy paths to patching vulnerabilities. Some are better at doing this than others, said Mark Tolliver, CEO of Palamida. The VRS program provides companies with a tool to reduce risks of attack.
"Historically, organizations have taken a passive approach to managing their code base contents. They rarely had a complete view and would not investigate until legal action -- usually connected to intellectual property issues -- forced them to do so," Tolliver told LinuxInsider. "With the explosion in the use of open source software, organizations today need to actively manage their use carefully, avoiding both IP issues as well as vulnerabilities."
According to research firm IDC, most application development teams struggle with delivering projects, with all of the intended features and functions, on time and within budget. IDC notes that in many development teams, security is not even considered, according to Bui-Friday.
Yet any redevelopment efforts necessary to repair security vulnerabilities end up costing organizations much more both financially and strategically, IDC concludes in its Insight Report, "Driving Effective Security Best Practices and Approaches for Application Lifecycle Management."
"In 2007 malware attached to undocumented code was responsible for major security breaches such as TD Ameritrade to the United States Pentagon. Organizations must implement risk management processes that deal with security issues at their origin, from inside the code base," said Tolliver.
Not all industry watchers agree that embedded open source code poses higher risks. Use and patching issues are covered by open source licensing.
"There are problems with vulnerability across the board. Open source tends to be quicker cleaning up trouble due to [its] community driven nature," Paul Henry, vice president of technology evangelism at Secure Computing.
Patching open source parcels by the vendors that use them in their own products is not so uncommon, he insisted. This is done all the time. While there are some small incidents of difficulty, it is not a big problem, he said.
Not so, added Bui-Friday. It is common for third party software purchases that contain open source components.
"Software providers may not know that they used unpatched code that came from public domain and freeware sources. Nobody is monitoring this," she countered.
IDC Senior Analysts Melinda Ballou, Charles Kolodgy and Melissa Webster found that the root cause of many application security vulnerabilities lies in the application source code.
Organizations have been slow to demand that their application development groups produce secure software, their report concluded. So long as insecure applications can be safely walled off from attack behind perimeter defenses, organizations have not been willing to pay the higher costs associated with security.