How open source security flaws pose a threat to organizations
Applications that use open source code offer a host of benefits, including transparency, flexibility, cost effectiveness and community support. But how do such products fare on security? Though the community-based approach toward open source means that security flaws should be identified quickly, patching those flaws and applying the patches is another matter.
In a report, design automation company Synopsys looked at commercial applications that use open source code to see how they dealt with security flaws.
All of the companies seen in the marketing tech industry, which encompasses lead generation, CRM and social media, contained open source code in their applications. Of these, 95% of the codebases had open source vulnerabilities. Some 98% of the codebases in the healthcare sector contained open source, and 67% of them had security flaws.
Some 97% of the codebases in the financial services industry contained open source, with more than 40% found with vulnerabilities. And 92% of the codebases analyzed in the retail and e-commerce sector used open source, with 71% discovered with security flaws.
Many of the security holes were the result of abandoned open source components. A full 91% of the codebases had open source dependencies with no development activity over the past two years, which means no improvements in code and no security patches.
"That more than 90% of the codebases were using open source with no development activity in the past two years is not surprising," Tim Mackey, principal security strategist with the Synopsys Cybersecurity Research Center, said in a press release. "Unlike commercial software, where vendors can push information to their users, open source relies on community engagement to thrive. Orphaned projects aren't a new problem, but when they occur, addressing security issues becomes that much harder."
Outdated open source components also played a role in security flaws. Some 85% of the codebases examined by Synopsys had open source dependencies that were out of date by more than four years. These components are supported by active developer communities that publish security fixes, but the fixes aren't necessarily being applied by commercial customers.
Open source flaws are on the rise. In 2020, the percentage of codebases with vulnerable open source components reached 84%, a 9% increase from 2019. Over the same time, the percentage of codebases with high-risk vulnerabilities rose to 60% from 49%. Several of the top open source flaws discovered in codebases in 2019 persisted in 2020.
To help organizations protect themselves against open source vulnerabilities, Mackey shared the following tips with TechRepublic:
- Create an inventory of your open source assets. Reducing exposure to vulnerabilities starts with a full inventory of your open source assets. Ideally, this inventory is refreshed whenever new or updated software is deployed so you can tell if everything is patched properly. Be sure to include the origin of each open source component because that will tell you where to find the right patches.
- Review how the supplier handles patches. When you acquire a new device or application, review how the vendor issues software patches. If you can't determine that on your own, reach out to the support team.
- Consider a different vendor when necessary. If the vendor can't help you or doesn't seem to be updating its own products, that means it's likely time to find a different vendor. If the supplier isn't keeping up with patches, then security probably isn't as high a priority as it should be.
- Review security patches before you apply them. Be sure to completely review any security patch before you apply it. This is especially critical with open source code as the developers don't know your particular environment and can't test for it.
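The inventory tip above can be turned into a repeatable check. The script below is an added example, not code from the article or from Synopsys: it takes a component inventory (here a constructed sample with hypothetical package names, URLs and dates, not real projects) and flags the three conditions the article ties to risk: a component with no recorded origin, so there is nowhere to look for patches; a component whose upstream has shown no development activity for more than two years; and a component whose installed version is more than four years older than the latest upstream release. The two-year and four-year thresholds are taken from the figures in the article; the snapshot date and the record format are assumptions.

```python
"""Added example: a minimal open source inventory audit.

Not from the TechRepublic article or Synopsys. Component records, names,
URLs and dates below are constructed sample data; the thresholds (2 years
of inactivity, 4 years out of date) follow the figures quoted in the article.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    origin: Optional[str]     # repo/registry URL the component came from (None if unknown)
    installed_release: date   # release date of the version actually in use
    latest_release: date      # release date of the newest upstream version
    last_activity: date       # most recent upstream commit or release


# Constructed snapshot date for the audit (assumption, not from the article).
AS_OF = date(2021, 5, 1)

# Constructed sample inventory: hypothetical names and dates, not real packages.
SAMPLE_INVENTORY = [
    Component("webfw", "2.3.1", "https://example.invalid/webfw",
              date(2020, 9, 1), date(2021, 3, 15), date(2021, 3, 15)),
    Component("oldparser", "0.4.0", "https://example.invalid/oldparser",
              date(2016, 1, 10), date(2021, 2, 1), date(2021, 2, 1)),
    Component("abandoned-util", "1.0.2", "https://example.invalid/abandoned-util",
              date(2018, 5, 5), date(2018, 5, 5), date(2018, 6, 1)),
    Component("mystery-lib", "3.0.0", None,
              date(2021, 1, 1), date(2021, 1, 1), date(2021, 1, 1)),
]


def years_between(earlier: date, later: date) -> float:
    """Elapsed time in years, using the average Gregorian year length."""
    return (later - earlier).days / 365.25


def assess(component: Component, as_of: date,
           stale_years: float = 2.0, outdated_years: float = 4.0) -> List[str]:
    """Return the list of findings for one component (empty list means clean)."""
    findings = []
    if component.origin is None:
        # Without an origin there is no authoritative place to fetch patches from.
        findings.append("no-origin")
    if years_between(component.last_activity, as_of) > stale_years:
        # Upstream has gone quiet: no new fixes will arrive for this component.
        findings.append("abandoned")
    if years_between(component.installed_release, component.latest_release) > outdated_years:
        # Fixes exist upstream but the deployed version predates them by years.
        findings.append("outdated")
    return findings


def audit(inventory: List[Component], as_of: date) -> Dict[str, List[str]]:
    """Map each component name to its findings, omitting clean components."""
    report = {}
    for component in inventory:
        findings = assess(component, as_of)
        if findings:
            report[component.name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INVENTORY, AS_OF).items():
        print(f"{name}: {', '.join(findings)}")
```

Running the script against the sample inventory flags `oldparser` as outdated, `abandoned-util` as abandoned and `mystery-lib` as having no origin, while `webfw` produces no findings. In practice the inventory would be generated from lockfiles or an SBOM rather than typed in, and the release and activity dates would be pulled from the package registry or repository each time the inventory is refreshed, which is the point of tying the refresh to every deployment.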