How to Secure Your Open Source Components

By Gilad Maayan
Published 08/23/2019
Share this on:

Open Source Image #2

Many developers find they can do things quicker and better if they assemble applications using a variety of well built, third party components, many of them are open-source components. The rise in open source usage has led to increasing open source vulnerabilities. If you are a developer who uses open-source components, it is essential you understand what vulnerabilities they may contain and their potential risk. 

What Are Open-Source Dependencies and Why You Should Manage Them

Open-source components offer advantages for organizations and developers, but they also come with significant risks, such as exposure to different kinds of vulnerabilities. The following are some of the main reasons for the continued presence of open-source vulnerabilities.

Not being aware of dependencies
Developers are often unaware of the number of open source libraries they are using due to dependencies. There are two main types of dependencies, direct and transitive. Direct dependencies are the libraries your code is calling to and transitive dependencies are the libraries that your dependencies are linked to, which are dependencies of dependencies. 

Not being able to track your open source dependencies makes you lose control over your software to ensure its security and reliability.

Not keeping track of the open-source components you are using
When a security issue or a bug is reported by a specific open source developers community, sometimes you don’t even know that it is embedded somewhere in your code. In most teams, developers can freely choose whatever open source components and integrate it with their software. They are usually required to document their usage manually but you cannot trust manual reporting when it comes to your software security and quality.

Information about known vulnerabilities is hard to track
The rise in security awareness also led to a sharp boost in the number of suggested fixes offered by the open-source developer community. The open-source community is doing a great job securing open-source projects, but users are unable to fully benefit from their efforts. The problem is that information about vulnerabilities is hard to track since it is not published in one centralized location, rather scattered across hundreds of resources and usually poorly indexed and therefore unsearchable. Often, a developer won’t even know that a given open source component is vulnerable. This presents an ongoing challenge for developers with detecting open source components with known vulnerabilities.

All these issues lead to the conclusion that when you are using open source, you must manage it to reduce the security risk. You must have some kind of management system that continuously scans open-source repositories vulnerability databases, and cross-references this data directly against the open source components in your build. 

The open-source management system should automatically alert you about known security vulnerabilities or bugs, new versions, patches, and fixes in the components you are using.

How to Secure Your Open-Source Dependencies

To help you manage vulnerabilities in open-source code, review dependencies better and patch vulnerable components when identified, you should consider the following practices:

1. Use security tools to check for possible security vulnerabilities
Commercial and open-source tools have been developed to address the challenge of identifying the security vulnerabilities in different source components. If you do not have any technology to secure your open source usage, you can consider using the OWASP dependency check tool. 

The Open Web Application Security Project (OWASP), is an online community that produces free tools and technologies in the field of web application security. OWASP dependency check is a utility created for developers, which identifies project dependencies and checks if they contain any known, publicly disclosed, open-source vulnerabilities.

2. Set strict security rules and standards when using a dependency
It is important to have your developers be aware of the risk of vulnerabilities that open source components can generate to the application or program in particular, and the company in general. 

You should enforce policies requiring developers to maintain an updated inventory of the open-source libraries being used and to prove that they do not contain any identified vulnerabilities. Such policies may require explicit review and approval from your security team to prove the security of the software.

3. Test your components and dependencies
Testing the security of the open-source components you are using is the best way to ensure the safety of your applications and your organization. The timely and frequent analysis of open source components should be the same as your proprietary code. 

This is especially true as the component in question may have unknown security vulnerabilities or its dependencies may differ with each use case. It is possible for a component to be secure in a particular application but vulnerable in another.

4. Unsupported open-source components
In the case where some of the open-source components you are using may not have an active development or support community. In this case, these components go mostly unpatched and can become insecure. Ignoring these possible vulnerabilities can leave your application open to risk. When it comes to unsupported or expired libraries, it is advisable to consider switching to a similar component that is actively developed, or develop it in-house.

Wrap Up

In this article, you have learned how open-source dependencies present a serious challenge to development and security teams struggling to meet security objectives, and how important it is to manage these risks. 

A solution to this challenge is the use of an open-source management system. Such a system integrates with your build process and detects all open source components in your software every time you run your build, including all your open source dependencies.