momius - Fotolia

Problem solve Get help with specific problems with your technologies, process and projects.

Amp up OSS security with these steps

A test vendor's CTO describes the OSS security mistakes that enterprises make, such as not patching vulnerabilities or inaccurate inventory dependencies.

Custom code often comprises less than 20% of an application, and the rest is open source. Antony Edwards, CTO of test automation vendor Eggplant, formerly called Testplant, sees little open source software security focus in enterprise software development practices. Instead, many businesses do code inspection and review of only their original code, and leave at least 80% of their products' code unsecured.

Most companies that use unsecured open source code in products have not suffered data breaches -- yet. Credit goes to the OSS project teams, which do a good job protecting code, Edwards said. He noted that secure code should be the first line of defense in OSS security. Enterprises that fail to take further steps might see their luck run out.

Edwards shares advice and insights on open source code security, in this Q&A with SearchSoftwareQuality.

Why do enterprises fail to respond to OSS patch notifications, the Equifax mistake that caused its data breach?

Antony Edwards: Every report I've ever seen says that the majority of data breaches could have been prevented by having a quick, reliable patching process. It's nothing fancy, just following the OWASP security vulnerabilities lists.

Unfortunately, this [patch management process] doesn't fit with the way a lot of companies run. They all like to be super agile, ad hoc and fast. So, having a boring, repeatable patching process isn't in most companies' DNA anymore.

One workaround for this problem is using managed servers. Amazon [Web Services], [Microsoft] Azure and other cloud-based managed servers are great at automated patching.

Which old-school OSS security practices and tools remain useful today?

Antony Edwards, CTO of EggplantAntony Edwards

Edwards: The number one best practice is using components that are widely used. The more used, the more hardened it'll be. The most secure OSS codebases are Linux and Apache. It's been a long time since someone found a real major exploit in the core of those projects. Steer clear of using really new OSS in critical components. It will have holes.

What two new OSS security hardening and test practices and tools are being used effectively?

Edwards: Machine learning is becoming a real force in security. With machine learning, the technology can be used to look at millions of lines of source code, learn from previous security issues and find the patterns in your source code that may be security holes. It's just not feasible for a human to work with that amount of data and find patterns.

With machine learning, the technology can be used to look at millions of lines of source code ... and find the patterns in your source code that may be security holes.
Antony EdwardsCTO, Eggplant

Continuous security testing is critical. The big problem is security testing is treated as a one-off. People create a new application or website, and they do a one-off penetration test or security scan. Then they let a hundred developers -- some of them just out of college -- make source code changes, but they don't recheck. I think that continuous testing is getting a lot more attention now.

Is inadequate OSS security documentation common in enterprises?

Edwards: It will be getting better because of the cost of breaches. OSS projects often give credit and status to people who contribute code. Maybe they need to put more emphasis on people who provide other value, such as security audits and documentation.

Do you find that DevOps teams have accurate inventories of software dependencies used by different applications? If not, what risks are they running?

Edwards: Good software is organized in layers of security. So, you have a trusted computing base, in which all the code is trusted. You then have an admin layer that can do a bit more.

When you don't manage your dependencies, you can find that code that is supposed to be 'untrusted' can indirectly or even directly cause highly secure code to do something. This is called rights amplification in the security world and is a key problem. It's amazing how quickly bad software design can allow what seems like harmless code to get superuser access.

To reduce the risk, you need to have very well-defined interfaces between security levels. You need to constantly review these with static analysis tools. Also, do not let quick hacks from bad developers into secure code.

This was last published in May 2018

Dig Deeper on Software Security Test Best Practices

Join the conversation

3 comments

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

What practices does your enterprise use to secure OSS?
Cancel
Nexus provides continuous "security testing" (analysis) of the open source in your applications/throughout your CI-CD and can provide remediation paths. 

Following the OWASP vuln list is not nearly enough.  

1) Firstly, implement a "Firewall" like solution (as noted by Gartner in their report "How to seamlessly integrate security into DevOps") to automatically enforce policy before your repo (see: Nexus Firewall)
2) Maintain a bill of materials of all open source/third party software within your application. (Gartner recommends in "10 things to get right for successful DevSecOps")
3) Automatically leverage that bill of materials against public/private vulnerability data forums for new vulnerabilities (see: Nexus Lifecycle)
4) Enable your developers to have a hygiene focus early in the SDLC!  (see: Nexus Lifecycle integrations into IDE)


Cancel
Hi Justin - Thank you for sharing those excellent best practices. I address some of the topics you discuss in an ezine article that will be published soon. I'm sure you saw the results of this recent DevSecOps survey, which mentions OSS security: https://searchsoftwarequality.techtarget.com/news/252439316/Failure-to-secure-open-source-code-spurs-DevSecOps-boom

Thanks again for your message.

Cancel

-ADS BY GOOGLE

SearchMicroservices

TheServerSide.com

SearchCloudApplications

SearchAWS

SearchBusinessAnalytics

SearchHRSoftware

SearchHealthIT

DevOpsAgenda

Close