(Trust Goal) Manage software vulnerabilities
One's code is only as secure as its least secure part. Recent stories (e.g. Heartbleed, Equifax) have demonstrated the importance of checking for vulnerabilities in parts of the code that the organisation did not write itself. The consequences of vulnerabilities range from data leaks (with tremendous reputational impact) to ransomware attacks and business-threatening unavailability of services.
Open-source software is known to have better vulnerability management than proprietary software, mainly because:
- More eyes look for, and fix, problems in open code and open processes.
- Open-source projects fix vulnerabilities and release patches and new versions much faster.
As an example, a study by WhiteSource of proprietary software showed that 95% of the vulnerabilities found in its open-source components already had a fix released at the time of the analysis. The issue therefore is to better manage vulnerabilities both in the code base and in its dependencies, whether they are closed- or open-source.
In order to mitigate these risks, an organisation has to set up an assessment programme for its software assets, and a vulnerability-checking process that is executed regularly. Tools should be put in place that alert the impacted teams, manage known vulnerabilities, and prevent threats coming from software dependencies.
Any company that uses software has to watch its vulnerabilities in:
- its infrastructure (e.g. cloud infrastructure, network infrastructure, data stores, ...),
- its business applications (HR, CRM tools, internal and customer-related data management),
- its in-house code (e.g. the company's website, internal development projects, etc.), and
- all direct and indirect software and services dependencies.
The return on investment (RoI) of vulnerability management is little known until something bad happens. One has to consider the consequences of a major data breach or of an unavailability of services to estimate the true cost of vulnerabilities.
Similarly, a culture of secrecy around security-related issues inside the company has to be avoided at all costs. Information about the state of vulnerabilities needs to be shared and discussed so that the right people, from developers to C-level executives, can find the best answers.
The benefits of preventing cyber-attacks by carefully managing software vulnerabilities are manifold:
- Avoid reputational risks
- Avoid operating losses (DDoS, ransomware, time to rebuild an alternative IT system after an attack)
- Comply with data protection regulations
Managing open-source software vulnerabilities is just one part of the larger cybersecurity process that addresses the security of all systems and services in the organisation.
There should be a dedicated person or team to monitor vulnerabilities, and easy-to-use processes for developers to rely on. Vulnerability assessment should be a standard part of the continuous integration process, and people should be able to monitor the current state of risk in a dedicated dashboard.
- Activity is covered when all in-house software and services have been assessed and are monitored for known vulnerabilities.
- Activity is covered when a dedicated tool and process are implemented in the software production chain to prevent the introduction of issues during daily development.
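The continuous-integration check described above boils down to one mechanical step: compare every pinned dependency against a feed of known-vulnerability advisories and fail the build when one matches. The following added example (not code from the GGI handbook or from any of the tools listed on this page) implements that step offline in Python. It assumes the advisory feed uses the OSV record layout (`affected[].package`, `affected[].ranges[].events[]` with `introduced`/`fixed` events), that dependencies are pinned `name==version` lines, and that versions are purely numeric dotted strings; the advisory records and their `CONSTRUCTED-…` identifiers are made-up sample data, not real CVEs.

```python
"""Offline matcher of pinned dependencies against OSV-style advisories.

Added example for illustration; not part of the GGI handbook or of any
listed tool. Assumptions: `name==version` pins, purely numeric dotted
versions, OSV-shaped advisory records. All advisory data below is
CONSTRUCTED sample data, not real vulnerability records.
"""
import json
from typing import Dict, Iterable, List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'2.26.0' -> (2, 26); trailing zeros are dropped so that '2.26'
    and '2.26.0' compare equal. Numeric dotted versions only (assumption)."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def parse_pins(lines: Iterable[str]) -> Dict[str, str]:
    """Parse 'name==version' lines; comments and blank lines are skipped."""
    pins: Dict[str, str] = {}
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, version = line.partition("==")
        if sep != "==" or not version.strip():
            raise ValueError(f"unsupported requirement (only == pins handled): {raw!r}")
        pins[name.strip().lower()] = version.strip()
    return pins


def is_affected(version: str, events: List[dict]) -> bool:
    """OSV range semantics: the last event at or below `version` decides.
    'introduced' switches the vulnerable state on, 'fixed' switches it off,
    and introduced '0' means every version since the start of the project.
    Events are sorted here so the order in the record does not matter."""
    v = parse_version(version)
    keyed = []
    for ev in events:
        if "introduced" in ev:
            keyed.append((parse_version(ev["introduced"]), 0, True))
        elif "fixed" in ev:
            keyed.append((parse_version(ev["fixed"]), 1, False))
    affected = False
    for key, _, state in sorted(keyed):
        if v < key:
            break
        affected = state
    return affected


def scan(pins: Dict[str, str], advisories: List[dict], ecosystem: str) -> List[dict]:
    """Return one finding per (pinned dependency, matching advisory)."""
    findings = []
    for adv in advisories:
        for aff in adv.get("affected", []):
            pkg = aff.get("package", {})
            name = pkg.get("name", "").lower()
            if pkg.get("ecosystem") != ecosystem or name not in pins:
                continue
            version = pins[name]
            for rng in aff.get("ranges", []):
                if rng.get("type") == "ECOSYSTEM" and is_affected(version, rng["events"]):
                    findings.append({"package": name, "version": version,
                                     "id": adv["id"], "summary": adv.get("summary", "")})
                    break  # one finding per advisory is enough
    return findings


def gate(findings: List[dict]) -> int:
    """CI exit code: 0 when clean, 1 when any known vulnerability is pinned."""
    return 1 if findings else 0


# Constructed lock file: the package names are fictitious.
SAMPLE_PINS = """
# constructed sample lock file
examplelib==2.25.1
otherlib==1.4.0
thirdlib==0.9.2
"""

# Constructed OSV-shaped records; the ids are placeholders, not real CVEs.
SAMPLE_ADVISORIES = [
    {"id": "CONSTRUCTED-2021-0001", "summary": "constructed: header injection",
     "affected": [{"package": {"ecosystem": "PyPI", "name": "examplelib"},
                   "ranges": [{"type": "ECOSYSTEM",
                               "events": [{"introduced": "2.3.0"}, {"fixed": "2.26.0"}]}]}]},
    {"id": "CONSTRUCTED-2020-0002", "summary": "constructed: two affected windows",
     "affected": [{"package": {"ecosystem": "PyPI", "name": "otherlib"},
                   "ranges": [{"type": "ECOSYSTEM",
                               "events": [{"introduced": "0"}, {"fixed": "1.2.0"},
                                          {"introduced": "1.3.0"}, {"fixed": "1.3.5"}]}]}]},
    {"id": "CONSTRUCTED-2022-0003", "summary": "constructed: other ecosystem, must not match",
     "affected": [{"package": {"ecosystem": "npm", "name": "thirdlib"},
                   "ranges": [{"type": "ECOSYSTEM",
                               "events": [{"introduced": "0"}]}]}]},
]

if __name__ == "__main__":
    found = scan(parse_pins(SAMPLE_PINS.splitlines()), SAMPLE_ADVISORIES, "PyPI")
    print(json.dumps(found, indent=2))
    raise SystemExit(gate(found))
```

Run as a CI step, the script's non-zero exit code blocks the merge; the JSON it prints is the per-build record a risk dashboard can aggregate. Only `examplelib` is reported: `otherlib` 1.4.0 sits after the second `fixed` event, and the `npm` advisory is ignored because the scan is restricted to the `PyPI` ecosystem.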
- GitHub tools
- Eclipse Steady is a free, open-source tool that analyses Java and Python projects for vulnerabilities and helps developers mitigate them.
- OWASP dependency-check: an open-source vulnerability scanner.
- OSS Review Toolkit: an open-source vulnerability scanner.
Hints and best practices. Collected from GGI participants.
Add recommendations here
- MITRE's database of CVEs (Common Vulnerabilities and Exposures). See also NIST's National Vulnerability Database (NVD), and satellite resources like CVE Details.
- Check also this new initiative from Google: Open Source Vulnerabilities (OSV).
- The OWASP working group publishes a list of vulnerability scanners on its website, from both the commercial and the open-source worlds.
- J. Williams and A. Dabirsiaghi. The unfortunate reality of insecure libraries, 2012.
- Detection, assessment and mitigation of vulnerabilities in open source dependencies, Serena Elisa Ponta, Henrik Plate & Antonino Sabetta, Empirical Software Engineering, volume 25, pages 3175–3215 (2020).
- A Manually-Curated Dataset of Fixes to Vulnerabilities of Open-Source Software, Serena E. Ponta, Henrik Plate, Antonino Sabetta, Michele Bezzi, Cédric Dangremont. There is also a toolkit in development to implement the aforementioned dataset.