How to Minimize Risks with Open-source Solutions

Many organizations in various industries across the globe have invested in open-source solutions to reduce costs. These solutions are also attractive to commercial vendors since the use of open-source components reduces development costs and improve the time to market. These situations have resulted in approximately 3 in 4 organizations adopting open-source solutions.

As a result of the ubiquity of open-source solutions, [1] they have become attractive targets for cybercriminals who continue to find new ways to taunt and terrorize organizations and end-users.

Based on the 2017 Trustwave Report[2], in 2015 and 2016 researchers discovered significant vulnerabilities in Zen Cart and Joomla, two of the most commonly used open-source web applications. For instance, a zero-day vulnerability was found in versions of Joomla (1.5 to 3.4). This allows an attacker to perform an object-injection attack against the Joomla database, leading to remote-command execution[3]. Although this and other vulnerabilities were successfully patched, there have been other security risks associated with these popular applications. Further, security flaws have been identified in several other open-source applications, such as:

• The security flaws in Apache Struts. According to several reports, Equifax claimed that a security hole in Apache Struts, an open-source web application framework for developing Java applications, caused their recent$143 million security breach. Although the veracity of this standpoint has been debated, other security flaws have been identified in Apache Struts. This include December 2017 reports that the CVE-2017-5638 vulnerability was exploited to mine the Monero cryptocurrency[4], the same flaw attributable to the Equifax breach.
• The Heartbleed bug, a security flaw in Open SSL, an open source code library that implements the Transport Layer Security (TLS) and Secure Socket Layer (SSL) protocols, allows attackers to[5]:
  
  • Eavesdrop on communications;
  • Steal data directly from the services and users; and
  • To impersonate services and users.

While the debate ensues on whether open-source applications are more vulnerable than proprietary software, the harsh reality tells a story. Significant risks exist in various open-source solutions and this reality requires the attention of both vendor and end-user organizations. In 2016 for example, 3,623 new open-source component vulnerabilities were reported, which averages close to 10 vulnerabilities per day, according to an open-source security study[6]. Given the threat landscape, a similar pattern is likely for 2017 and 2018.

Given the above figures, organizations should adopt a proactive risk management posture in identifying and eliminating the vulnerabilities in open-source solutions. Accordingly, sound security controls and practices are crucial to minimize the risks to an organization data and information assets. These may include:

• Increasing the level of awareness of open-source solutions and their potential risks;
• Developing sound knowledge among the IT and security team of the components and applications beings used by the organization;
• Identifying the known security vulnerabilities by regularly conducting application security assessment;
• Undertaking regular patch management procedures; and
• Actively monitoring the environment for new threats.

Wilson Consulting Group (WCG) offers a comprehensive application security assessment service that evaluates applications to identify vulnerabilities to minimize the risk of information leakage and cyberattacks.  This service also assesses whether the application behaves and interacts securely with its users, databases, and other applications.

Additionally, we offer a comprehensive suite of services, including support in cybersecurity training and development, cybersecurity policy development and risk assessment services.

WCG continues to work with organizations in various industries to identify the vulnerabilities in their infrastructure, and determine the best security solutions that best suit their environment.

[1]S.J. Vaughan-Nichols, Its an open-source world: 78 percent of companies run open-source software, www.zdnet.com

[2]2017 Trustwave Global Security Report

[3]2017 Trustwave Global Security Report

[4]S. M. Kerner, How the Zealot Attack Uses Apache Struts Flaw to Mine Cryptocurrency, www.eweek.com

[5]www.heartbleed.com

[6]2017 Open Source Security & Risk Analysis Black Duck Software.