Plaintext: Securing Open Source Software

Welcome to Dark Reading in Plaintext, where each day we bring you insights around one topic important to cybersecurity professionals. Today, we talk about vulnerabilities in open source software and securing the ecosystem. Enjoying the newsletter? Share with a friend! Want to read the newsletter in your inbox? Subscribe to get it delivered to you every day.

Vulnerable vs Attackable

One of the things security defenders have to think about when prioritizing which vulnerabilities to fix is whether the flaw will actually be exploited. ShiftLeft's 2022 AppSec Progress Report finds that only about 3% of vulnerabilities in open source components and libraries are actually "attackable." AppSec and software development teams can be more effective at sifting through vulnerability reports if they focus on the ones that attackers can reach. One way to do that is to consider factors like whether the package that contains the CVE is loaded by the application, whether it is in use by the application, whether the package is in an attacker-controlled path, and whether it is reachable via data flows. [Read more: Only 3% of Open Source Software Bugs Are Actually Attackable]

In essence, it means taking a simplified threat modeling approach to open source vulnerabilities, with the goal of drastically cutting down on the fire drills.

Cisco's Kenna Security and Cyentia Institute have been doing some intriguing work around the question of vulnerability prioritization and likelihood of being exploited.

Case of Log4j: CISOs and security teams scrambled earlier this year to determine whether they had software containing the vulnerable Log4j dependency. ShiftLeft's report noted that 96% of vulnerable Log4J dependencies were not attackable.

Consider This About Open Source Security: The reality is that whether it's proprietary code or open source code, software will inevitably have vulnerabilities. The advantage of using open source software is that you don't wind up creating bugs that are unique to your code base, said GitHub's Justin Hutchings. [Read more: The Truth About Vulnerabilities in Open Source Code]

"Open source code isn't intrinsically more secure; it is more securable. If [companies] write less custom code, there's a smaller chance that they'll introduce novel security issues." --Justin Hutchings, GitHub

Having a Policy Pays Off: Open source software offers significant benefits for application development, but open source governance is a must. Knowing what components are being used is a critical part of understanding the environment. Assessing whether the component is actually a problem for the organization is a threat modeling exercise that comes after. Seven out of 10 companies that have an OSS security policy in place consider their application development to be highly or somewhat secure, according to a recent survey by the Linux Foundation and Snyk.

Did You Know About...? Google's Assured Open Source Software service allows developers to use open source components that have been vetted and patched for security issues by Google's developers. The service provides versions of popular open source packages that are scanned frequently, augmented by metadata created by code analysis, and are signed by Google. "We wanted to show that it is important to actually do the provenance, do the metadata, do the scanning, do the fuzzing, build it from source — and sign it," according to Google Cloud's Eric Brewer. [Read more: Google Cloud Aims to Share Its Vetted Open Source Ecosystem]

"The idea of having curated version is not new per se, but it is just more important than ever." --Eric Brewer, Google Cloud.

Headlines on Tap

• Shadow IT is a problem. Did you know 1 in 3 cyberattacks are the result of Shadow IT?
• For government agencies, synthetic identity fraud is a particularly thorny challenge.
• Organizations with public-facing VMware Horizon and Unified Access Gateway (UAG) servers without Log4j updates should assume they're compromised, CISA warns.

Subscribe to get the latest headlines delivered to you each morning with Dark Reading Daily.

On That Note 

Image Source: AbsolutVision @freegraphictoday via Unsplash

We are batting around possible topics for our next "Seen and Heard" LinkedIn Live event and would like to open up the floor to suggestions. Leave us a comment on the newsletter, in the LinkedIn group, or through one of our other social media channels.

Ideas include (but not limited to!)

• What to expect for Black Hat USA.
• Cool research we've seen and heard so far in 2022.
• Reactions to big news of the week.
• Spotlighting people's career journeys.
• Lessons learned from startup founders. .

We hope to have the next one in mid-July, which actually isn't all that far away. Let us know what you would like to see!