In recent years, there has been a rapid increase in the adoption of open-source frameworks by organizations of all sizes. At the same time, the statistics around the vulnerabilities in open-source frameworks have got security admins to rethink the adoption of such open-source frameworks. To counter these attacks, enterprises are turning to modern security practices like DevSecOps. Further, enterprises are operationalizing these practices using solutions based on deception technology.
Risks of bugs & vulnerabilities with open source
There have been numerous discoveries of critical vulnerabilities in the popular open-source frameworks that are widely used. Heartbleed (tracked as CVE-2014-0160), the critical security vulnerability in the OpenSSL 1.01, was discovered in 2014, which impacted almost two-thirds of all the secured websites at that time. Though this bug was found in 2014, there were still more than 200,0000 un-patched servers present worldwide till 2017, exposing them to attack. Similarly, the ShellShock bug (tracked as CVE-2014-6271) existed in the Bash shell of Unix, Linux, and Mac servers for more than two decades, before it was discovered. And such vulnerabilities, when exploited by hackers, can have an adverse impact on organizations of any size.
The infamous security breach of Equifax, which had impacted more than 143 million records of Tax-paying Americans, is one example of what bugs in open-source systems can do to any organization. The company statements revealed that a bug (suspected to be CVE-2017-9805 or CVE-2017-5638) in the open-source server framework Apache Struts was one key reason behind the record-breaking security breach.
The vendor had already patched the vulnerabilities in March 2017, but hackers exploited the bug two months later, between May-July 2017, to gain access to Equifax servers. Delays in patching the open-source vulnerability eventually resulted in a fine of over $700 million for Equifax.
Unfortunately, Equifax is not the only one using such open-source frameworks. Apache Struts is estimated to be used by around 65% of the Fortune 100 companies (Office Depot, Citigroup, Virgin Atlantic, Vodafone, and Lockheed Martin to name a few). There have been several other incidents where hackers have exploited bugs in open-source technologies to gain a foothold inside an organization and then fulfill their malicious intent.
The right approach towards open-source
The right approach towards the open-source frameworks is not avoiding them altogether, but to develop a system that can prevent the occurrence of such incidents by proactively finding and patching bugs before hackers exploit them. One good way of doing this is continuously following vendor websites to keep track of any updates, and applying the patches as when they are released. And this works well for popular products by renowned vendors. For instance, Red Hat Linux is known for fixing more than 65% of vulnerabilities within one day of public disclosure, and they fix around 90% within 14 days. However, this is not true for all open-source application vendors. An estimate suggests that only 25% of open-source vendors notify their users of vulnerabilities, and just 10% of them indulge in additional activities like filing a CVE. And when there are several third-party open-source applications involved in any application, it could be tough to keep up with all the updates from all such vendors on an immediate basis.
Issues with open-source dependencies
Besides the core application, open-source developers often have an affection towards various ready-to-use open-source packages (called dependencies), as it gives them control over the entire source code, as well as ease of availability and deployment. But this also increases the possible attack surface for the entire application. For instance, for any mid-sized application using ten open-source dependencies, attackers get ten opportunities across the entire application for which they would have the entire source available with them, and which they could try to infiltrate. The overall risk increases with the involvement of a large number of third-party vendors of all sizes. For instance, a vulnerability in a small third-party component like ‘Comments social plugin’ can take down the security of the entire e-commerce platform.
GitHub, the largest open-source repository, does help developers track vulnerabilities in their open-source projects and dependencies. It provides vulnerability tracking and dependency management for hosted projects. When any security alert is raised, GitHub identifies all the public and private repositories that use the affected version of the dependency, and sends security alerts to the concerned people, suggesting they fix the issue at earliest. Though this provides some level of automation, it remains restricted to the projects hosted on GitHub, and its effectiveness is limited to the configuration of alerts (weekly, daily, etc.), and how responsive each repository owner is.
According to the 2018 report commissioned by Synopsys, the biggest challenge faced by the organizations regarding application security testing in the continuous integration/continuous delivery (CI/CD) workflows is a lack of automated, integrated security testing tools. In such scenarios, you cannot rely on the notifications from the vendors or external agencies, but to adopt a proactive approach to counter any threats. All this points to the need for a solution that automatically scans for vulnerabilities in open-source applications across an organization and proactively reports and takes action on these vulnerabilities. Deception technology is that solution.
How can deception technology help?
Deception technology provides ways to boost the cybersecurity of an organization by providing additional layers of security (like the use of decoys), as well as proactive ways of defending against known and unknown threats. It works by developing several decoys or traps that mimics the genuine network elements of an organization. When any adversary hits any decoy, notifications are broadcast to the centralized server, along with all the useful information that can help track and contain the breach. Tools and products that are based on this technology can also identify and analyze the zero-day and other advanced attacks in real-time, which can not be tackled using traditional security products.
Benefits of using Deception technology
Using deceptive technology can help organizations defend against advanced and unknown threats proactively.
The invisible cloak of security
The decoy infrastructure acts as an invisible layer of security, which can turn the tables on attackers. By breaching the decoy’s network elements, they would be under the belief that they have gained access to the internal environment will take next steps that would reveal their intentions. At the same time, you get accurate alerts in real-time, through which you can keep an eye on their every move, gathering all possible information about their tactics, techniques, and procedures (TTPs), which can be further used to secure your environment by taking timely actions.
Reduced risks and efforts
The decoy elements of security produce real-time alerts along with rich and sufficient forensic data for detailed analysis. Such data can help filter out false positives, allowing security admins to save their time and efforts to focus on the actual problem.
Vertical and horizontal scalability
Automated alerts can help you eliminate the manual efforts required in operational tasks, enabling you to increase the levels of security across a wider periphery of the network. Deception technology can also provide breadcrumbs across a wide range of devices, including modern IoT devices as well as a legacy environment across the organization.
Practical implementation - DevSecOps for open source
DevSecOps provides a way to operationalize deception technology for open-source software. DevSecOps helps attain built-in security across the entire DevOps supply chain, starting from requirement analysis to coding, to deployment and then continuous monitoring of the applications. Introducing security at the early stages of DevOps lifecycle can help minimize the vulnerable surfaces exposed to the outside world.
To begin with, you can consider using automated vulnerability scanning tools across various stages of the continuous integration and continuous delivery (CI/CD) process. There are several tools available for monitoring security and compliance, which can integrate with the cloud-based agile DevOps methodologies, and keep up with the fast release cycles. This can help to ensure application security along with rapid application development and stable release cycles. Static Application Security Testing (SAST) also provides several methodologies, like Source Code Analysis (SCA), which can be integrated directly into the development environment, and help scan for any loopholes and find vulnerabilities in the proprietary code at various stages, like in daily scrum meetings. This ensures early detection and remediation of vulnerabilities.
Using open-source frameworks and components involves a huge risk of exposure, but still, the current positive trends about open-source frameworks provide hints about where the future is headed. To endure the challenges of open-source frameworks, you need to adopt DevSecOps. The method of integrating security should be seamless and agile to withstand the dynamic DevOps cycles without breaking it. The selection of the right set of tools for automated open-source management can help in controlling the associated risks. Deception technologies are very useful in taking proactive, counter-measures against attackers. They are key to realizing the full benefits of open source tools and avoiding the associated risks.