Open Source Vulnerabilities: How to Maintain Speed, Security
Speed is inherent to the DevOps process, while caution is a hallmark of security teams.
The battle between efficiency and safety isn’t new. But over the past decade, the conflict has been exacerbated by the explosion and proliferation of open source software (OSS), which typically makes up about 70% of an application’s code.
Since its inception during the 1990s, OSS has grown as a medium for the developer community to accelerate innovation through collaboration. But its popularity also has a downside. If not prioritized appropriately or safeguarded against, OSS vulnerabilities can be easily exploited by bad actors. In fact, recent events show the appetite for OSS exploitation has never been greater.
Contextualizing Today’s OSS Security Landscape
Snyk’s “State of Open Source Security 2019” report cited an 88% growth in application vulnerabilities over two years. What’s more, the median time from the creation of a vulnerability in an open source package until it was fixed was over 2 years. This lag in addressing the problem leaves ample time for bad actors to take advantage of vulnerabilities.
In its 2020 report, Snyk said its “researchers discovered a prototype pollution vulnerability in the extremely popular Lodash package. The vulnerability, CVE-2019-10744, affected all versions of the package at the time of discovery and as a result, its impact was very widespread resulting in a very high number of impacted projects.”
In September 2021, a developer disclosed a remote code execution (RCE) flaw in pac-resolver, an npm package used for proxy configuration, which is downloaded 3 million times a week. From there, attackers could easily use the vulnerability to hijack apps whenever they make a call to the web.
Marrying Speed and Security
These incidents underscore a fundamental need for organizations to better manage open source software vulnerabilities, particularly in two areas: prevention and blocking.
Prevention starts with solutions that can discover OSS vulnerabilities in web applications. For example, software composition analysis (SCA) tools, run in pre-production, enable users to analyze and manage the open source elements of their applications by automatically scanning them and checking for policy and license compliance, security risks and available version updates.
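To make the SCA step concrete, here is a minimal dependency check written for this article (not the code of any SCA product): it walks a constructed package-lock.json-style tree, including nested dependencies, and compares each version against a small advisory list. The Lodash entry reuses the CVE mentioned below; its fixed-version boundary, the severities and the second advisory are assumptions for illustration.

```python
import json
from typing import Iterator

# Constructed lock file in the package-lock.json v1 layout; not a real project.
LOCKFILE = json.loads("""
{"name": "tracker-demo", "dependencies": {
  "lodash": {"version": "4.17.11"},
  "express": {"version": "4.17.1",
              "dependencies": {"lodash": {"version": "4.17.15"}}}}}
""")

# Constructed advisory feed. Fixed-version boundaries and severities are assumed.
ADVISORIES = [
    {"id": "CVE-2019-10744", "package": "lodash", "severity": "high",
     "introduced": "0.0.0", "fixed_in": "4.17.12"},
    {"id": "EXAMPLE-0001", "package": "express", "severity": "medium",
     "introduced": "4.0.0", "fixed_in": "4.17.0"},   # fictional, not a real advisory
]
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

def parse_version(v: str) -> tuple:
    """Turn '4.17.11' into (4, 17, 11); any pre-release suffix is dropped."""
    return tuple(int(p) for p in v.split("-")[0].split("."))

def is_vulnerable(version: str, adv: dict) -> bool:
    """A version is affected when introduced <= version < fixed_in."""
    v = parse_version(version)
    return parse_version(adv["introduced"]) <= v < parse_version(adv["fixed_in"])

def walk(deps: dict, path: tuple = ()) -> Iterator[tuple]:
    """Yield (dependency path, name, version) for every entry, nested ones included."""
    for name, meta in deps.items():
        here = path + (name,)
        yield here, name, meta["version"]
        yield from walk(meta.get("dependencies", {}), here)

def scan(lockfile: dict, advisories: list) -> list:
    """Return one finding per (dependency path, advisory) match."""
    findings = []
    for path, name, version in walk(lockfile["dependencies"]):
        for adv in advisories:
            if adv["package"] == name and is_vulnerable(version, adv):
                findings.append({"id": adv["id"], "path": ">".join(path),
                                 "version": version, "severity": adv["severity"]})
    return findings

def build_should_fail(findings: list, threshold: str = "high") -> bool:
    """Policy gate: block the pipeline when any finding meets the threshold."""
    return any(SEVERITY_RANK[f["severity"]] >= SEVERITY_RANK[threshold] for f in findings)
```

Run as a pre-merge check, scan(LOCKFILE, ADVISORIES) flags only the top-level lodash 4.17.11; the nested copy under express is already past the assumed fix boundary, which is why a flat package-name check is not enough.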
Dynamic application security tests (DAST), also run in pre-production, analyze running code, including the underlying application frameworks and servers. These require ample configuration and can take a long time to run.
In addition, runtime vulnerability assessment (RVA) is a new capability for optimal security of cloud native applications, which require an integrated, life-cycle security approach that begins in development and extends to runtime protection.
The unique characteristics of cloud native applications make them impossible to secure without overlapping tools spanning development and production, including SCA and DAST as well as RVA, which sits in production between pre-production tools and perimeter security tools such as web application firewalls (WAFs).
In the real world, prevention might play out in the following kind of scenario: Last year, a U.S. government health agency needed a COVID-19 tracking application fast, but it lacked the ability to create the technology in-house. After outsourcing the build to a third party, the agency tested the app for vulnerabilities using RVA.
The test immediately found approximately 100 security issues. These problems were turned over to the original developer to fix. Once secured, all stored personally identifiable information (PII) and healthcare information was protected from attack.
For the task of blocking, the two most popular capabilities are the web application firewall and runtime application self-protection (RASP). Of these, WAF is more commonplace today.
- WAF helps protect a web application against malicious HTTP traffic. A filtration barrier between the targeted server and the attacker allows protection against attacks such as cross-site request forgery, cross-site scripting and SQL injection.
- RASP uses in-application instrumentation to detect and block attacks. RASP is a much newer technology than WAF and is deployed either through a software development kit (SDK) that a developer uses to integrate RASP directly into the code base or through an agent added to the host at runtime.
Observability to the Rescue
Commonly used to monitor the performance and reliability of cloud-based applications, observability platforms are being enhanced to include application security. This includes the two types of security mentioned above: preventing OSS vulnerabilities through RVA and blocking application attacks through RASP.
Given the increasing importance enterprises now place on speed and the increasing risks associated with OSS, this new approach might finally solve the age-old battle between speed and security.