Most, if not every piece of code in production environments has dependencies. Instead of “reinventing the wheel”, developers use existing libraries to implement common functionality.
This is considered best practice since standard libraries are often well implemented. However, reused code can also come from less-trusted sources. With open source repositories like Github, anyone can create a library for a given function that someone can download and integrate into their product. While this creates opportunities for innovation, it can also create security issues. Many of these open source projects do not undergo formal code review or security testing.
As a result, the applications using these libraries may be acquiring new vulnerabilities through their dependencies. Protecting against these types of threats requires individualized and specialized security monitoring, like that provided by runtime application self protection (RASP) solutions.
The Value of Open Source Code
The argument between the virtues of open source and closed source is ongoing. While both definitely have their benefits and their liabilities, the wide availability of open source code is a valuable component of any organization’s ability to rapidly develop and deploy code.
One of the main advantages of open source libraries is efficiency. Many of the most commonly used libraries implement specialized functionality that is widely used. Often, this functionality is very difficult and time-consuming to implement correctly, so a high-quality library implementing the functionality and exposing it via easily-understood functions is extremely valuable.
Open source code is also widely considered to have significant security benefits. With closed source code, the user needs to trust that the developer performed the appropriate functionality and security tests and corrected any issues. Open source code allows the user to review the code before incorporating it into a project and exposes the source code to analysis by more researchers and tools, increasing the probability that errors will be identified and corrected.
The benefits of open source code and the lack of associated fees and licensing agreements have caused a number of development teams to incorporate it into their products. However, failing to do so in a secure manner can cause vulnerabilities to be inherited from insecure components.
The Challenge of Open Source Security
While some open source code is high-quality and has undergone significant security testing, the same is not true of all of it. The nature of code sharing sites like Github mean that anyone can upload code, and there is no guarantee that appropriate security testing has been performed. While some information about the quality of the project can be extracted through analysis of the documentation and other features, there is no guarantee that a professional-looking project is secure or vice versa. As the size of organizations’ code bases grow, the complexity of security grows with it. Each dependency incorporated into a project requires comprehensive analysis at the beginning to ensure functionality and security and then analysis and application of all updates in order to be secure.
In many cases, the complexity and overhead of this analysis drives development teams not to perform any analysis at all. 40% of respondents to a DevOps survey state that they do not perform any software composition analysis (SCA), where the team attempts to identify potential vulnerabilities in their product caused by insecure dependencies.
This lack of supply chain analysis leaves an organization’s products open to attack. In 2018, 10% of the open source components that were downloaded for use in other projects had known vulnerabilities. The lack of any SCA testing by many development teams means that it is highly unlikely that these issues were identified and remediated before the components were incorporated into a product and released into production.
Addressing the Supply Chain Security Challenge
The growing complexity of the cybersecurity threat landscape makes managing the exposure of an organization’s applications a significant challenge. Each year, tens of thousands of new vulnerabilities are discovered in production software. Remaining secure requires identifying any places where the vulnerable software may be in use within the organization and applying a patch if one is available.
With the growing number of dependencies included in each application, the complexity of this analysis is increasing rapidly. The lack of formal review processes for open source code included in a product means that an organization may not even be aware that their application depends on certain software and if that software has known and exploitable vulnerabilities.
The failure to perform SCA testing by many DevOps teams demonstrates that unscalability of traditional approaches to vulnerability management. As projects become more complex and dependent on more external components, the development team is unable to keep up with proper analysis and testing of all dependencies.
A specialized threat detection and protection solution like RASP is necessary to ensure that applications cannot be exploited even if they incorporate insecure components within their supply chain. RASP provides individualized protection to an application by sitting between it and external components and monitoring the application’s inputs, outputs, and behaviors.
Based upon this in-depth analysis of the application’s actions and on machine learning models of normal behavior, the RASP solution is capable of identifying and blocking even zero-day attacks based upon their impact on the application. If an application cannot trust even its own internal dependencies and components, it needs the level of granular protection provided by a RASP solution to help ensure both its security and that of the sensitive data that it processes.