Contact Us

Tag: security

What are Open Source Security Challenges and How to Avoid them?

Posted on by Pavel Tantsiura
In this issue:

 The use of open-source software is a common way of web/mobile application development that benefits both the companies and the broader development community. It is one of the driving forces of technological progress. However, the openness it provides also brings its own set of challenges you need to be aware of. 

In this article, we will explain the significant challenges of applying open-source software and the ways of avoiding them.

What are open-source security risks?

Exploits in software applications are a natural occurrence both in open source and proprietary products. These exploits present possibilities for a hacker to shake things a little and compromise the security of the system.

These things can range from mistakes and oversights in the code to full-blown backdoors used to monitor and test applications (NSA loves that stuff). 

While proprietary products are relatively safe and under wraps, open-source software is under threat. 

You might think, “if things are so rough – then why bother using open source software at all?”. Here’s why.

In one way or another, software development revolves around open source products. Some companies don’t even understand how many different open-source tools constitute their products. 

The list includes: 

  • Code libraries (NLTK)
  • Operating systems (Linux)
  • Various software applications for different use cases (performance testing tools, DLP, development frameworks, etc.)

According to a study by Synopsys, up to 96% of commercial software applications contain elements from open source in their structure. 

Why is it so? There are three reasons:

  • Cost-effectiveness – there is no point in reinventing the wheel when it comes to software development. Making your own tools for a project can take a significant chunk of time. There many different libraries and tools available in open-source that can handle the majority of development needs.
  • Flexibility – the variety of open-source tools provide enough room to figure out the best possible configuration for the project.
  • Speed – working with already existing tools saves time for mastering the tools and testing the possibilities, and instead, lets the team focus on the development process entirely.

The most common results of taking advantage of exploits are security threats like Data breaches and Denial of Service attacks. 

  • Data breach – when sensitive information is accessible to an unauthorized third party
  • DoS – when the service is shut down, overloaded or otherwise impossible to use correctly.

Open Source Security Risks to Be Aware Of

Exploits are out in the open

One of the prerequisite features of an open-source project is that its code is available to the public. The availability of the code is one of the major driving forces for the rapid evolution of an open-source project. Any member of the community can contribute in some way, including identifying emerging vulnerabilities before others can exploit them maliciously. Hackers can do that. Given the fact that open-source tools may serve as a backbone for the product – this nuance creates a significant concern.

The handling of the open-source security risks is more or less a question of time. Either you get there first, and update the code, or this will be a cybercriminal who will gladly mess with the system.

National Institute of Standards and Technology (NIST) maintains the National Vulnerability Database (NVD) that keeps the developer’s community on the same page regarding the state of security in various applications.  The database includes all reported exploits found across multiple software applications. As such, it is a community’s way of keeping threats under control. NVD is an excellent source of information.

It is important to note that among the people who like to surf it is hackers. They tend to take note of the exploits, especially those that are yet to be fixed by the project development.

The most prominent example of taking advantage of an open-source exploit is the 2017 Equifax hack. The hackers found out that the system was using a version of the Apache Struts framework with several reported and unfixed exploits. This discovery led to one of the most significant reported data breaches. 

Possible infringement risks

The thing with open-source as a concept is that:

  • it is a contribution to the community first; 
  • the product second. 

Because of its free-for-all status, open-source does not operate under standard commercial regulations. 

This vagueness creates an underlying issue as open-source tools may contain elements of the proprietary code, i.e., somebody else’s intellectual property. 

On its own, this is not an issue in the open-source product itself. It becomes an issue when the open-source applications, with the unregulated segments of the proprietary code, are used in the development of the commercial product

One of the most prominent recent infringement cases is IBM v. SCO Group. Here’s what happened: in 2001, IBM had released an operating system called “Project Monterey.” It contained elements of UNIX System V code owned by SCO Group under a standard license agreement. At the same time, IBM had contributed sections of the Project Monterey with elements of UNIX System V code to the Linux kernel. 

This led to a long-running lawsuit from the SCO Group. The company claims that the alleged presence of the proprietary code in the open-source was a case of misappropriation of trade secrets that: 

  • devalued their product; 
  • caused unfair competition; 
  • ultimately led to the company’s bankruptcy. 

As a result, they sought billions in compensation. 

That’s an extreme case, but it is a good illustration of possible consequences. How to avoid this kind of situation? 

  • Proper due diligence of the open-source tools is the best way of keeping things under control. 
  • Supply chain component analytical tools like DependencyTrack can automate the majority of the routine and let you react swiftly to any possible problems. 

Managing Licenses

The other issue that emerges from a lack of commercial regulations of the open-source software is the license conundrum.

Here’s why. The development of proprietary software often involves numerous open-source elements – libraries, frameworks, tools, etc. These elements are released under different license types (for example, Apache license for data processing frameworks) with distinct compliance requirements. 

As a result, the proprietary application gets entangled in the net of different licenses, all of which need full compliance. Non-compliance puts the company at risk of legal action, which is damaging for reputation and financial resources. 

An excellent example of the consequences of open-source license non-compliance is the recent case of Panasonic Avionics Corporation v. CoKinetic Systems Corporation

  • CoKinetic claims that Panasonic had intentionally ignored the General Public License to hold back the competition.
  • The thing is – Panasonic in-flight hardware uses a Linux-based operating system, which adheres to GNU General Public License. 
  • One of the requirements of this license says if the GPL-licensed tool is used to develop a piece of software, this application requires a release in open-source under the same license. 
  • Panasonic hadn’t done that, and from the perspective of CoKinetic, it blocked the competition and monopolized the market. 

The lawsuit is nowhere near protecting community standards. In reality, it is messing with the competition, as a kind of attempt to disrupt the workflow and damage the credibility of the company.

How to avoid this issue from happening?

  • License tracking is a dubious routine that requires transparency and caution. 
  • You need an excellent DevOps engineer to handle it and keep it intact. 
  • The primary tool to keep open-source licenses under control is software composition analysis apps like Blackduck, SourceClear, and WhiteSource. 

This combination provides a full view of the software components used in the application and allows you to manage any emerging licensing issues with relative ease.

Operational Inefficiency

Operational inefficiency is one of the biggest technical challenges that come with open-source software. 

The chain of events is as follows: 

  • you are using a version of a program for some purpose; 
  • someone reports on the new exploit; 
  • the latest update is pending. 
  • the emergence of an exploit creates a security risk, and you need to react swiftly.

Here’s where the challenge comes. 

There are higher priorities to take care of when it comes to software development. You need to get the thing working, optimize it all the way through, fix bugs, and handle glitches. Things like open-source software updates, and emerging security risks, usually slip away in the heat of the moment for the sake of more important things. 

That’s how the Equifax leak became reality.

How to avoid this problem? 

  • Provide transparency of the development inventory to keep the team on the same page regarding the state of the toolkit.
  • Use software composition tools to streamline the management process and implementation of updates.
  • In case of abandoned or infrequently updated open-source tools (which happens all the time), the developers need to fix the issue on their own. 

Faulty code copy-pasting 

The development process consists of routine operations. Code copy-pasting is one of them. While it is a standard operation on its own, it is what is copied and pasted that can create a significant security threat. 

The thing – developers often copy-paste the code directly from open-source libraries. As was previously mentioned, there is a chance of having an exploit inside a copied code. That is one part of the problem.

The other part of the problem is that once the code snippet is in the codebase – it is a part of an application. It is hard to update that particular snippet, and remove the exploit after the fact, without disrupting the workflow. In other words, it is like shooting yourself in the foot.

The solution to this problem is simple. 

  • You need to forbid any direct copy-pasting from open-source repositories and insist on mandatory code reviews before implementation. 

What’s next?

These are all of the significant open source security challenges you need to be aware of to avoid getting into trouble.

These days the issue of transparency and trust between the company and the user is at its peak. If the company wants to establish their product as trustworthy in the eyes of the user – the use of open source security is one of the surefire ways of showing that. 

On the other hand, going open source paves the way for the further evolution of the product – the refinement of existing features, fixes of flaws, and addition of new elements.

The Best Practices for Cloud Security You Can Choose from

Posted on by Pavel Tantsiura
In this issue:

Ever since the great discovery of the Internet, the world has never been the same. A lot of technology has made available due to this single discovery, with the most recent one being the cloud. Cloud technology has aided some business transaction and entertainment opportunities thanks to the dynamic cloud computing strategies and the numerous file-sharing opportunities. However, security in the cloud remains one of the major concerns businesses and organizations have to face at one point in time.

The idea of running your business operations and storing data on a virtual network that you have little control of is not only economical but also manageable. However, this is not the case. According to last year’s statistics on cloud security, CloudPassage found out that cloud security is still the number one concern in this industry. According to the research findings, at least 53% of the individuals interviewed noted that “general security risks” is the number one impeding factor for adopting cloud technologies. 91% percent of those surveyed were either “very concerned” or “averagely concerned” about this technology.

From the above observation, it is evident that cloud security is a pain to most businesses and organizations. Therefore, to ensure that everything runs smoothly, business CEOs and CTOs are advised to adopt best practices for cloud security in their business. The following article seeks to explain why this is important and also educate all stakeholders on the best cloud security strategies to adopt in 2017.

Why is the security of cloud computing so important to business?

Currently, at least 90% of businesses have taken their businesses to the cloud. While this number is slightly higher for large- and medium-scale businesses compared to the small business enterprise, the benefits of cloud computing are equally important to both divides if the security of cloud computing is guaranteed. The following are some of these benefits:

Helps your business reduce IT costs

Most businesses are moving their operations to the cloud to reduce the huge costs associated with running a business. Move your operations to the cloud only if you have invested in the latest cloud security models. Thanks to the secure cloud computing services, you can save money by:

  • Reducing the wages of staff as you will employ fewer IT experts compared to the manual system
  • Minimizing your energy expenses as you will use fewer computers as storage systems
  • Reducing operational time lags in your systems
  • Reducing the frequency of upgrading your IT systems

Scalability

One of the main objectives of the business is to grow and increase both in size and in operations. Thanks to cloud computing, businesses can achieve this with much ease. A secure cloud hosting platform means that your business can adjust to its growth thus helping it save money, time and other resources that could have been spent on improving the manual IT systems.

Promotes flexibility

A secure cloud computing service means that you can work from anywhere and at any time. Thanks to cloud technologies, data is stored online and can be accessed from any place using any device. Cloud database security, on the other hand, guarantees that the data you are storing online is always secure and cannot be corrupted or interfered with at any time.

Download Free E-book with DevOps Checklist

Download Now

The best cloud security practices to adopt

Cloud technologies are rapidly changing nowadays. Due to the rapid changes in technologies and the numerous cloud computing vulnerabilities, businesses are left with no option but to improve their cloud security strategies as well. The following are some of the practices you will find handy in 2017.

Understand your model

When planning cloud security, this is one of the most important factors to consider. Arguably, security in the cloud is a shared responsibility that both the business owner and the service provider need to pay attention to.

Different individuals define cloud computing technology differently. The following diagram is a representation of how you need to approach your computing security issues as explained by Platform as a Service (PaaS), Infrastructure as a Service (IaaS), Microsoft Azure, and Amazon Web Services (AWS).

Cloud Security Best Practices

Data encryption

Data encryption is one of the most recent security features for cloud computing you will come across in 2017. With the many instant messaging applications that exist in the market today, your data might not be safe. Make use of the latest encryptions and encrypt your data while in storage and also during transit.

Carry out audit and test your strategy

When considering cloud computing and information security, you need to know that even the most robust strategy is highly vulnerable to the ever-evolving hackers. Therefore, once you have chosen the most suitable security of cloud computing, you will need to check and ensure that you are duly covered. Test your strategy and then stop at the strategy that offers you maximum protection.

With the direction most businesses are taking towards cloud computing, it is undeniably true to say that cloud technology is the future of business. While this is true, threats from different angles are continually causing a challenge to most businesses. To be able to enjoy the numerous benefits of cloud computing, cloud security is key.

Want to receive reading suggestions once a month?

Subscribe to our newsletters