Open source's big weak spot? Flawed libraries lurking in key apps

To avoid becoming the next Equifax, it could be a good idea to scan your apps for vulnerable open-source libraries.
Written by Liam Tung, Contributing Writer on


This week GitHub launched a new service to help developers ferret out and fix vulnerable dependencies in projects hosted on the code repository.

The service could be a major improvement for developers who don't, for a variety of reasons, stay abreast of known flaws in popular libraries for Ruby, JavaScript, and Java applications.

Equifax's recent breach, affecting 145 million US consumers and several hundred thousand Brits, was a prime example of what can happen when you fail to discover and patch a flaw in open-source software, which for Equifax was Apache Struts, a popular Java library.

While Equifax's executives and security team have been pilloried for the company's security deficiencies, those shortcomings are far from unique when it comes to out-of-date open-source libraries lurking in key business applications.

Following Equifax's disclosure in September, UK-based open-source vulnerability database operator Snyk scanned 1,000 open-source projects on GitHub and found 64 percent were still vulnerable to a severe remotely exploitable flaw, for which the Apache Foundation had provided patches in March. It was one of two flaws Equifax's attackers probably used to steal its database.

Snyk CEO and founder Guy Podjarny summed up the problem many developers face in securing open-source applications with lots of dependencies.

"When you use these open-source libraries, you're using crowd-sourced code and that has all sorts of security implications. It's like relying on Wikipedia for medical research. It's generally accurate and good, but not always good, and people don't track security risk," he told ZDNet.

The danger is heightened for known vulnerabilities. The recent WannaCry and NotPetya destructive malware outbreaks illustrated that many organizations allow publicly disclosed Windows flaws to linger in business-critical systems for months.

Microsoft released a patch for the infamous SMB flaw in March, yet WannaCry impacted over 300,000 PCs when it struck in June.

But at least major operating system vendors alert users and admins to the availability of updates. It's messier for applications that rely on dozens of shared libraries, many of which don't alert developers to a known problem.

Snyk's recent developer survey found that 16.3 percent don't update their dependencies and less than half used tools to alert them to known vulnerabilities.

GitHub's new security alerts could help in this respect. Snyk is assisting GitHub with the scan for known open-source vulnerabilities, which initially focuses on JavaScript and Ruby and will include Python next year. GitHub will also provide suggested fixes from its developer community.

Microsoft's new project Sonar and Google's tools in Chrome Lighthouse also use Snyk's database to help web developers spot and patch known flaws in JavaScript libraries as part of a broader audit for website performance issues.

The challenge for developers in JavaScript and popular JavaScript runtimes, such as Node.js, is exacerbated by the sheer number of dependencies used.

The average Node.js application uses "hundreds sometimes thousands" of dependencies in its tree, while there are generally fewer in Ruby and Python, explains Podjarny.
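The point about deep dependency trees is that a vulnerable library is often pulled in transitively, several levels below anything the developer chose. The following is an added example (not code from the article, Snyk or GitHub) that walks a package-lock-style tree and matches each package version against a small, constructed advisory list using OSV-style introduced/fixed ranges; the package names, advisory ids and the `audit` helper are all hypothetical.

```python
# Added example: audit a Node.js-style dependency tree against a constructed
# advisory list, reporting transitive hits with the path that pulled them in.
from typing import Dict, Iterator, List, Tuple

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.2.3' into (1, 2, 3); pre-release/build suffixes are dropped."""
    core = v.split("-")[0].split("+")[0]
    return tuple(int(x) for x in core.split("."))

def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """OSV-style range check: affected if introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)

def walk(tree: Dict, path: Tuple[str, ...] = ()) -> Iterator[Tuple[str, str, Tuple[str, ...]]]:
    """Yield (name, version, path) for every node in a nested 'dependencies' tree."""
    for name, node in tree.get("dependencies", {}).items():
        here = path + (name,)
        yield name, node["version"], here
        yield from walk(node, here)          # recurse into transitive deps

def audit(lock: Dict, advisories: List[Dict]) -> List[Dict]:
    """Return one finding per (advisory, installed copy) pair, with the dep path."""
    by_name: Dict[str, List[Dict]] = {}
    for adv in advisories:
        by_name.setdefault(adv["package"], []).append(adv)
    findings = []
    for name, version, path in walk(lock):
        for adv in by_name.get(name, []):
            if is_affected(version, adv["introduced"], adv["fixed"]):
                findings.append({"id": adv["id"], "package": name, "version": version,
                                 "fixed_in": adv["fixed"], "path": " > ".join(path)})
    return findings

# Constructed sample data: hypothetical packages and advisory ids, not real ones.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "tiny-template", "introduced": "0.0.0", "fixed": "2.4.1"},
    {"id": "EXAMPLE-0002", "package": "widget-parser", "introduced": "1.0.0", "fixed": "1.3.0"},
]
LOCK = {"dependencies": {
    "web-app-kit": {"version": "3.1.0", "dependencies": {
        "tiny-template": {"version": "2.3.7"},      # transitive, vulnerable
        "widget-parser": {"version": "1.3.2"}}},    # transitive, already fixed
    "widget-parser": {"version": "1.1.0"},          # top-level duplicate, vulnerable
}}

if __name__ == "__main__":
    for f in audit(LOCK, ADVISORIES):
        print(f"{f['id']}: {f['package']}@{f['version']} via {f['path']} (fix: {f['fixed_in']})")
```

The same package can appear more than once at different versions in one tree, so the audit reports each installed copy separately rather than deduplicating by name.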

"JavaScript specifically is a bit more susceptible, especially on the front end, because of no prompts and the prevalent use of third-party services. So you're pulling into your page JavaScript from myriad JavaScript sources, from like 20 to 30 domains, and each of those might introduce a vulnerable library into your codebase," said Podjarny.

"But frankly this is in pretty bad shape across the board."

Thanks to Snyk's integration with Chrome's Lighthouse, the company now has a clearer picture of how big the JavaScript dependency mess is. The Internet Archive's HTTP Archive started tracking this figure in October and will report changes over time.

A previous scan by Snyk looked at the top 5,000 URLs on Alexa, but the latest scan, covering over 400,000 URLs through Google's BigQuery, found that 77 percent contained at least one vulnerable client-side JavaScript library.

The results are much worse than a study earlier this year that found 37 percent of 133,000 websites include at least one library with a known vulnerability.

"Developers are just not aware of this concern," said Podjarny. "That's why it's important to build visibility controls into regular workflows."


Snyk CEO Guy Podjarny: "When you use these open-source libraries, you're using crowd-sourced code and that has all sorts of security implications."

Image: CNET
