This week GitHub launched a new service to help developers ferret out and fix vulnerable dependencies in projects hosted on the code repository.
Equifax's recent breach, affecting 145 million US consumers and several hundred thousand Brits, was a prime example of what can happen when you fail to discover and patch a flaw in open-source software, which for Equifax was Apache Struts, a popular Java library.
While Equifax's executives and its security team have been pilloried for the company's security deficiencies, its shortcomings are far from unique when it comes to out-of-date open-source libraries lurking in key business applications.
Following Equifax's disclosure in September, UK-based open-source vulnerability database operator Snyk scanned 1,000 open-source projects on GitHub and found 64 percent were still vulnerable to a severe remotely exploitable flaw, for which the Apache Foundation had provided patches in March. It was one of two flaws Equifax's attackers probably used to steal its database.
Snyk CEO and founder Guy Podjarny summed up the problem many developers face in securing open-source applications with lots of dependencies.
"When you use these open-source libraries, you're using crowd-sourced code and that has all sorts of security implications. It's like relying on Wikipedia for medical research. It's generally accurate and good, but not always good, and people don't track security risk," he told ZDNet.
The danger is heightened for known vulnerabilities. The recent WannaCry and NotPetya destructive malware outbreaks illustrated that many organizations allow publicly disclosed Windows flaws to linger in business-critical systems for months.
Microsoft released a patch for the infamous SMB flaw in March, yet WannaCry impacted over 300,000 PCs when it struck in June.
But at least major operating system vendors alert users and admins to the availability of updates. It's messier for applications that rely on dozens of shared libraries, many of which don't alert developers to a known problem.
Snyk's recent developer survey found that 16.3 percent don't update their dependencies and that fewer than half use tools to alert them to known vulnerabilities.
The average Node.js application uses "hundreds sometimes thousands" of dependencies in its tree, while there are generally fewer in Ruby and Python, explains Podjarny.
"But frankly this is in pretty bad shape across the board."
The results are much worse than those of a study earlier this year, which found that 37 percent of 133,000 websites include at least one library with a known vulnerability.
"Developers are just not aware of this concern," said Podjarny. "That's why it's important to build visibility controls into regular workflows."
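The "visibility control" Podjarny describes is, at its core, a walk over the dependency tree with each pinned version compared against a feed of advisories. The script below is an added illustration of that check, not code from GitHub, Snyk or any project named in the article. The advisory feed, the advisory identifiers, the package names and the lock file are all constructed for this example; the lock file follows the nested shape of an npm `package-lock.json` so that a vulnerable transitive copy of a package is found even when the direct copy is already patched.

```python
"""Toy dependency audit: walk a lock-file tree and flag versions inside an
advisory's affected range. Constructed example; not a real vulnerability feed."""
from typing import Dict, Iterator, List, Tuple

# Constructed advisory feed. Each range is half-open: affected if
# introduced <= version < fixed. Identifiers and package names are made up.
ADVISORIES: List[Dict[str, str]] = [
    {"id": "EXAMPLE-0001", "ecosystem": "npm", "package": "pad-helper",
     "introduced": "0.0.0", "fixed": "1.1.3", "severity": "high"},
    {"id": "EXAMPLE-0002", "ecosystem": "npm", "package": "query-tool",
     "introduced": "2.3.5", "fixed": "2.3.32", "severity": "critical"},
    {"id": "EXAMPLE-0002", "ecosystem": "npm", "package": "query-tool",
     "introduced": "2.5.0", "fixed": "2.5.10.1", "severity": "critical"},
]

# Constructed lock file in the nested shape of package-lock.json (v1).
# The direct pad-helper and query-tool entries are patched, but the copies
# nested under web-framework are not; only a tree walk catches them.
SAMPLE_LOCKFILE: Dict = {
    "name": "web-app",
    "dependencies": {
        "web-framework": {
            "version": "4.15.2",
            "dependencies": {
                "pad-helper": {"version": "1.1.1"},
                "query-tool": {"version": "2.5.10"},
            },
        },
        "query-tool": {"version": "2.3.32"},
        "pad-helper": {"version": "1.3.0"},
    },
}


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.5.10.1' -> (2, 5, 10, 1). Non-numeric parts count as 0.
    A production auditor needs a full semver/Maven comparator
    (pre-release tags, build metadata); this is deliberately minimal."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed, comparing zero-padded tuples."""
    v, lo, hi = (parse_version(x) for x in (version, introduced, fixed))
    width = max(len(v), len(lo), len(hi))

    def pad(t: Tuple[int, ...]) -> Tuple[int, ...]:
        return t + (0,) * (width - len(t))

    return pad(lo) <= pad(v) < pad(hi)


def walk_dependencies(node: Dict, path: Tuple[str, ...] = ()
                      ) -> Iterator[Tuple[str, str, Tuple[str, ...]]]:
    """Yield (name, version, path-from-root) for every node, transitive ones included."""
    for name, meta in node.get("dependencies", {}).items():
        chain = path + (name,)
        yield name, meta["version"], chain
        yield from walk_dependencies(meta, chain)


def audit(lockfile: Dict, ecosystem: str = "npm",
          advisories: List[Dict[str, str]] = ADVISORIES) -> List[Dict[str, str]]:
    """Return one finding per (dependency copy, advisory) match."""
    findings = []
    for name, version, chain in walk_dependencies(lockfile):
        for adv in advisories:
            if adv["ecosystem"] != ecosystem or adv["package"] != name:
                continue
            if version_affected(version, adv["introduced"], adv["fixed"]):
                findings.append({
                    "id": adv["id"], "package": name, "version": version,
                    "severity": adv["severity"], "fixed_in": adv["fixed"],
                    "path": " > ".join(chain),
                })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOCKFILE):
        print(f"{f['severity']:8} {f['id']}  {f['package']}@{f['version']}"
              f"  (fixed in {f['fixed_in']})  via {f['path']}")
```

Run against the constructed lock file, the audit reports two findings, both on the nested copies under `web-framework`, while the patched direct copies pass. The `path` field is what makes a finding actionable: it tells the developer which top-level dependency to bump so that the vulnerable transitive copy disappears.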