Slashdot Mirror
The Percentage of Open Source Code in Proprietary Apps is Rising (helpnetsecurity.com)
Zeljka Zorz, writing for Help Net Security: The number of open source components in the codebase of proprietary applications keeps rising and with it the risk of those apps being compromised by attackers leveraging vulnerabilities in them, a recent report has shown. Compiled after examining the findings from the anonymized data of over 1,100 commercial codebases audited in 2017 by the Black Duck On-Demand audit services group, the report revealed two interesting findings:
96 percent of the scanned applications contain open source components, with an average 257 components per application. The average percentage of open source in the codebases of the applications scanned grew from 36% last year to 57%, suggesting that a large number of applications now contain much more open source than proprietary code.
96 percent of the scanned applications contain open source components, with an average 257 components per application. The average percentage of open source in the codebases of the applications scanned grew from 36% last year to 57%, suggesting that a large number of applications now contain much more open source than proprietary code.
Sounds like they're using Maven or NPM. Both include a ridiculous number of transitive dependencies.
Open source and security
Open source is neither more nor less secure than custom code, the analysts noted, but there are certain characteristics of open source that make vulnerabilities in popular components very attractive to attackers.
The main one is that, unlike commercial software, where updates are automatically pushed to users, open source has a pull support model, meaning that users are responsible for keeping track of vulnerabilities, fixes, and updates for the open source they use.
“Open source can enter codebases through a variety of ways, not only through third-party vendors and external development teams but also through in-house developers. If an organization is not aware of all the open source it has in use, it can’t defend against common attacks targeting known vulnerabilities in those components, and it exposes itself to license compliance risk,” the analysts added.
The average percentage of open source in the codebases of the applications scanned grew from 36% last year to 57%, suggesting ...
... that there is an increasing likelihood that the audited code bases contain more code that has received an independent peer review of some sort. Whereas, the remaining proprietary almost certainly has not received independent peer review.
The article itself contains this bit:
... unlike commercial software, where updates are automatically pushed to users, open source has a pull support model, meaning that users are responsible for keeping track of vulnerabilities, fixes, and updates for the open source they use.
That makes me wonder about some things. The article is supposedly about proprietary apps, not proprietary components. If I, as a commercial software developer, license a commercial library for something, the vendor of that library does not "push" updates into my code base. I still have to decide to upgrade (assuming my maintenance contract is current and I have that option).
Also, they don't bother to specify whether their audit accounts for whether the developer is using the code under an open source or a commercial license. For example, Java can be used open source (as in OpenJDK) or via a commercially supported license from Oracle. They also mention license compliance risk, which is yet another red herring. Commercially licensed components also carry a compliance risk with them.
This just seems like yet another article trying to scare engineering and development managers into purchasing the services of audit and compliance outfits. Or, put another way, nothing to see here.
unlike commercial software, where updates are automatically pushed to users
This is nonsense. Most commercial software does NOT automatically push updates to users.
Also, most commercial updates focus on new features (which people will pay for) rather than bug fixes and security fixes.
The open source security model works fine for an open source model.
The closed source security model works fine for a closed source model.
Mixing them is where the problems come up.
The open source model works because when a flaw is found it can be fixed and pushed... Except when it is in a closed source app, so such fixes cannot be put in until the company decides to do the fix. Where it wasn't there code they may be less willing to do that.
The closed source model relies on the fact that problems are harder to find, allowing closed source apps to get away with flaws and giving them time to fully fix and patch the systems before it goes too far.
When you mix them. Such as closed source tools in an open source app then if a closed source problem is found, the open source app doesn't have a way to fix it, but it is public that they are using that tool. And a closed source app using an open source plugin, means there are a lot of eyes that know which particular flaw they can use.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
When you know, or think, that your application has some open source code in it, you use Black Duck to catalog the open source code.
When you wrote an application yourself and know you didn't use open source code, you don't go paying Black Duck to tell you what you already know.
Of course most codebases that people use Black Duck on have open source code - that's what Black Duck is for, listing which parts are OSS. It's like saying "96% of people who called Water Leak Locators had a water leak. Well no shit, you don't hire someone to find the water leak unless you think you have a water leak.
Occasionally, people use Black Duck to show someone else that there isn't OSS code, but normally if you don't have OSS code, you don't need to go looking for what isn't there.
Open Source != GPL. A lot of the software mentioned here very well could be more permissive license. Consider how much software uses OpenSSL(and usually packages their own version with it).
The same problem exists in open-source world too. Tons of packages bundle other packages inside. This is such a pervasive problem, FreeBSD, for example, has a special page instructing porters to fight it — and many still don't...
OpenOffice used to be the worst offender, bundling just about everything (python, libxml, boost, xmlsec — you name it). Firefox and Thunderbird continue to bundle their own jpeg, nspr and nss, vpx, vorbis and ogg, zlib and bz2, ICU an graphite2, harfbuz — something, a building system needs to patiently overwrite with --with-system-foo for every "foo".
There is nothing to lose from mixing open- and closed-source. The more of the former, the better. Moreover, the sole reason the latter even exists is to protect proprietary secrets from competitors. Including, as so often happens, the secret of how bad it is...
Yeah, this is known as the infamous "security through obscurity". It may be harder to find for a script-kiddie — who would not find it in an open-source package either — but not for dedicated professionals, who research exploits for a living and sell them to the highest-bidders.
You may think you have time to fix your code and ship an update, but you really don't. And, if you are a customer, you are completely at the vendor's mercy — without the source code, you can't fix it yourself.
In Soviet Washington the swamp drains you.
This has been the argument against open source for over 25 years â" and it has been debunked for about that long... Are we really reading this again in 2018? Why is this FUD even on Slashdot's front page?
It's been debunked in open source software, but there are many ancient and abandoned versions of open source libraries in closed source software, either because nobody takes responsibility or they're relying on some deprecated API or custom modifications. Which is a pretty big risk when an exploit is found in the current code base, that library will get rebuilt and pushed out to Linux distributions but not your average random COTS software. But they seem to be pushing for Win10-style force fed updates, whether you like it or not. I suppose it's necessary for idiots who refuse to patch and become part of the latest botnet, but keep that far away from me...
Live today, because you never know what tomorrow brings