Managing the security aspect of open-source software



How to manage the security aspect of open-source software.

In the past decade, open source software's popularity has increased, mainly because of lower costs and the fact that anyone can view and modify the code. Free and open source software, commonly known as FOSS, is a favourite target of hackers, who exploit security flaws and vulnerabilities in the code.

Weaknesses in code allow black hat hackers to carry out malicious attacks and perform unauthorised and unintended actions. A number of IT and business leaders make the mistake of assuming that open source is a guarantee of security, since the community collaborating on the source code will race to patch a vulnerability before attackers inject malware.

Why is Open Source Software Risky?

Open source is free and popular because development teams do not have to start projects from the ground up; instead, they take open source code and build on top of it to create applications. It is a commonly used route for rapid application development. The other side of the coin is that code which is freely available to the development community is equally available to attackers.

Attackers closely study and analyse open source code to identify vulnerabilities that can be exploited to get inside organisations and steal their sensitive data, amongst other malicious acts. Open source communities tend to be fast in reacting and rolling out patches and fixes. When (usually smaller) organisations do not have adequate resources to proactively update open source software, they might not be able to patch vulnerabilities in a timely manner – and that is bad news.

Because open source plugins, libraries, code bases and frameworks are so widely deployed, attackers are motivated to write scripts and malicious bots that exploit them at scale. Such was the case with the WordPress plugin Slider Revolution 4.1.4 (commonly referred to as the RevSlider exploit). Statistics show that organisations tend to pay a ransom immediately whenever open source software is affected, so hackers are more likely to take advantage of this trend and attack open source systems for a ransom payment.

Recently, technology giant Google dedicated 100m USD to groups working on improving open source security. A CISO helps an organisation keep a software bill of materials (SBOM). This list helps the organisation defend itself when a bug or vulnerability is discovered: by checking it, the organisation can verify whether it has and uses any vulnerable software that needs to be patched.

Cybersecurity hygiene is a constant struggle in many organisations. Lack of resources, outdated or non-existent security protocols, and sparse software patches and updates all lead to cyber risk and exposure. The increasing reliance on open source software leaves organisations exposed to potential open source vulnerabilities if it is not well managed. A zero trust culture is growing in popularity as a way to help avoid breaches.

Log4j Exploit – the worst open source vulnerability of all time!

One of the nastiest open-source software security vulnerabilities in years is undoubtedly Log4j. Towards the end of 2021, a zero-day vulnerability involving arbitrary code execution in Log4j 2.0 was made public by the Alibaba Cloud Security team. It was given the name ‘Log4Shell’ and is considered by critics to be the most critical vulnerability of the last fifteen to twenty years. Affected services included Cloudflare, iCloud, Minecraft: Java Edition, Steam and Twitter.

The Apache Software Foundation assigned Log4Shell the maximum CVSS severity rating of 10, citing the possibility that millions of servers could be vulnerable to the exploit. Tenable called the vulnerability “the single biggest, most critical vulnerability of the last decade,” and Lunasec’s Free Wortley called it “a design failure of catastrophic proportions.”

In the United States, Jen Easterly, the director of the Cybersecurity and Infrastructure Security Agency (CISA), labelled the exploit “critical” and advised vendors to prioritise software updates, while Germany's Federal Office for Information Security (BSI) described it as an “extremely critical threat situation”.

The feature that caused the vulnerability could be disabled using a configuration setting; that setting was removed in Log4j version 2.15.0-rc1 and replaced by various settings that restrict remote lookups, thereby mitigating the vulnerability. All JNDI-based features, on which this vulnerability was based, are disabled by default, and support for message lookups is removed beginning with version 2.16.0.
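The two ideas above, keeping a software bill of materials and knowing which Log4j versions are still exposed, combine naturally into a check an organisation can run on its own inventory. The following Python script is an added example and is not CyberGate's code: it reads an SBOM laid out in the shape of a CycloneDX JSON document (only the `group`, `name` and `version` fields of each component are relied upon), and classifies every Log4j component against the version bands given in the article (exposed below 2.15.0, remote lookups restricted from 2.15.0, message lookups removed from 2.16.0). The SBOM document embedded in the script is constructed for illustration.

```python
"""Check a software bill of materials (SBOM) for Log4j components that are
still exposed to Log4Shell, using the version thresholds the article gives.

Added example, not CyberGate's code. SAMPLE_SBOM is a constructed document
that follows the shape of a CycloneDX JSON SBOM; only the "group", "name"
and "version" fields of each entry in "components" are used.
"""
import json
import re

# Constructed sample SBOM with one component in each version band.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
        {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.15.0"},
        {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.17.1"},
        {"group": "log4j", "name": "log4j", "version": "1.2.17"},
        {"group": "com.fasterxml.jackson.core", "name": "jackson-databind", "version": "2.13.0"},
    ],
})

# Maven coordinates under which Log4j 2.x and the legacy 1.x line are published.
LOG4J_COORDINATES = {
    ("org.apache.logging.log4j", "log4j-core"),
    ("log4j", "log4j"),
}


def parse_version(text):
    """Turn '2.15.0-rc1' into a comparable tuple (2, 15, 0).

    Pre-release suffixes are dropped, so 2.15.0-rc1 is treated as 2.15.0,
    which matches the article's statement that the change landed in that rc.
    """
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part or 0) for part in m.groups())


def classify_log4j(version):
    """Map a Log4j version to a status string using the article's thresholds.

    Log4j 1.x does not have the Log4j 2 message lookup feature and is not
    affected by Log4Shell, but it is end-of-life, so it is flagged rather
    than silently cleared.
    """
    v = parse_version(version)
    if v < (2, 0, 0):
        return "not-affected-eol"
    if v < (2, 15, 0):
        return "vulnerable"          # JNDI message lookups enabled by default
    if v < (2, 16, 0):
        return "mitigated-upgrade"   # remote lookups restricted, feature still present
    return "fixed"                   # message lookup support removed


def find_log4j_exposure(sbom_json):
    """Return [(group, name, version, status)] for every Log4j component in
    the SBOM whose status is anything other than 'fixed'."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        key = (comp.get("group", ""), comp.get("name", ""))
        if key not in LOG4J_COORDINATES:
            continue
        status = classify_log4j(comp["version"])
        if status != "fixed":
            findings.append((key[0], key[1], comp["version"], status))
    return findings


if __name__ == "__main__":
    for group, name, version, status in find_log4j_exposure(SAMPLE_SBOM):
        print(f"{group}:{name}:{version} -> {status}")
```

Run against the sample SBOM, the script reports the 2.14.1 and 2.15.0 copies of log4j-core and the legacy 1.2.17 artefact, and stays silent about 2.17.1. In practice the SBOM would come from the build pipeline rather than being embedded, and the same structure extends to any other library by adding its coordinates and version bands.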

This vulnerability has been fixed in the official Minecraft: Java Edition launcher. The use of custom launchers or Java versions may indicate that the client has not been patched. Playing on servers that have not patched this vulnerability allows any player on the server to execute potentially malicious code on another client's computer.

Playing single-player or multiplayer on versions higher than 1.18.1 will result in a crash. This vulnerability can be avoided by playing single-player or multiplayer games on versions higher than 1.18.1. Versions lower than 1.7 are unaffected. If game server hosts are running versions 1.7-1.18, they must specifically patch their servers; otherwise, any player will be able to exploit this vulnerability.

Managing the security aspect of Open Source Software

First and foremost, organisations need to make cyber security a priority organisation-wide, allocating serious budgets, training their workforces and dedicating resources to it (if an in-house cyber security team is not an option, contract a reputable partner). In the case of open source software, ensure that all updates, fixes and patches are applied and that the organisation subscribes to exploit and update databases.

Penetration tests and vulnerability scans need to be carried out regularly to discover possible vulnerabilities and weaknesses before the bad actors do. Code audits must be an integral part of the process when using open source software (and not only then), and a best practice is always to harden open source applications and minimise the attack surface.

Cyber security is a growing concern for most organisations. Get in touch with one of our experts to discover how you can safeguard your systems, applications, data and people.

Francesco Mifsud

I live and breathe cyber security and everything else in the discipline. With around a decade of experience in the industry, I have had the opportunity to develop skills in penetration testing, cloud security, reverse engineering & exploit development, application security engineering, management and organisation-wide cyber security strategy. I hold a well-rounded set of security certifications such as OSCP, eWPTX and CISSP and have delivered training & workshops at some of the most prestigious hacking conferences, such as DEF CON, BruCON, BSides London and BSides Manchester.