Following up with open-source vulnerabilities: Handling cyber risks
Copyright holders of open-source programs, scripts, batch files grant other users and developers legal rights to modify, update, change and distribute for any purpose. In fact, in a world where cybersecurity issues are shaking the toughest barrels, open sources are fighting a tough battle. Nonetheless, every application has weak points, it’s just a matter of time when it will be discovered.
There are a few strategies to keep in mind regarding open-source vulnerabilities. If we browsed through GitHub and Stack Overflow, there are thousands of open-source programs. Some of which are used by large companies more than personal. Open-source saves companies and individuals tons of money. Which means it’s not going anywhere anytime soon. During the 2018 Equifax breach, we understood the vulnerabilities and consequences despite many benefits. A solution that came through the ladder was proper maintenance.
According to a 2021 report by Synopsys, more than 1,500 codebases were compromised with vulnerabilities and conflicts. Around which 17 industries were involved. Open-Source Security and Risk Analysis (OSSRA) reported the matter for a sequence of six long years. Today codes are not only meant to find a solution, it benefits more if the scripts are more optimised. Meaning security in a low number of lines. But many owners are not aware of the vulnerabilities.
Synopsys also reported an average of 528 open-source components which is used on single application platforms. So, in this 84 per cent codebase, there may be 158 vulnerabilities per codebase. Dr David Wheeler, Open-Source Supply Chain Security at Linux told that “I want to emphasize that software is under attack.” But he also said, “just because there is a dependency that’s a vulnerability”. It doesn’t mean the situation is exploitable.
To avoid open-source complaints, companies need to avoid the strategy fully. But it will increase the cost to run programs by a 50 per cent margin. And for large enterprise and organization, this number can pile to be huge. The time required for development will also increase by 50 per cent. Common Vulnerabilities Enumeration (CVE) listed more than 8,000 new vulnerabilities during the 2017 National Vulnerabilities Database campaign.
Many companies work closely with GitHub and internal IT management push codes with permissions to apply on components. Those components can be of the real world or in a sandbox machine. Many popular services and applications use the open-source library that we use daily. Holding behind the long-standing secure software design is a commitment. There are a few practical solutions. Developers should learn to design the software with the most adequate practices. Meaning security should be kept in mind with organised workflow. The standards should be met with customer reliability and breach probability. Thinking of breach probability means there should be backup to navigate through security and get everything on quickly in case there is a disaster. Automating software design is another option.
Statics says software that went through secure automation for a long period tend to be safer than the ones designed and deployed early. That’s why many companies prefer beta or alpha testing and user statics.
The programming language also makes a difference. As there is no guarantee but certain languages make more sense than others in certain projects. Similar to all the common OS that mass use, there is also a chance software’s are developed in C or C++. Memory allocation is not very safe in these but other aspects are better. In C and C++, most out of access arrays, and bounds can be captured immediately, as they can cause undefined behaviour.
“If” a vulnerability is discovered, it should take little to no time to update. Implementation of urgent security deployment is essential. Automated tools can be used to fix further problems.