Open Source Vulnerability Management

Gartner asserts that open source components are present in more than 95% of a business’ applications and over 30% of most code bases. With a growing presence in software development, organizations need to adopt new tactics and policies to address open source vulnerabilities. By using a vulnerability management solution like Black Duck Hub to conduct an automatic open source vulnerability scan and document open source code, organizations are able to identify open source vulnerabilities within their code base as they are disclosed.


Exploring Open Source Vulnerabilities

Security is a key component of open source vulnerability management. While the goal of protecting sensitive information is core to any security strategy, there are some distinctions between open source and other software that must be understood to ensure proper management.

Key Distinctions:

  • Rapid Evolution: With a global community of contributors, open source projects evolve rapidly. Development teams must continuously track and incorporate new releases that may include critical security patches.
  • Vulnerability Testing: Vulnerabilities are present in all software, but open source vulnerability testing poses unique challenges. Open source vulnerabilities are often publicized and their exploits are readily available to malicious users. Organizations using open source must be vigilant and prepared to remediate vulnerabilities in a timely manner.
  • Component Dependencies: While an open source component may not itself contain vulnerabilities, it may depend on code that does. Proper vulnerability management requires a complete understanding of the code present in your third-party libraries and of the components those libraries in turn depend on.

A Complete Management Strategy

To establish an open source strategy, organizations must first identify the components of a reliable software security toolkit. Common security testing tools include industry standards such as Static and Dynamic Application Security Testing (SAST & DAST). However, to address the security of open source components, one must also employ Open Source Vulnerability Management (OSVM).


What is Open Source Vulnerability Management?

Open Source Vulnerability Management (OSVM) examines open source security risks, license compliance, and code quality risks at each stage in the SDLC. OSVM allows you to continuously monitor for new vulnerabilities which may impact your bill of materials (BOM).
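The two ideas above, a bill of materials that includes transitive dependencies (the "Component Dependencies" point) and re-checking that BOM whenever a new advisory is disclosed, can be shown in a small Python example. This is an added illustration, not Black Duck Hub's code: the package names, versions, dependency metadata and advisory records are all constructed for the example, and version ranges are compared as simple dotted integers.

```python
# Constructed sample data: an application's direct dependencies, and the
# dependencies each pinned package declares (stands in for a real lock file).
DIRECT_DEPS = {"webframework": "2.3.1", "imagelib": "1.0.4"}
PACKAGE_DEPS = {
    ("webframework", "2.3.1"): {"templating": "3.1.0", "httpclient": "0.9.2"},
    ("imagelib", "1.0.4"): {"compress": "1.2.0"},
    ("templating", "3.1.0"): {"markupsafe": "2.0.1"},
    ("httpclient", "0.9.2"): {},
    ("compress", "1.2.0"): {},
    ("markupsafe", "2.0.1"): {},
}
# Constructed advisory feed: (package, first affected version inclusive,
# fixed version exclusive, hypothetical advisory id).
ADVISORIES = [
    ("httpclient", "0.8.0", "0.9.5", "ADV-0001"),
    ("compress", "1.0.0", "1.1.9", "ADV-0002"),   # 1.2.0 is already past the fix
    ("markupsafe", "0.0.0", "2.0.2", "ADV-0003"),
]

def parse_version(v):
    """Dotted numeric version to a comparable tuple, e.g. '2.0.1' -> (2, 0, 1)."""
    return tuple(int(part) for part in v.split("."))

def build_bom(direct, package_deps):
    """Walk the dependency graph transitively and return {(name, version): path},
    where path records which chain of packages pulled the component in."""
    bom = {}
    stack = [(name, ver, [name]) for name, ver in direct.items()]
    while stack:
        name, ver, path = stack.pop()
        if (name, ver) in bom:          # already recorded (shared dependency)
            continue
        bom[(name, ver)] = path
        for dep, dep_ver in package_deps.get((name, ver), {}).items():
            stack.append((dep, dep_ver, path + [dep]))
    return bom

def match_advisories(bom, advisories):
    """Match every BOM entry against the advisory feed; this is the step that is
    re-run, without rescanning the code, each time a new advisory arrives."""
    findings = []
    for (name, ver), path in bom.items():
        for pkg, first_bad, fixed_in, adv_id in advisories:
            if pkg == name and parse_version(first_bad) <= parse_version(ver) < parse_version(fixed_in):
                findings.append((adv_id, name, ver, " -> ".join(path)))
    return sorted(findings)

if __name__ == "__main__":
    for finding in match_advisories(build_bom(DIRECT_DEPS, PACKAGE_DEPS), ADVISORIES):
        print(finding)
```

Both findings are in packages the application never lists directly; the recorded path is what tells the team which direct dependency to upgrade or pin.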

OSVM provides benefits beyond traditional SAST and DAST, including persistent monitoring and instantaneous identification of open source vulnerabilities. Where SAST and DAST measure exploitability, OSVM measures an application's exposure to open source vulnerabilities. To accomplish this, many companies perform a complete open source application security assessment to define risk using three key measures:

  • Security Risk – Risk that vulnerabilities in open source code expose data, functionality, user experience, and more to malicious activity.
  • Code Quality Risk – Risk associated with a waning open source community presence, lack of development activity, or out-of-date components. This requires time and talent to address, and can increase the likelihood of both security breaches and application failures.
  • Compliance Risk – Risk of litigation and threatened intellectual property. This can cause delays due to refactoring to avoid using code with unfavorable licenses.

A company’s plan for managing open source vulnerabilities determines the integrity of the applications it produces and the efficiency with which it does so. By automating a process for managing open source security and vulnerability testing, development teams experience fewer interruptions during the SDLC, helping businesses stay agile and secure.