10 open-source software security risks
Around 84% of codebases contain one or more open-source software vulnerabilities. Take Openfire, for example – a widely adopted Java-based open-source chat server. Cybersecurity experts recently found Openfire servers susceptible to CVE-2023-32315, a vulnerability that allows hackers to generate new administrative accounts.
Organizations often use open-source software due to a wide range of benefits. Unfortunately, cybercriminals can abuse the publicly available open-source software code, posing serious consequences for your clients. Breaches can lead to loss of sensitive data, financial losses, brand damage, downtime, customer attrition, and legal penalties.
MSPs must have an in-depth understanding of open-source software security risks and the knowledge to protect clients from these potential risks.
What is open-source software?
Open-source software refers to any software where the source code is open to the public. This software is maintained via open collaboration and made available for anyone to inspect and modify. This allows users to customize it according to their needs instead of buying out-of-the-box software or building new software. Some of the most popular open-source software include:
- Mozilla Firefox
- VLC Media Player
- Linux (Kernel)
Organizations may prefer open-source software because:
- Cost savings: For example, clients can use Linux for free instead of paying for Windows licensing.
- Ease of customization: Organizations can customize an open-source CMS, such as WordPress, to fit their web and industry requirements.
- Community support: Open-source software is often supported by a community of developers. For example, clients can use PostgreSQL as a DBMS instead of a paid MS SQL Server.
Common open-source software security risks
Despite their many benefits, there are certain open-source software security risks. MSP teams need to have a solid understanding of these risks to safeguard their clients from cybercriminals.
Risk explanation: Usually, open-source software has some form of licensing agreement tied to it. These agreements describe how you can use and distribute the code. With a permissive license, you can use the code freely, add it to your proprietary application, and use that application commercially. All you have to do is acknowledge the original creator.
However, with a copyleft license, if you repurpose and distribute code, it’s necessary to make that code available to others. This is obviously a problem for companies that are looking to use open-source software for their proprietary software. Failing to abide by a copyleft license can lead to legal implications.
Likelihood of risk occurrence: Low. These usually occur because different contributors from around the world might interpret licensing agreements incorrectly. Also, some agreements can be overly complex.
Example: Oracle filed a lawsuit against Google for copyright infringement, claiming Google misused Java APIs and violated copyrights.
Risk explanation: In many cases, open-source projects aren’t maintained regularly. When software remains unmaintained for a long time, it can become vulnerable to security threats. You might even get incomplete software functionality due to a lack of updates.
Likelihood of risk occurrence: High. Due to the decentralized nature of open-source projects, many contributors lose interest, making them outdated after a while.
Example: StackRot, designated as CVE-2023-3269, is a critical vulnerability in the Linux kernel's memory management subsystem. Discovered in July 2023, malicious actors can potentially exploit this vulnerability to achieve privilege escalation, allowing unprivileged users to compromise the kernel and gain elevated system access. This security flaw posed the risk of unauthorized access for businesses, requiring them to apply the latest patches to prevent malicious actors from entering their systems.
Publicly-available source code
Risk explanation: Transparency is one of the biggest strengths of open-source projects. With this said, it can turn into a weakness if a lurking attacker studies the source code and manages to identify a way to break in. This can lead to unauthorized access and system disruptions.
Likelihood of risk occurrence: Moderate. The openness of open-source projects allows attackers to study code for weaknesses.
Example: In March 2023, security experts found a vulnerability within WooCommerce, one of the most popular open-source source WordPress plugins. The flaw allowed remote users to masquerade as administrators, gaining full control over the WordPress site.
Lack of oversight of source code for security
Risk explanation: When an MSP fails to keep track of source code changes in their client’s open-source projects, cybercriminals can take advantage of this negligence. This oversight can be caused by lack of resources, expertise, or processes to thoroughly review the source code for vulnerabilities.
Likelihood of risk occurrence: High. Contributors are spread throughout the world. The decentralized nature of open-source development can make it hard to enforce security reviews and practices.
Example: Ghostscript, an open-source interpreter for PostScript language and PDF files, recently revealed a critical remote code execution vulnerability. This flaw poses a severe threat, particularly in the Linux ecosystem, as Ghostscript is a default component in many Linux distributions. As a result, the lack of oversight of this project’s codebase can lead to the exploitation of applications like Inkscape, GIMP, and LibreOffice.
Uncertain long-term sustainability
Risk explanation: Sometimes, open-source projects get abandoned. They don’t get funding or lack enough contributors. If you have installed such software, your clients will fail to get support, updates, and security patches.
Likelihood of risk occurrence: Low. However, you can’t predict the future of an open-source project.
Example: In June, Python 3.7’s official support ended. This means that businesses that still choose to run Python 3.7 will have difficulty securing the code because there will be no official security fixes and improvements.
Operational issues with open-source components
Risk explanation: When you use open-source components, your team can face issues, such as incompatibility, poor documentation, and insufficient support. These operational complications can make it hard for your clients to use software seamlessly and compromise security.
Likelihood of risk occurrence: Moderate. It depends on a project’s maintenance history.
Example: In 2022, Microsoft researchers warned that hackers were exploiting a deprecated web server, Boa, used by IoT devices in the energy sector. Their experts identified a vulnerability in Boa’s open-source component, which is used in routers and security cameras.
Bad developer practices
Risk explanation: Contributors in open-source projects don’t always follow best security practices. They can indulge in bad practices, such as hardcoding credentials, lack of input validation, improper error handling, and using deprecated functions.
Likelihood of risk occurrence: Moderate. Open-source projects attract good and bad developers at the same time. Some projects don’t have a proper code review policy, which can make them more vulnerable to bad practices.
Example: In June 2023, a security flaw known as an SQL injection vulnerability was detected in MOVEit Transfer, an open-source web application. This vulnerability could potentially enable an attacker without proper authentication to illegally access the MOVEit Transfer database. This incident underlined the need for implementing better development practices.
Under and oversized dependencies
Risk explanation: Undersized dependencies happen when an open-source project is missing core security updates or features, while oversized dependencies occur when unnecessary or excessively large external libraries are found in an open-source project. This leads to larger codebases and an increased attack surface for hackers.
Likelihood of risk occurrence: Moderate. Developers need external libraries for various use cases, but without a careful assessment, it can lead to poor dependency management.
Example: In July 2023, GitHub detected a small-scale social engineering campaign aimed at the personal accounts of tech company employees. This scheme employs a blend of repository invitations and harmful NPM package dependencies. These projects, GitHub notes, incorporate malicious NPM dependencies designed to fetch additional malware onto the devices of the targeted individuals.
Risk explanation: Inconsistent quality refers to the fluctuations in the reliability, security, and quality of your open-source software, which can vary over time and across different versions.
Likelihood of risk occurrence: Moderate. The diverse nature of contributors to open source platforms can lead to inconsistent levels of quality. Some contributors can be seasoned developers with extensive knowledge in software development and cybersecurity, while others can be relatively new to coding and lack specialized skills. This diversity in technical ability can lead to unpredictable code quality.
Example: In January 2023, Nissan North America informed its customers of a data breach. The breach happened because of poor code quality, as the data embedded within the code was incorrectly stored in a cloud-based public repository.
“Namesake” packages from malicious actors
Risk explanation: This risk occurs when a hacker deliberately creates packages with names similar to the existing packages in open-source repositories. This can trick users into using these malicious packages to install a virus, such as ransomware, in their systems, which can turn your systems into a hostage until you pay a ransom.
Likelihood of risk occurrence: Moderate. The open nature of open-source repositories makes it possible for hackers to change the names of the packages.
Example: In 2022, a phishing campaign was discovered targeting Python package maintainers who upload their packages to the PyPI registry. The attackers were able to compromise the accounts of some maintainers who were tricked by the phishing emails. As a result, several Python packages, including 'exotel' and 'spam,' were found to contain malware.
For more information on the latest cybersecurity threats and trends, download the MSP Threat Report and stay ahead of the curve.
How to reduce open-source software security risks
You can reduce certain open-source software risks by following these best practices.
- Licensing/IP issues: MSPs should perform in-depth licensing reviews before integrating open-source components in their client’s project. They should ensure compliance with licensing terms and advise clients on using libraries with compatible licenses. They can also use automated tools like FOSSology for license detection and management to streamline this process.
- Unmaintained/outdated software: Creating a regular update schedule for open-source components can help track security advisories, monitor the health of projects, and replace unmaintained or outdated components with actively maintained alternatives.
- Publicly-available source code: Implement security best practices during the coding process, such as input validation and security-aware coding. Regular security assessments and penetration testing can identify vulnerabilities in the public source code and help prevent exploitation.
- Bad developer practices: MSPs can provide training and guidance to developers on secure coding practices. Training should emphasize the importance of proper authentication, and regular code reviews to prevent common security pitfalls.
If you need help addressing additional open-source software security risks, MSPs can turn to additional security tools and software solutions for support.
Cybersecurity solutions to protect open-source software
Open-source software has changed the way businesses build and deploy applications. However, the transparent nature of open-source projects also exposes them to inherent security risks. MSPs can counter these risks by using cybersecurity solutions tailored to protect open-source software. Some of the solutions they can use include:
- Endpoint detection and response (EDR) solutions monitor endpoints and detect anomalous activities like multiple failed login attempts.
- A security operations center (SOC) serves as a centralized hub for monitoring and managing security incidents in an organization’s network.
- Security information and event management (SIEM) solutions consolidate and analyze security data from diverse sources (e.g., application logs).
Despite the inherent risks involved, there will always be some clients who default to open-source platforms. This puts the onus on your MSP to provide the protection and oversight needed, and mitigating risk begins with implementing reliable cybersecurity solutions.
From EDR with 24/7 SOC support to SIEM, ConnectWise offers a comprehensive suite of cybersecurity management solutions to help MSPs monitor and respond to security threats. Register for a live demo to learn more about how best-in-class software can help jumpstart your cybersecurity practice.