There are many benefits to incorporating open source components into a program, and judicious use of such code bases can enable developers to focus on adding functionality rather than spending time rebuilding applications that already exist. Many development projects incorporate at least some portion of an open source library, but each use of community-developed code also raises new software security challenges.
A recent study by open source management software provider White Source found that 85 percent of all projects loaded into its service had some out-of-date open source components. In total, 14 percent of the open source libraries in use were out of date. By using outdated code bases, developers open their applications to potential vulnerabilities, even if their proprietary code is flawless. These vulnerabilities can be particularly dangerous, since open source libraries are readily available to hackers looking for exploits.
A 2012 study by Aspect Security noted that many of the most popular open source libraries contain known vulnerabilities that put applications at risk. In its analysis of 113 million software downloads from the Central Repository of 31 popular Java frameworks and security libraries, Aspect found 19.8 million, or 26 percent, of library downloads had vulnerabilities. Noting that many applications use as many as 30 or more libraries, the study suggested that as much as 80 percent of code could be compromised in some programs.
“While some vulnerabilities allow the complete takeover of the host using them, others might result in data loss or corruption, and still others might provide a bit of useful information to attackers,” the study said, according to Network World. “In most cases, the impact of a vulnerability depends greatly on how the library is used by the application.”
Strengthening open source implementation
While incorporating outdated and vulnerable open source code bases into a program can be a risk, avoiding it altogether is rarely an option for developers under tight constraints. To ensure open source code is secure, programmers should implement the most up-to-date version possible.
“Using the most updated open source version substantially reduces business and technical risks,” said White Source CEO Rami Sass. “Current versions fix crucial bugs, performance issues, and security vulnerabilities, and often contain additional functionality.”
While developers often assume that open source code bases are secure, they may also want to take the time to perform software security checks on this code themselves. Even if they have performed rigorous source code analysis on their own code, developers may uncover vulnerabilities in these libraries that put their entire program at risk. While the size of open source components – as well as their heavily scrutinized nature – may discourage thorough review, tools such as static analysis provide a way to quickly double-check the code and avoid common exploits.
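The two recommendations above, keeping components current and checking them rather than assuming they are safe, start with knowing what is actually in the build. The script below is an added illustration, not code from the article or from Klocwork or White Source: it reads the dependency list from a Maven-style pom.xml (the format the Java libraries in the Aspect study are distributed in), compares each version against the latest release, and checks it against an advisory feed with affected version ranges. The pom.xml, the "latest version" table and the advisories are all constructed inline, and the org.example artifacts and EXAMPLE-ADV identifiers are placeholders, not real projects or real vulnerabilities.

```python
"""Flag outdated and advisory-affected third-party dependencies.

Added example, not from the original article. The dependency list,
"latest release" table and advisory feed are constructed placeholders;
in practice they would come from the build file, the package repository
and a vulnerability database respectively.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: a Maven pom.xml fragment. Real POMs declare the
# default namespace shown here, so tag names must be matched by local name.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.example</groupId><artifactId>webframework</artifactId><version>2.3.1</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId><artifactId>crypto-utils</artifactId><version>1.0.0</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId><artifactId>json-parser</artifactId><version>4.2.0</version>
    </dependency>
  </dependencies>
</project>"""

# Constructed sample: latest published version per artifact (placeholder data).
LATEST = {
    "org.example:webframework": "2.5.0",
    "org.example:crypto-utils": "1.0.0",
    "org.example:json-parser": "4.2.0",
}

# Constructed sample advisories (placeholder ids); each affects the
# half-open range [introduced, fixed).
ADVISORIES = [
    {"id": "EXAMPLE-ADV-001", "artifact": "org.example:webframework",
     "introduced": "2.0.0", "fixed": "2.4.0"},
    {"id": "EXAMPLE-ADV-002", "artifact": "org.example:json-parser",
     "introduced": "4.0.0", "fixed": "4.1.5"},
]


def parse_version(v):
    """Turn '2.3.1' (or '4.2') into a comparable tuple padded to three parts."""
    parts = [int(p) for p in re.findall(r"\d+", v)]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def _local(tag):
    """Strip an XML namespace prefix such as '{http://...}dependency'."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def parse_pom_dependencies(pom_xml):
    """Return {'groupId:artifactId': version} for every <dependency> element."""
    root = ET.fromstring(pom_xml)
    deps = {}
    for elem in root.iter():
        if _local(elem.tag) == "dependency":
            key = f"{_child_text(elem, 'groupId')}:{_child_text(elem, 'artifactId')}"
            deps[key] = _child_text(elem, "version")
    return deps


def is_affected(version, advisory):
    """True when version lies in the advisory's [introduced, fixed) range."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def audit(deps, latest, advisories):
    """Return findings as (kind, artifact, detail); kind is 'outdated' or 'advisory'."""
    findings = []
    for artifact, version in sorted(deps.items()):
        if artifact in latest and parse_version(version) < parse_version(latest[artifact]):
            findings.append(("outdated", artifact, f"{version} -> {latest[artifact]}"))
        for adv in advisories:
            if adv["artifact"] == artifact and is_affected(version, adv):
                findings.append(("advisory", artifact,
                                 f"{version} affected by {adv['id']} (fixed in {adv['fixed']})"))
    return findings


if __name__ == "__main__":
    for kind, artifact, detail in audit(parse_pom_dependencies(SAMPLE_POM), LATEST, ADVISORIES):
        print(f"{kind:9} {artifact}: {detail}")
```

On the constructed data the script reports webframework twice: once as outdated and once because 2.3.1 falls inside the advisory range, while json-parser is current and sits past its advisory's fixed version, so it is silent. The half-open range check matters: a component at exactly the fixed version must not be flagged, and a component that is merely outdated is a different finding from one with a known advisory, since the former is a maintenance item and the latter needs an upgrade before release.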
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.