All things being equal, it's easy to see why open source software remains a wellspring of application development, and why it is still so widely used in the IT infrastructure of organizations across many industries. Developers building with Java and other languages whose toolchains and libraries are open source can share the fruits of their labor with peers all over the globe, and software companies have a base of material they can build on to create their own products.
"The use of open source software can create considerable risks for any organization."
But at this point it's impossible to deny that some open source components are immensely vulnerable to unauthorized access and manipulation, and while the Java ecosystem isn't the only one exposed to this risk, it's almost certainly the most high-profile one with such a problematic pedigree. The 2017 breach of the credit bureau Equifax, accomplished by exploiting an unpatched vulnerability in Apache Struts, a Java web application framework, remains the most prominent Java-related security failure. (According to CSO, Equifax recently agreed to a $700 million settlement over the hack, which compromised the personal information of 147 million individuals.)
Taking stock of the full extent of open source software's risks, whether in Java-based products or those built with any other open source code, is essential for any organization planning to begin a legacy application modernization initiative in the near future.
Open source breaches rising in the late 2010s
Sonatype, a DevOps automation firm, recently released its fifth annual State of the Software Supply Chain report, examining how open source programs and applications are created and consumed around the world. Several of its findings should trouble any business using open source components: 25% of the companies Sonatype surveyed reported a confirmed or suspected breach related to their open source software between 2018 and 2019, and from 2014 to this year the overall rate of such breach incidents rose by 71%.
These accounts of increased security risk come as the overall supply of open source components has grown rapidly, increasing by about 75% between 2017 and 2019, per Sonatype's data. (Java alone saw an 81% jump in that period, the largest of any ecosystem covered by the report.) Year over year between 2018 and 2019, downloads from the Central Repository, the main public repository from which Maven and other build tools fetch Java components, rose by 68%.
In fairness, Sonatype's report also found evidence that organizational leaders have begun to recognize the gravity of open source risk and act accordingly, managing their software supply chains with greater care and due diligence. Sonatype CEO Wayne Jackson said as much in a statement accompanying the report's release, according to ITWeb.
"For organizations that tame their software supply chains through better supplier choices, component selection and use of automation, the rewards revealed in this year's report are impressive," Jackson explained. "[The] use of known vulnerable component releases was reduced by 55%." Specifically, Jackson was referring to a reduction in the use of component versions with publicly known vulnerabilities, the pieces of open source code most likely to be compromised.
Are some underplaying the gravity of the situation?
The issue of open source software use is a multifaceted one, and when looked at in aggregate, there are more indicators of people and organizations not taking the security risks of open source components as seriously as they should. From the beginning of 2015 to the end of 2018, the share of Java component downloads that carried known vulnerabilities rose from 6.1% to 12.1%.
While 2019 has (thus far) seen that figure dwindle to approximately 10.3%, it still points to a good deal of risky behavior by development teams at many companies. Even for components with widely publicized flaws, such as the Apache Struts versions that allowed Equifax to be compromised, many individuals and organizations kept downloading vulnerable releases long after fixed versions were available.
Struts was downloaded 21 million times between January and November 2018, according to NextGov, even though the Equifax breach had been in the news for months by then. More alarmingly still, the Apache Struts project had published its advisory and fixed releases for the flaw in March 2017, roughly two months before the intrusion at Equifax began.
Although there is evidence that many organizations understand how problematic Java components become when left unpatched, especially when IT staff don't update Java-based systems regularly, a major, industry-wide change in the use of unsafe Java components has yet to occur in any sector. Sonatype's numbers make this clear.
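The Sonatype figures above come down to one question a practitioner can ask of any build: does it resolve a component version that falls inside a published vulnerable range? The following is an added example, not code from Sonatype's report or from any tool mentioned on this page, written in Python so it runs without a Java toolchain. It parses a constructed sample of `mvn dependency:list` output and compares each resolved version against a hand-entered advisory table; the Struts entry mirrors the public fix versions for CVE-2017-5638 (2.3.32 and 2.5.10.1), but in practice the table would be fed from a vulnerability database rather than typed in.

```python
"""Check a Maven dependency listing against known-vulnerable version ranges."""
import re

# Constructed sample of `mvn dependency:list` output (not real build output).
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.struts:struts2-core:jar:2.5.10:compile
[INFO]    org.apache.struts:struts2-core:jar:2.3.32:compile
[INFO]    junit:junit:jar:4.12:test
[INFO]    org.apache.tomcat.embed:tomcat-embed-core:jar:9.0.30:compile
"""

# Hand-entered advisory data for illustration only. The Struts ranges mirror
# the public advisory for CVE-2017-5638 (the Equifax flaw), fixed in 2.3.32
# and 2.5.10.1; a real pipeline pulls this table from a vulnerability feed.
# Each entry: (advisory id, first affected version, first fixed version).
ADVISORIES = {
    "org.apache.struts:struts2-core": [
        ("CVE-2017-5638", "2.3.5", "2.3.32"),
        ("CVE-2017-5638", "2.5", "2.5.10.1"),
    ],
}

# groupId:artifactId:type:version:scope (classifier lines are not modelled)
DEP_LINE = re.compile(
    r"^\[INFO\]\s+(?P<group>[^:\s]+):(?P<artifact>[^:\s]+):[^:\s]+:"
    r"(?P<version>[^:\s]+):(?P<scope>\w+)\s*$"
)


def version_key(version):
    """Sortable key for dotted versions such as 2.5.10.1.

    Numeric segments compare as integers, so 2.5.2 sorts before 2.5.10
    (a plain string comparison would get that wrong). Pre-release
    qualifiers (-rc1, -SNAPSHOT) are not ordered by Maven's full rules;
    that is a deliberate simplification of this example.
    """
    key = []
    for part in re.split(r"[.\-]", version):
        if part.isdigit():
            key.append((1, int(part), ""))
        else:
            key.append((0, 0, part.lower()))
    return key


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed under version_key ordering."""
    return version_key(introduced) <= version_key(version) < version_key(fixed)


def parse_dependency_list(text):
    """Extract (groupId:artifactId, version, scope) tuples from dependency:list output."""
    deps = []
    for line in text.splitlines():
        match = DEP_LINE.match(line)
        if match:
            deps.append((f"{match['group']}:{match['artifact']}",
                         match["version"], match["scope"]))
    return deps


def find_vulnerable(text, advisories=ADVISORIES):
    """Return (coordinate, version, advisory, first fixed version) for each hit."""
    hits = []
    for coordinate, version, _scope in parse_dependency_list(text):
        for advisory, introduced, fixed in advisories.get(coordinate, []):
            if is_affected(version, introduced, fixed):
                hits.append((coordinate, version, advisory, fixed))
    return hits


if __name__ == "__main__":
    for coordinate, version, advisory, fixed in find_vulnerable(SAMPLE_DEPENDENCY_LIST):
        print(f"{coordinate}:{version} is affected by {advisory}; upgrade to {fixed} or later")
```

Run against the sample, the script reports the 2.5.10 release as affected while the 2.3.32 release passes. To use it on a real project, capture the output of `mvn dependency:list` and pass it to `find_vulnerable`; for production scanning, rely on a tool that implements Maven's complete version ordering and a maintained advisory feed.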
Being vigilant about flaws in Java-based applications
According to an archived InfoWorld piece, almost 50% of the applications used by enterprises around the world between 1999 and 2014 were written at least partly in Java. Even with the language's risks now acknowledged (and addressed) to some degree, the sheer scope of Java's footprint means that 2014 figure has likely decreased only slightly at best, and more likely stayed flat or even grown.
So what can you do? In the long run, your organization will most likely be best served by a large-scale overhaul of its legacy applications. If that isn't feasible in the short term, a number of widely used Java-based tools have a longer track record of published vulnerabilities than others, and according to UpGuard these should be the first focus of any cybersecurity initiative. They are as follows:
- JUnit: Since most Java developers have this unit-testing framework in their toolkits, it's important to keep watch on it. UpGuard warns that JUnit files bundled with other applications are an easy target, and test-scope dependencies still run on developer machines and CI servers, so keep JUnit on a current release like any runtime dependency.
- Jenkins: This CI server has a long history of denial-of-service, cross-site request forgery and cross-site scripting (XSS) vulnerabilities, many of them in its plugins, that bite users who don't keep it updated. It's arguably undone by its sheer popularity.
- Maven: Given this Apache build tool's central role in countless Java projects, it's an obvious target. Maven 3.0.4 and earlier shipped with a default configuration that did not verify the repository server's TLS certificate, so an attacker on the network path could impersonate a known repository and substitute tampered artifacts in a man-in-the-middle attack.
- Tomcat: A string of XSS and CSRF vulnerabilities in this application server and servlet container, several of them in its bundled Manager and example web applications, have given attackers footholds in organizations' systems.
- Hibernate: According to UpGuard this ORM framework has only one major vulnerability, but it's a big one: a flaw that lets an attacker bypass the restrictions of the Java Security Manager.
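The Maven item above is really about transport security: if a build fetches artifacts over plain HTTP, or with certificate checks turned off, anyone on the path can serve a substituted jar. The following is an added example, not UpGuard's or the Maven project's own code, that audits a constructed pom.xml and settings.xml for repository and mirror URLs that start with http:// and scans a constructed MAVEN_OPTS string for the Maven Wagon properties that disable TLS verification (maven.wagon.http.ssl.insecure, maven.wagon.http.ssl.allowall and maven.wagon.http.ssl.ignore.validity.dates). The file contents and host names are made up for illustration; the property names are the real ones.

```python
"""Audit Maven configuration for plaintext repositories and disabled TLS checks."""
import xml.etree.ElementTree as ET

# Constructed pom.xml for illustration (hosts and coordinates are made up).
SAMPLE_POM = """\
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>legacy-app</artifactId>
  <version>1.0</version>
  <repositories>
    <repository>
      <id>internal-legacy</id>
      <url>http://repo.internal.example/maven2</url>
    </repository>
    <repository>
      <id>central</id>
      <url>https://repo.maven.apache.org/maven2</url>
    </repository>
  </repositories>
  <pluginRepositories>
    <pluginRepository>
      <id>old-plugins</id>
      <url>http://plugins.example.org/maven2</url>
    </pluginRepository>
  </pluginRepositories>
</project>
"""

# Constructed settings.xml: a mirror of central served over plain HTTP.
SAMPLE_SETTINGS = """\
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <mirrors>
    <mirror>
      <id>corp-proxy</id>
      <mirrorOf>central</mirrorOf>
      <url>http://nexus.corp.example/repository/maven-public</url>
    </mirror>
  </mirrors>
</settings>
"""

# Constructed MAVEN_OPTS value; these are real Maven Wagon property names.
SAMPLE_MAVEN_OPTS = ("-Xmx1g -Dmaven.wagon.http.ssl.insecure=true "
                     "-Dmaven.wagon.http.ssl.allowall=true")

INSECURE_TLS_PROPERTIES = (
    "maven.wagon.http.ssl.insecure",              # skip certificate validation
    "maven.wagon.http.ssl.allowall",              # accept any hostname
    "maven.wagon.http.ssl.ignore.validity.dates", # accept expired certificates
)

# Elements that carry a <url> Maven will download from.
REPOSITORY_ELEMENTS = ("repository", "pluginRepository", "mirror", "snapshotRepository")


def _local(tag):
    """Strip the XML namespace so POM and settings elements match by local name."""
    return tag.rsplit("}", 1)[-1]


def find_plaintext_repositories(xml_text):
    """Return (element, id, url) for every repository or mirror using http://."""
    findings = []
    for element in ET.fromstring(xml_text).iter():
        if _local(element.tag) not in REPOSITORY_ELEMENTS:
            continue
        repo_id = url = None
        for child in element:
            if _local(child.tag) == "id":
                repo_id = (child.text or "").strip()
            elif _local(child.tag) == "url":
                url = (child.text or "").strip()
        if url and url.lower().startswith("http://"):
            findings.append((_local(element.tag), repo_id, url))
    return findings


def find_disabled_tls_checks(maven_opts):
    """Return the names of TLS-weakening -D properties set to true in MAVEN_OPTS."""
    flagged = []
    for token in maven_opts.split():
        if token.startswith("-D") and "=" in token:
            name, value = token[2:].split("=", 1)
            if name in INSECURE_TLS_PROPERTIES and value.lower() == "true":
                flagged.append(name)
    return flagged


if __name__ == "__main__":
    for source in (SAMPLE_POM, SAMPLE_SETTINGS):
        for element, repo_id, url in find_plaintext_repositories(source):
            print(f"plaintext {element} '{repo_id}': {url}")
    for name in find_disabled_tls_checks(SAMPLE_MAVEN_OPTS):
        print(f"TLS verification weakened by -D{name}=true")
```

Both checks are cheap enough to run in CI before the build starts, reading the project's pom.xml, the user's ~/.m2/settings.xml and the MAVEN_OPTS environment variable. Maven 3.8.1 and later block external HTTP repositories by default, so the plaintext-URL check matters most for the older Maven versions that legacy projects tend to pin.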
Managing all of these issues on a day-to-day basis will only take you so far – and that's where the modernization that Inventu can offer comes in.