IT and cybersecurity teams put in months of effort after the Apache Log4j exploit a few years back. Countless organizations that rely on the software are still in the process of updating their systems, despite the Apache Software Foundation releasing a patch just days after the bug’s discovery. While the widespread use of the Java logging library has led to security risks for innumerable organizations, its popularity means that it has a support team dedicated to consistent updates. Resolving the security issue required a tremendous round-the-clock effort from a small group of the foundation’s volunteer developers. However, many other open-source projects aren’t as lucky.
Around 90% of organizations and software products use open-source components, but far too many of these depend on legacy solutions that no longer have development activity. According to a Contrast Security study from 2021, less than 10% of the average application’s code uses active open-source libraries. This is extremely concerning since the field of cybersecurity is rapidly evolving to deal with new and increasingly complex threats. But what is open-source code, why is it risky and what can organizations do to mitigate potential threats?
What does open-source mean?
Open-source software consists of projects whose source code is publicly accessible, allowing anyone to inspect, alter, enhance and distribute it as they see fit. Its decentralized development enables collaborative production and relies on community peer review, making it a cheaper option for many organizations. However, using these components comes with a plethora of security risks that organizations must address.
Problems with open-source software
Since open-source software relies on contributions from volunteer developers, and its distribution is largely unregulated, it comes with a wide range of security risks. Here are a few of the primary threats posed by using open-source software:
Exploits are public knowledge
While researchers were quick to detect the Log4j bug and privately report it to Apache, it still spilled into public view when Minecraft announced that players had been using the exploit to gain control of other computers. Public disclosures can be helpful to developers; however, they also present hackers with a new opportunity to attack before organizations can respond. To deal with this gap, organizations must continuously monitor their open-source components and keep them up-to-date as new security patches come out.
No legal obligations
More often than not, open-source software comes as-is, with no claims or legal obligations in terms of security. The communal nature and public availability of these projects also mean that they usually carry a plethora of disclaimers about indemnity and liability. According to the National Law Review, some open-source software licenses require that if organizations distribute the software or its components, they take on the legal obligations and liabilities.
There are hundreds of license types that can be applied to open-source software, and many of these are incompatible with one another. The more open-source components you use, the more complex it becomes to manage, especially considering the frequency with which companies develop and release software. Noncompliance with the terms of each license also puts your organization at risk of legal consequences, potentially damaging its reputation and financial security.
Intellectual property infringement
Using open-source components can lead to proprietary code becoming publicly available as these projects lack the commercial control that organizations typically have. Some licenses even include what’s called a “copyleft” clause; these terms stipulate that developers publicly release any software or source code created with open-source components. This can lead to potential infringement issues and monetary losses, as in the real-world case of SCO versus IBM.
IT and development teams often have insufficient review processes and visibility when it comes to using open-source components. For example, components might have conflicting functionality or licensing terms that can be difficult to reconcile. Individual teams might also be using different versions of the same component by accident, impeding efficient development. Whereas proprietary software can prevent the use of incompatible or outdated versions through built-in controls, open-source components usually rely on user verification for proper integration.
As we’re seeing with the Log4j exploit, one of the primary risks in using open-source software is that it can be exceedingly difficult to track and update these components as the latest security patches become available. This can cause massive and sometimes detrimental operational inefficiencies, especially for zero-day exploits like the Log4j bug. Organizations must continually monitor their open-source inventories across all development teams to ensure that each system is up to date.
Additionally, many open-source projects are eventually abandoned as use dwindles and community interest declines. When this happens, an organization’s developers become responsible for fixing all future vulnerabilities, straining the already time-crunched teams.
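The three checks described above (the same component pinned at different versions by different teams, components still inside a known-vulnerable version range, and components whose upstream has gone quiet) can be run over a dependency inventory. The following is an added example, not code from the original post or from Inventu; the inventory, advisory ranges and release dates in it are constructed for illustration.

```python
"""Audit a constructed multi-team open-source inventory for version
divergence, known-vulnerable versions, and signs of upstream abandonment.
All data below is constructed; it does not describe real projects."""
from datetime import date

def parse_version(v):
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))

def divergent_versions(inventory):
    """Components that different teams pin at different versions."""
    seen = {}
    for comps in inventory.values():
        for name, version in comps.items():
            seen.setdefault(name, set()).add(version)
    return {n: sorted(vs, key=parse_version) for n, vs in seen.items() if len(vs) > 1}

def vulnerable_components(inventory, advisories):
    """(team, component, version) triples inside an advisory's affected range.
    advisories: {component: (first_affected, first_fixed)}; first_fixed is exclusive."""
    hits = []
    for team, comps in inventory.items():
        for name, version in comps.items():
            if name in advisories:
                lo, hi = advisories[name]
                if parse_version(lo) <= parse_version(version) < parse_version(hi):
                    hits.append((team, name, version))
    return sorted(hits)

def stale_components(last_release, today, max_age_days=730):
    """Components with no upstream release within max_age_days (abandonment signal)."""
    return sorted(n for n, d in last_release.items() if (today - d).days > max_age_days)

# Constructed sample data (hypothetical component names and dates).
INVENTORY = {
    "payments": {"logging-lib": "2.14.1", "json-lib": "1.4.0"},
    "reporting": {"logging-lib": "2.17.2", "json-lib": "1.4.0", "old-xml-lib": "0.9.3"},
}
ADVISORIES = {"logging-lib": ("2.0.0", "2.17.1")}  # affected: >= 2.0.0 and < 2.17.1
LAST_RELEASE = {"logging-lib": date(2024, 3, 1), "json-lib": date(2023, 9, 10),
                "old-xml-lib": date(2019, 5, 2)}
TODAY = date(2025, 1, 1)  # fixed "today" so the run is reproducible offline

if __name__ == "__main__":
    print("divergent:", divergent_versions(INVENTORY))
    print("vulnerable:", vulnerable_components(INVENTORY, ADVISORIES))
    print("stale:", stale_components(LAST_RELEASE, TODAY))
```

In practice the inventory would be generated from each team's lock files or an SBOM, and the advisory ranges pulled from a vulnerability feed rather than typed by hand.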
How can you defend your organization from these risks?
While open-source software and components come with an increased potential for security breaches, they are still vital to continual technological advancement. However, there are many proprietary tools that companies can use to mitigate these risks. That’s where Inventu comes in. Inventu offers a terminal emulation tool that can eliminate reliance on open-source software like Java to help bolster your organization’s cybersecurity.
Here at the Inventu Corporation, we equip organizations of all sizes with a revolutionary web terminal emulation tool called Inventu Viewer+, a high-performance emulation solution that is built with C at its core.
Inventu Viewer+ replaces a product we authored and hold the copyright to, Flynet Viewer. Flynet Viewer is now over five years out of date, but for some reason Flynet LTD of the UK is still charging customers to install it! They can’t license it to customers because Inventu owns the product and the source while maintaining the licensing infrastructure. Flynet provides its paying customers with temporary evaluation keys!