Open Source Software (OSS) is the backbone of today’s application architecture. By accelerating time to market and reducing the burden on often-overworked developers, open source has cemented its revolutionary position within the DevOps landscape. Though deeply transformative to the development of modern applications, open source copy and paste continues to represent a major security risk to organizations and individuals alike. Combating this demands either a total blacklist of open source code, or the proactive implementation of countermeasures such as a next-gen WAF solution.
Third Party Code Is Vital To App Development
Libraries are incredibly handy stashes of source code for web or mobile application components. These libraries can be open-source – available to everyone for no cost – or proprietary, which locks the code behind payment. Though open source claims a lot of the glory, proprietary code also plays a role in the continued functioning of enterprise applications.
This third party software, when used responsibly, prevents devs having to constantly reinvent the wheel. This drastically improves the efficiency of the development process, while aiding in the production of a high-quality final product. Ultimately, the free and liberal use of open source code creates a positive feedback loop, allowing devs to release their minimum viable product faster, which paves the way for rapid collection and implementation of user feedback and evaluation. Though devs are deeply aware of open source’s critical position within the DevOps process, executives are often surprised to learn that 80% of the code supporting modern applications originates from pre-existing code.
The Shadowy Danger of Transitive Dependencies
It’s not news that open source code comes with risk. Recent widespread weaknesses such as Log4j and HeartBleed irrevocably placed open source risk on the map. What remains a growing area of understanding is the sheer frequency with which open source is used, and the stealthiness with which vulnerabilities can sneak into an active project. Despite the ongoing risk presented by open source projects, very little research has been conducted into the specific type of risk that open source presents. Researchers from Endor Labs set out to change this by clarifying the origin of major OSS threats.
Within software, transitive dependencies describe a uniquely indirect relationship between two components. For instance, let’s say your dev team adds package B to an ongoing project. Package B, in turn, automatically downloads package C. In this scenario, while the developing software enjoys a direct relationship with package B, package C remains lurking in the background – integral but largely invisible. Frustrating any attempt at safer development practices is the fact that only 5% of open source software dependencies are manually selected for implementation within the DevOps process. In this manner, most dependencies simply get automatically pulled into the codebase. This describes the source of a transitive vulnerability. A recent report by Endor Labs found that an astonishing 95% of open source vulnerabilities originate from transitive dependencies.
The data was compiled from Core Infrastructure’s Census II report, which lists the most popular free open-source software. This data was then enriched with other sources that allowed Endor researchers to scan popular package managers and OSS libraries. The researchers discovered that – out of 254 packages mentioned in the Census II data – most suffer from an average of 14 transitive dependencies. In a vacuum, 14 may not appear shockingly high, but most applications rely on dozens – if not hundreds – of direct dependencies; their transitive counterparts scale exponentially.
The major concern voiced by researchers is based in the industry’s widespread underestimation of the problem. Executives continue to undermine the amount of source code in use within the development process – transitive dependencies are not yet even on the radar. The sheer depth of security issues continue to lurk below the surface, increasing the blast radius of typosquatting and remote code execution attacks. If the constant reuse of open source code is to fully live up to its potential, security needs to become a higher priority within the DevOps process.
How to Protect Against Lurking Vulnerabilities
The process of maintaining a secure tech stack has never been more complex. With patch alerts rapidly becoming overwhelming, it’s time for enterprise security to prioritize automated, patchless protection. Traditional measures that prioritize perimeter security alongside static and dynamic analysis rely on manual updates, meaning there is no protection against zero-days. The backdoor code that attackers used within the infamous SolarWinds attack was not detected by any static analysis, as there were technically no errors.
Identifying and blocking attempted exploitation requires a small suite of interlocking software. To first help define and protect the perimeter of an application, a next-gen Web Application Firewall (WAF) can be deployed. Sitting at the boundary between external and internal, the WAF monitors all traffic flowing to and from an application. The next-gen aspect enables this WAF to automatically adapt and implement new policies. The automated deployment of this constant evolution frees up significant time and energy for the security team that an old school WAF would otherwise drain.
While WAF keeps a handle on any external attempts to execute code, Runtime Application Self Protection (RASP) protects against internal weaknesses and code injections. This level of protection evaluates all payloads (such as SQL queries and operating system commands) in real time. This process does not require signatures or a learning phase, and takes place entirely within the application context. As this operates within the application, it covers almost all contexts. This means that, even if an exploit allows for the perimeter to be breached, an attacker is prevented from moving laterally, as any suspicious application behavior triggers a RASP shutdown. This terminates the suspicious activity and alert security teams. In this way, RASP is complementary to a next-gen WAF; while the WAF helps keep the bad traffic out, the risk posed by lurking, transitive exploits is mitigated by RASP. With these components protecting a tech stack, the burden that OSS currently places upon security is lightened significantly.