By Indusface Research Team

The open source community influences our lives in more ways than we think. It is believed that such programs power more than 60% of the total websites available today, a figure that’ll grow in the coming years.

Although open source development might look like a new trend in which programmers give away source code for the greater good, the practice has existed since long before the days of the internet.

But clearly, the internet built never-seen-before communication channels across the world, inviting everyone with skill and knowledge to be a part of its creation.

Why Does Everyone Love Open Source?

From the consumers’ point of view, it is the perfect way to get functional and useful programs that would otherwise cost a lot in yearly licensing fees. Take, for example, the difference between Microsoft Office and its open source alternative, Open Office.

On the other hand, organizations, businesses, and governments are increasingly opening up to open source applications for diversity, simplified solutions, and cost efficiency. While the general understanding does not go beyond server-based applications like MySQL and Apache, there is a huge world of available options.

Industry experts say that the Open Source Era has huge potential to grow from a business point of view and that it will soon be powering almost every big company by the end of this year. Powered by cloud, SaaS, and mobile, organizations will find it easier to work on pre-existing code and mould it to their requirements rather than starting from scratch.

Wendy Nather, from 451 Research, talks of open source as a building material. She says that it provides a competitive edge to enterprises that want to bring blocks together using the cloud, in the form of Platform-as-a-Service (PaaS) and Infrastructure-as-a-Service (IaaS), without spending a fortune on licenses for a myriad of web applications.

Open Source Security Concerns

Although there is no doubt that open source web applications are efficient and economical, organizations cannot shy away from the fact that such applications come with a myriad of vulnerabilities that often go unnoticed. Further, in the absence of a license and service level agreement, support, updates, maintenance and usage documentation are minimal.

  • Multiple vulnerability issues
  • No update or patch guarantee
  • Minimal support
  • Absent SLA

In practice, companies pick chunks of code from open source projects and then adapt the application for the desired functionality, which leaves room for several loopholes when not backed by proper auditing. In fact, the Open Web Application Security Project (OWASP) Top 10 list has a dedicated entry for it, named ‘Using Components with Known Vulnerabilities’, which perfectly covers the open source exploitation risks.

Though enterprises think that input from several developers equals better security, known vulnerabilities in popular applications will make them reconsider that perception.

Apache Tomcat and Apache Hadoop are known offenders for log forging and cross-site scripting. Similarly, Zen Cart, WordPress, and phpMyAdmin have also had frequent cross-site scripting issues in the past.

At the same time, it is not easy to find vulnerabilities in open source projects because of their shared nature. Both in-house and open source coders are more interested in fixing UI and UX bugs, given their inclination towards improving the functionality of apps rather than digging deep into security. Additionally, with shorter turnaround times and frequent changes, things don’t get any easier.

3 Ways to Secure Open Source Usage

Insecure web applications can have catastrophic effects, not just in terms of money but also on business processes and brand image. News of exploitation and data breaches goes viral, making prospects and customers question the entire security structure of an organization.

So, what is the solution then? One option is to restrict open source code usage entirely, but given that this is not very practical, businesses and governments should instead work hard on their open source acceptance and management policies. Developing a strong open source usage policy backed by application security testing is the only viable solution, as explained in the following points.

1) Identify Vulnerabilities

Whether you have built an entirely new application or have used unknown components in it, a web application scanner (WAS) can prove handy for highlighting vulnerabilities. It is basically an automated tool that looks for security loopholes and reports them to the admin.

In fact, security vendors also provide more advanced options backed by human intelligence to test the application manually. This is called dynamic application security testing (DAST) and is specifically designed to audit web applications with real-attacker-like actions. Such services may also include detection of business logic vulnerabilities within the app, which cannot be found by automated tools.

2) Define Adoption Policies

Organizations of all sizes should work on policies that can define adoption and usage of open source web applications and their components. It takes management and development teams’ inputs and strong adherence to ensure that rules are followed at every level of the organization.

Further, to make sure that such policies do not slow down the development process, build every step into the process itself. You can even make a list of approved component sources and keep track of them throughout the complete development cycle.

3) Patch Proactively

Finding vulnerabilities is simply knowing your risks. It will in no way make you secure unless you code the patches for them. However, developing patches remains a major thorn in the side for most companies: our research shows that organizations take more than 30 days on average to develop a patch for a single reported vulnerability. During this period, websites remain open to data breaches, defacement, manipulation, resource misuse, and other kinds of threats.

Understandably, businesses have other important matters to look after, rather than sending every developer into a bug-fix race.

A much smarter policy would be to patch vulnerabilities virtually, in real time, with a web application firewall (WAF). It is different from network-layer firewalls and has been specially designed to shield vulnerabilities from attacks without any code changes.

Organizations have accepted it as the next layer of defense, which, when fully managed by security analysts, can even address business logic flaws and limit attacks on the basis of acceptable-user-behavior policies.
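The three steps above boil down to an inventory check that can run on every build: flag components that did not come from an approved source (step 2), flag components with a known-vulnerable version (step 1), and mark those whose fix has been available for longer than the 30-day window the article quotes, so the virtual patch in step 3 is known to be overdue. The script below is an added illustration, not Indusface code; the component names, sources and advisory entries are constructed, and it assumes plain dotted numeric version strings.

```python
from datetime import date

# Constructed sample inventory of components an application pulls in,
# with the source each was obtained from (all names and values hypothetical).
INVENTORY = [
    {"name": "libfoo", "version": "1.2.0", "source": "registry.example.org"},
    {"name": "libbar", "version": "0.9.1", "source": "gist.example.net"},
    {"name": "libbaz", "version": "2.4.5", "source": "registry.example.org"},
]

# Policy inputs: the approved component sources and a constructed advisory
# list (versions below fixed_in are affected; disclosed is the advisory date).
APPROVED_SOURCES = {"registry.example.org"}
ADVISORIES = [
    {"name": "libfoo", "fixed_in": "1.2.3", "disclosed": date(2015, 1, 5)},
    {"name": "libbaz", "fixed_in": "2.4.0", "disclosed": date(2014, 12, 1)},
]
PATCH_SLA_DAYS = 30  # the 30-day patch window quoted in the article


def parse_version(version):
    """Turn '1.2.3' into (1, 2, 3) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def audit(inventory, approved_sources, advisories, today, sla_days=PATCH_SLA_DAYS):
    """Return (component, finding, detail) tuples for every policy violation."""
    by_name = {}
    for adv in advisories:
        by_name.setdefault(adv["name"], []).append(adv)

    findings = []
    for comp in inventory:
        # Step 2: only components from approved sources are allowed.
        if comp["source"] not in approved_sources:
            findings.append((comp["name"], "unapproved-source", comp["source"]))
        # Step 1: any version below the fixed version is known-vulnerable.
        for adv in by_name.get(comp["name"], []):
            if parse_version(comp["version"]) < parse_version(adv["fixed_in"]):
                age = (today - adv["disclosed"]).days
                # Step 3: past the SLA window the fix is overdue and needs
                # a virtual patch (e.g. a WAF rule) until the upgrade lands.
                status = "vulnerable-overdue" if age > sla_days else "vulnerable"
                findings.append((comp["name"], status, f"upgrade to {adv['fixed_in']}"))
    return findings


if __name__ == "__main__":
    for finding in audit(INVENTORY, APPROVED_SOURCES, ADVISORIES, date(2015, 2, 20)):
        print(*finding)
```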

Conclusion: Open Source Smartly

In the years to come, open source web application components are expected to save organisations across the world billions. Open source has undeniably become synonymous with efficiency and adaptability, but only when the risks are evaluated and managed intelligently. Open source security ultimately depends on the steps you take to protect the application structure from vulnerabilities, and on the ability to mitigate attack attempts when those vulnerabilities cannot be patched immediately.

Founder & Chief Marketing Officer, Indusface

Venky has played multiple roles within Indusface for the past 6 years. Prior to this, as the CTO @indusface, Venky built the product/service offering and technology team from scratch, and grew it from ideation to getting initial customers with a proven/validated business model poised for scale. Before joining Indusface, Venky had 10+ years of experience in security industry and had held various mgmt/leadership roles in Product Development, Professional Services and Sales @Entrust.