A 2019 survey by Synopsys found that 96% of the 1100 codebases it scanned included open-source components. These components come with some unique issues that could be putting your system at risk, particularly if you’re unaware of their presence.
In this article, you’ll learn some considerations for using open-source components. You’ll also learn how to secure your components and minimize your risks.
Considerations for Using Open-Source
Organizations and developers choose to use open-source code for many reasons. These components can provide the flexibility that is unavailable with proprietary components. Open-source can also provide a foundation on which projects and systems can be more quickly constructed.
Unfortunately, you have limited control over whether or not open-source code is included in your systems. This doesn’t mean you can’t choose which open-source code to include. Weigh the following risks and benefits to help you choose wisely.
Risks of Using Open-Source
- No dedicated support—open-source support is typically unofficial, and no one is obligated to assist you. You can ask the community for help, but that help is neither round-the-clock nor contractual.
- Risk of liability—you can’t hold the open-source community liable for vulnerabilities or legal concerns, and community contributions may include proprietary code that was used without permission.
- Manual patching and updating—you are responsible for managing patches and checking for updates, which requires tracking the components and versions you use.
- Lack of consistency—coding practices may be inconsistent and difficult to evaluate, and there is no guarantee that a project will continue to be updated or supported.
Benefits of Using Open-Source
- No vendor lock-in—open-source is portable and contract-free. You can change tools or environments at any time.
- Customizable—open-source can be used as a base for your own projects. With it, you can more easily integrate and modify functionality for your own needs.
- Community-based—the code is checked by contributors with a range of expertise and experience. This can lead to greater innovation and faster development times.
- Transparency—the open-source code is freely available for examination. Vulnerabilities, development interests, and progress are public knowledge.
- Lower cost—open-source is free to use. Costs for open-source components come in the form of configuration, maintenance, and modification time.
Securing Your Components
You cannot easily avoid the use of open-source components or tools that include them. Your best option is to focus on securing these components to ensure they don’t put the rest of your system at risk.
Track Your Components
Tracking the open-source components you are using is vital to reducing your risk. Patches to open-source code aren’t pushed to you. This means your components will only be protected if you make sure they are up to date. Tracking components allows you to quickly locate and update versions across your system.
Third-party tools, some of which are open-source, are available to help you track your components. Some tracking tools can notify you when updates, licensing issues, or new vulnerabilities are discovered.
Use Vulnerability Resources
Several organizations evaluate and report on vulnerabilities in open-source components. Additionally, the communities producing open-source components can often provide information on securing components.
The National Vulnerability Database (NVD) provides information on vulnerabilities, organized by Common Vulnerabilities and Exposures (CVE) number. A CVE is a unique identifier for a publicly reported vulnerability. NVD listings include impact information, references to advisories, solutions and tools, and a list of affected configurations.
The Open Web Application Security Project (OWASP) provides guidelines and tools for evaluating components. Its OWASP Top 10 list of vulnerabilities is a well-established resource that covers best practices for securing systems and for identifying vulnerabilities that can be addressed with secure coding practices.
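As an added example (not from the article), the check below matches a component inventory against CVE records that carry the affected-configuration version ranges an NVD listing provides, and ranks hits by impact score. The records, product names, CVE ids, scores and URLs are constructed placeholders, and the dotted-integer version comparison is an assumption of the example.

```python
from dataclasses import dataclass
from typing import Optional

def parse_version(v):
    """'2.14.1' -> (2, 14, 1): compare numerically, so 2.9 < 2.14 (assumes dotted ints)."""
    return tuple(int(part) for part in v.split("."))

@dataclass
class AffectedRange:
    """One affected configuration, after NVD's versionStartIncluding / versionEndExcluding."""
    product: str
    start_incl: Optional[str] = None
    end_excl: Optional[str] = None

    def matches(self, name, version):
        if name != self.product:
            return False
        v = parse_version(version)
        if self.start_incl and v < parse_version(self.start_incl):
            return False
        if self.end_excl and v >= parse_version(self.end_excl):
            return False
        return True

# Constructed records with placeholder ids, scores, products and URLs, shaped
# like an NVD listing: id, CVSS base score, affected ranges, references.
CVE_RECORDS = [
    {"id": "CVE-0000-0001", "score": 9.8,
     "affected": [AffectedRange("log-utils", "2.0.0", "2.15.0")],
     "references": ["https://advisory.example/0001"]},
    {"id": "CVE-0000-0002", "score": 5.3,
     "affected": [AffectedRange("yaml-parse", None, "5.4.0")],
     "references": ["https://advisory.example/0002"]},
]

def find_vulnerable(inventory, records=CVE_RECORDS):
    """Return (component, version, cve_id, score) per matching record, highest impact first."""
    hits = []
    for name, version in inventory:
        for rec in records:
            if any(r.matches(name, version) for r in rec["affected"]):
                hits.append((name, version, rec["id"], rec["score"]))
    return sorted(hits, key=lambda h: -h[3])

if __name__ == "__main__":
    inventory = [("log-utils", "2.14.1"), ("log-utils", "2.15.0"),   # constructed inventory
                 ("yaml-parse", "5.3.1"), ("http-kit", "1.0.0")]
    for name, version, cve, score in find_vulnerable(inventory):
        print(f"{name} {version}: {cve} (CVSS {score})")
```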
Take Care with Licensing
Open-source code can fall under a variety of licenses, each with different terms and conditions. A license is what turns code that has merely been posted publicly into an open-source component you are permitted to use.
There are two main categories of licenses, copyleft and permissive. Permissive licenses allow free use, modification, and redistribution, including in proprietary works. Copyleft licenses allow the same freedoms, provided that derivative works are also released as open-source.
When using open-source components, tools, or platforms, you need to verify the license they come with and make sure you are using them within its restrictions. Failure to do so leaves you open to legal liability.
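An added example, not part of the article, of the license check described above: it classifies each component's declared SPDX license expression as permissive or copyleft and lists what must be resolved before a proprietary release. The inventory and the two license tables are constructed samples, and the expression handling is deliberately limited to flat AND/OR expressions.

```python
# SPDX identifiers grouped into the article's two categories (extend for your own policy).
PERMISSIVE = {"MIT", "ISC", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0"}
COPYLEFT = {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only",
            "GPL-3.0-or-later", "AGPL-3.0-only"}

def classify(expression):
    """Return 'permissive', 'copyleft' or 'unknown' for a flat SPDX expression.
    Parentheses are not handled; anything unrecognised is 'unknown', never approved."""
    expr = expression.strip()
    if " OR " in expr:    # the licensee may choose either side: least restrictive wins
        parts = {classify(p) for p in expr.split(" OR ")}
        return "permissive" if "permissive" in parts else "unknown" if "unknown" in parts else "copyleft"
    if " AND " in expr:   # every term applies: most restrictive wins
        parts = {classify(p) for p in expr.split(" AND ")}
        return "copyleft" if "copyleft" in parts else "unknown" if "unknown" in parts else "permissive"
    if expr in PERMISSIVE:
        return "permissive"
    if expr in COPYLEFT:
        return "copyleft"
    return "unknown"

def license_findings(inventory, proprietary_distribution=True):
    """Return (component, license, verdict) for components that need action before
    release: copyleft blocks a proprietary release, unknown always needs review."""
    findings = []
    for name, spdx in inventory:
        kind = classify(spdx)
        if kind == "unknown":
            findings.append((name, spdx, "review: unrecognised license"))
        elif kind == "copyleft" and proprietary_distribution:
            findings.append((name, spdx, "blocker: derivative work would have to be open-sourced"))
    return findings

# Constructed inventory of (component, declared SPDX expression).
SAMPLE_INVENTORY = [
    ("http-kit", "MIT"),
    ("yaml-parse", "MIT OR GPL-2.0-only"),           # dual-licensed: MIT can be chosen
    ("db-driver", "GPL-3.0-only"),
    ("fast-json", "Apache-2.0 AND GPL-2.0-only"),     # both apply: copyleft wins
    ("legacy-lib", "SEE LICENSE IN LICENSE.txt"),     # not SPDX: a human must read it
]

if __name__ == "__main__":
    for name, spdx, verdict in license_findings(SAMPLE_INVENTORY):
        print(f"{name} ({spdx}): {verdict}")
```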
Evaluate Code Before Using
When you want to include open-source components in your applications, evaluate the source code first. Libraries and functions are often used in a “black-box” way, with developers knowing only what they do and not how they work. This can lead to the unnecessary inclusion of vulnerabilities and dependencies: there is no reason to pull in an entire library for a function that you could easily write yourself.
There are security tools that can help you scan any components you wish to use for vulnerabilities. Some of these tools are open-source themselves and many make use of public vulnerability databases.
Keep Your Components Updated
You should regularly compare the open-source versions you are using against the most up-to-date release. Apply patches and update versions promptly so that vulnerabilities are closed as soon as possible. Additionally, try to limit the number of different versions of a component you are using; doing so makes patching easier and faster.
If you need to keep using older versions of components or tools, devote resources to addressing their vulnerabilities in-house. Once you stop using the most recent version, you can no longer rely on community patches; identifying and fixing vulnerabilities will be up to you and your development and security teams.
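An added example (not from the article) that serves both the earlier tracking advice and this section's update advice: it builds an inventory from a constructed lockfile excerpt shaped like npm's lockfileVersion 2/3 "packages" map, then reports components that are outdated or installed in more than one version. The lockfile contents and the LATEST snapshot are constructed samples; dotted-integer version numbers are assumed.

```python
import json

# Constructed lockfile excerpt shaped like npm's lockfileVersion 2/3 "packages"
# map: keys are install paths, and a nested node_modules path is a second copy.
LOCKFILE = json.loads("""{"name": "example-app", "lockfileVersion": 3, "packages": {
    "": {"name": "example-app", "version": "1.0.0"},
    "node_modules/http-kit": {"version": "1.0.0"},
    "node_modules/yaml-parse": {"version": "5.3.1"},
    "node_modules/log-utils": {"version": "2.14.1"},
    "node_modules/http-kit/node_modules/log-utils": {"version": "2.9.0"},
    "node_modules/@acme/auth": {"version": "3.1.0"}
}}""")

# Constructed snapshot of each component's newest release (in practice: registry or tracking-tool feed).
LATEST = {"http-kit": "1.0.0", "yaml-parse": "5.4.0",
          "log-utils": "2.15.0", "@acme/auth": "3.1.0"}

def parse_version(v):
    """'2.14.1' -> (2, 14, 1) so 2.9.0 sorts before 2.14.1 (assumes dotted ints)."""
    return tuple(int(p) for p in v.split("."))

def inventory(lock):
    """Map component name -> every version installed anywhere in the tree, oldest first."""
    found = {}
    for path, meta in lock["packages"].items():
        if not path:                      # "" is the root project itself
            continue
        name = path.rsplit("node_modules/", 1)[1]   # keeps scoped names like @acme/auth
        found.setdefault(name, set()).add(meta["version"])
    return {n: sorted(vs, key=parse_version) for n, vs in found.items()}

def update_report(lock, latest):
    """Return (component, versions_in_use, newest, status) rows."""
    rows = []
    for name, versions in inventory(lock).items():
        newest = latest.get(name)
        if newest is None:
            status = "untracked: not in update feed"
        elif versions == [newest]:
            status = "current"
        else:
            status = "outdated"
            if len(versions) > 1:       # consolidate first: one version is easier to patch
                status += f", {len(versions)} versions in use"
        rows.append((name, versions, newest, status))
    return rows

if __name__ == "__main__":
    for name, versions, newest, status in update_report(LOCKFILE, LATEST):
        print(f"{name}: {', '.join(versions)} (latest {newest}) -> {status}")
```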
You can’t entirely eliminate the risks that come with open-source code from your system. You can, however, manage those risks. Hopefully, this article helped clarify this subject, and gave you some ideas for how to address it. With careful selection of components and active monitoring, you can ensure that your system stays secure.
Gilad David Maayan is a technology writer who has worked with over 150 technology companies including SAP, Imperva, Samsung NEXT, NetApp and Ixia, producing technical and thought leadership content that elucidates technical solutions for developers and IT leadership. Today he heads Agile SEO, the leading marketing agency in the technology industry.