One of the least known secrets about the Internet – at least until recently – is how much the entire interconnected network that every business depends on is built on open source software that is maintained by a small group of individuals.
Often working through their own passion to contribute to new technologies, these enthusiasts create code for software such as the Log4j application that many of today’s Internet machines need to record and log events and connections.
A Log4j vulnerability in late 2021, during the holiday season, caused widespread disruption. Without a patch or update, servers everywhere were vulnerable to hackers who could exploit this publicised loophole.
This was a wakeup call. In a study released in February this year, software testing and design company Synopsys found that an overwhelming majority of open source codebases (84 per cent) contain at least one known open source vulnerability, up by about 4 per cent from last year.
It says businesses should have a comprehensive inventory of all the software they use, regardless of where it comes from or how it is acquired, so they can better see what is in the code.
Businesses have to better understand the open source software that so much of their business operations depend on, says Kelvin Lim, director of security engineering for Asia-Pacific at Synopsys’ Software Integrity Group.
Just like car makers have a bill of materials of what goes into each vehicle, businesses should maintain a software bill of materials (SBOM) that they can refer to should any of these components face problems such as a security loophole, he tells Techgoondu, in this month’s Q&A.
NOTE: Responses have been edited for style and clarity.
Q: As we learnt from the Log4j debacle in 2021, so much of the work used to secure the most important foundations of today’s digital infrastructure falls on a small group of open-source volunteers. Is this tenable?
A: This is not tenable. Businesses must take a holistic approach to protecting their digital assets and infrastructures. There are always alternatives to every tool, so Log4j can easily be replaced, including an alternative by the same author Ceki Gülcü, known as Reload4j.
It is up to the investigative prudence of businesses to uncover the best tools to do the job, and replace them as and when necessary if patching is not sufficient.
In the same trajectory, it is also important for businesses to seriously define their SBOM (software bill of materials), so that every component within the digital assets inventory is accounted for, and in turn provide clarity for management and CISOs to manage risk better.
Additionally, with a lack of capable professionals, many businesses may need to look into working with third parties to uncover software vulnerabilities and lapses.
Q: Given the complex dependencies for much of today’s open-source software, how deep can businesses typically go when it comes to an SBOM?
A: SBOM springs from the manufacturing BOM concept, and so, SBOM should be addressed in as much depth and detail as a BOM in a manufacturing company.
Imagine an automobile manufacturer, which would have a BOM of every nut and bolt, fabric, electronic component, cabling, glass, elastomer and polymer, and metal parts, that go into making a car. A typical car would have about 30,000 parts, and every part demands precision and quality.
So, if we reimagine SBOM to exactly the same standards as a BOM, then we should examine every software component, including any APIs and connected code, that would form the total software we run.
This whole depth of code analysis is not trivial, so we need direct human intervention coupled with assistive automated software tools, iteration by iteration, and at every turn of software updates and upgrades to ensure that quality and security remain intact.
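The point of an SBOM in the answer above is that, when an advisory lands, a business can look up which of its deployed components are affected instead of guessing. The following is an added example to illustrate that lookup; it is not code from the article, from Synopsys or from the Log4j project. It constructs a minimal CycloneDX-style SBOM in JSON and a small advisory feed inline (the advisory identifiers, the "payments-sdk" component and all version ranges are placeholders made up for the example), then reports every component whose version is below the advisory's fixed version.

```python
import json

# Constructed sample: a minimal CycloneDX-style SBOM for one application.
# Component coordinates follow Maven style; versions are illustrative only.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.14.1"},
        {"type": "library", "group": "ch.qos.reload4j",
         "name": "reload4j", "version": "1.2.19"},
        {"type": "library", "group": "com.example",
         "name": "payments-sdk", "version": "3.0.2"},
    ],
})

# Constructed advisory feed. The ids and "fixed_in" versions are placeholders,
# not real advisory numbers or real fix versions.
SAMPLE_ADVISORIES = [
    {"id": "ADVISORY-PLACEHOLDER-1", "group": "org.apache.logging.log4j",
     "name": "log4j-core", "fixed_in": "2.17.1", "severity": "critical"},
    {"id": "ADVISORY-PLACEHOLDER-2", "group": "com.example",
     "name": "payments-sdk", "fixed_in": "3.0.2", "severity": "high"},
]


def parse_version(version: str) -> tuple:
    """Turn '2.14.1' into (2, 14, 1); non-numeric suffixes such as '-rc1' are
    dropped and short versions are padded with zeros so tuples compare cleanly."""
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(component_version: str, fixed_in: str) -> bool:
    """A component is affected when it is strictly older than the fixed version."""
    return parse_version(component_version) < parse_version(fixed_in)


def load_components(sbom_json: str) -> list:
    """Extract (group, name, version) triples from a CycloneDX JSON document."""
    bom = json.loads(sbom_json)
    return [(c.get("group", ""), c["name"], c["version"])
            for c in bom.get("components", [])]


def find_vulnerable(sbom_json: str, advisories: list) -> list:
    """Match every SBOM component against the advisory feed and return findings."""
    index = {}
    for adv in advisories:
        index.setdefault((adv["group"], adv["name"]), []).append(adv)
    findings = []
    for group, name, version in load_components(sbom_json):
        for adv in index.get((group, name), []):
            if is_affected(version, adv["fixed_in"]):
                findings.append({
                    "component": f"{group}:{name}",
                    "version": version,
                    "advisory": adv["id"],
                    "severity": adv["severity"],
                    "fixed_in": adv["fixed_in"],
                })
    return findings


if __name__ == "__main__":
    for f in find_vulnerable(SAMPLE_SBOM, SAMPLE_ADVISORIES):
        print(f"{f['severity'].upper():8} {f['component']} {f['version']} "
              f"-> upgrade to {f['fixed_in']} ({f['advisory']})")
```

With the constructed data, only log4j-core is reported: it is older than the placeholder fixed version, while payments-sdk already sits exactly at its fixed version and reload4j has no advisory at all. In practice the SBOM would come from the build pipeline and the advisory feed from a vulnerability database, and the version comparison would need to follow each ecosystem's own rules, but the shape of the check is the same.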
Q: What can most businesses do when they find a vulnerability, given that they lack the capabilities to contribute a meaningful patch or update?
A: For most businesses, security tends to be a holistic ecosystem of external and internal defensive technologies, as well as application and code scanning tools for runtimes and development.
This means that external and internal cybersecurity solutions can attempt to track every node in the network for possible intrusions, while analysis tools help to uncover code weaknesses that may either allow intrusions or cause legal ramifications.
External third-party consultants and integrators can often supplement the internal practice, and may be able to provide transient patching or workarounds until official patches are released.
Q: Some businesses might even argue that it is better to keep running software with a known vulnerability (and wait for a patch) than to take down a service that will impact business adversely, because that’s the same as DDoS’ing yourself. How would you advise these businesses?
A: It really depends on the vulnerability. If it is a non-critical vulnerability, perhaps the business, having weighed all risks, decides to run with the software until official fixes are released.
For example, as of March 14, 2023, WordPress 6.1.1 still has an unpatched blind SSRF vulnerability. Rather than shut down websites, sysadmins can mitigate the situation by turning off pingbacks, and/or blocking access to the xmlrpc.php file.
Therefore, there are always workarounds, on top of existing cybersecurity defenses that would log and block many intrusions and such attempts.
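A workaround such as blocking xmlrpc.php is only worth relying on if it is confirmed to be in effect, and the web server's own access log is the simplest place to check. The following is an added example, not code from the article or from WordPress: it parses combined-format access log lines constructed inline (the IP addresses, timestamps and user agents are made up), counts requests for xmlrpc.php, and flags any that were still answered with a non-error status, which would mean the block is not actually applied.

```python
import re
from urllib.parse import urlsplit

# Combined log format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines. The second line shows what an unblocked
# request looks like; the last line is deliberately malformed.
SAMPLE_LOG = """
203.0.113.5 - - [14/Mar/2023:10:01:02 +0000] "POST /xmlrpc.php HTTP/1.1" 403 153 "-" "curl/7.88.1"
203.0.113.5 - - [14/Mar/2023:10:01:09 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "curl/7.88.1"
198.51.100.7 - - [14/Mar/2023:10:02:30 +0000] "GET /index.php HTTP/1.1" 200 8721 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Mar/2023:10:03:00 +0000] "GET /xmlrpc.php?rsd HTTP/1.1" 404 0 "-" "Mozilla/5.0"
this line is not a valid access log entry
""".strip().splitlines()


def parse_line(line: str):
    """Parse one access log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Drop any query string so "/xmlrpc.php?rsd" is treated as "/xmlrpc.php".
    rec["path"] = urlsplit(rec["target"]).path
    return rec


def audit_xmlrpc(lines) -> dict:
    """Summarise how xmlrpc.php requests were answered.

    A status of 400 or above counts as blocked; anything lower means the
    request reached the file and the workaround is not in effect for it."""
    report = {"xmlrpc_requests": 0, "blocked": 0, "unblocked": [], "unparsed": 0}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            report["unparsed"] += 1
            continue
        if not rec["path"].endswith("/xmlrpc.php"):
            continue
        report["xmlrpc_requests"] += 1
        if rec["status"] >= 400:
            report["blocked"] += 1
        else:
            report["unblocked"].append({
                "ip": rec["ip"], "time": rec["ts"],
                "method": rec["method"], "status": rec["status"],
            })
    return report


if __name__ == "__main__":
    result = audit_xmlrpc(SAMPLE_LOG)
    print(f"xmlrpc.php requests: {result['xmlrpc_requests']}, "
          f"blocked: {result['blocked']}, unparsed lines: {result['unparsed']}")
    for hit in result["unblocked"]:
        print(f"NOT BLOCKED: {hit['method']} from {hit['ip']} at {hit['time']} "
              f"-> {hit['status']}")
```

On the constructed sample the script reports three xmlrpc.php requests, two of them blocked, and singles out the one that received a 200, which is exactly the line an administrator would want to see after deploying the block. Running it against the real log after the change, and again periodically, turns a one-off workaround into something that is actually monitored.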