IoT News | The Security Risks of Open Source Software – IoT Business News

The phrase "no person is an island" means that no one is completely self-sufficient; all of us rely on others to some extent in order to survive and thrive. The same is true of software. While it is technically possible to build every piece of software completely from scratch, this simply isn't practical in most cases.

Instead, developers frequently use modules or packages of code, often found in open source repositories such as GitHub, which they piece together to build their software. Think of these as the pre-constructed window frames, doors, and bricks that a builder might use to construct a new house.

There are multiple reasons why developers rely on open source code in this way. A big one is the speed at which they must often work. A developer is likely working to a fixed budget and deadline, making it impractical to spend time building every single component of the software from scratch. Using open source code also lets them build their programs on code they might not have the expertise to write themselves. To return to the house-building analogy, a person building a house may not have the skill to craft beautifully constructed doors. In addition, the crowdsourced nature of open source code, which has been contributed to and examined by large numbers of users, can help with spotting and fixing bugs and potential vulnerabilities.

With this in mind, it's no surprise that open source ecosystems are booming, whether that's Java, JavaScript, .NET, or Python: hundreds of thousands of projects draw on millions of downloadable packages available to developers. Those numbers are only going to increase over time.

But while open source software brings no shortage of benefits, it also poses risks. That's where tools such as a WAF can help. What is a WAF? Short for web application firewall, it is one of the many cybersecurity tools available to help developers tackle a growing problem, and it is worth treating as a must-have.

Open source, by its nature, attracts large numbers of users from all over the world. According to one report, open source code is found in upward of 30 percent of commercially released applications, and in far more when tools such as software for internal use are included. Unfortunately, it's not just the good folks who are attracted to open source.

The number of attacks on open source projects has ramped up significantly. One analysis suggests that the number of attacks has increased by upward of 650 percent over the past year.

For attackers, one reason to target open source projects is that it lets them poison the well that large numbers of applications then drink from. Rather than targeting proprietary or custom code, if an attacker can find a way to inject malicious code into an open source project, or into the package that distributes it, the tainted code can then be baked into legitimate software downstream.

Although open source code is, by its nature, open and inspectable, many developers do not spend the time needed to actually inspect it. Instead, they assume that someone else has already done the bug-spotting, and spend that time developing new features or getting on with other projects.

Companies that do not carry out proper due diligence on the open source modules or packages they use could introduce serious vulnerabilities into their applications, making possible everything from large-scale data exfiltration to remote code execution. The damage could be major, whether that is non-compliance with data protection laws, operational risk, or damage to the reputation of the companies that ship this open source code.
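The kind of due-diligence check the paragraph above calls for, as an added example that is not part of the original article: a small Python script that audits a pip lockfile for dependencies that are not pinned to an exact version or carry no sha256 hash, and then verifies a downloaded artifact against the pinned hash before it would be installed. The lockfile contents, package names and artifact bytes are constructed for the example (the hash is computed from those bytes so the script runs offline); the verification step mirrors what pip itself does in `--require-hashes` mode.

```python
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass, field

# "name[extras]==version" in pip requirements syntax. Only exact pins (==)
# count as pinned; ">=", "~=" and bare names leave the resolved version open.
_PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*==\s*([^\s\\;]+)")
_HASH_RE = re.compile(r"--hash=sha256:([0-9a-fA-F]{64})")


@dataclass
class Requirement:
    name: str
    version: str | None                      # None when not pinned with ==
    hashes: list[str] = field(default_factory=list)
    raw: str = ""


def parse_requirements(text: str) -> list[Requirement]:
    """Parse pip requirements/lockfile text into Requirement records.

    Backslash line continuations are joined first so that --hash options on
    following lines belong to the requirement they continue."""
    logical = text.replace("\\\n", " ")
    reqs: list[Requirement] = []
    for line in logical.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("-"):
            continue  # comment, or a pip option line such as --index-url
        m = _PIN_RE.match(line)
        if m:
            name, version = m.group(1).lower(), m.group(2)
        else:
            name = re.split(r"[\s<>=!~\[;]", line, maxsplit=1)[0].lower()
            version = None
        hashes = [h.lower() for h in _HASH_RE.findall(line)]
        reqs.append(Requirement(name, version, hashes, line))
    return reqs


def audit(reqs: list[Requirement]) -> list[str]:
    """One finding per hygiene problem. An unpinned version means a future
    install can silently resolve to a newer (possibly poisoned) release; a
    missing hash means a swapped artifact of the same version goes unnoticed."""
    findings = []
    for r in reqs:
        if r.version is None:
            findings.append(f"{r.name}: not pinned to an exact version")
        if not r.hashes:
            findings.append(f"{r.name}: no --hash, so a replaced artifact would install unnoticed")
    return findings


def verify_artifact(req: Requirement, artifact: bytes) -> bool:
    """True only if the downloaded artifact matches a hash recorded in the
    lockfile; this is the check pip performs under --require-hashes."""
    return hashlib.sha256(artifact).hexdigest() in req.hashes


# Constructed sample data (not a real project's lockfile or package).
GOOD_ARTIFACT = b"constructed stand-in for the requests-2.31.0 wheel bytes"
TAMPERED_ARTIFACT = GOOD_ARTIFACT + b"\n# attacker-appended payload"
GOOD_HASH = hashlib.sha256(GOOD_ARTIFACT).hexdigest()

SAMPLE_LOCKFILE = f"""\
# constructed sample lockfile
requests==2.31.0 \\
    --hash=sha256:{GOOD_HASH}
flask>=2.0
pyyaml==6.0.1
"""

if __name__ == "__main__":
    reqs = parse_requirements(SAMPLE_LOCKFILE)
    for finding in audit(reqs):
        print("FINDING:", finding)
    requests_req = reqs[0]
    print("good artifact accepted:", verify_artifact(requests_req, GOOD_ARTIFACT))
    print("tampered artifact accepted:", verify_artifact(requests_req, TAMPERED_ARTIFACT))
```

Run as-is, the script reports `flask` (unpinned and unhashed) and `pyyaml` (pinned but unhashed), accepts the constructed artifact and rejects the tampered one. Two caveats a reviewer would add: a hash only proves the artifact is the one recorded when the lockfile was generated, not that the recorded version is itself benign, so this complements reading the dependency rather than replacing it; and a lockfile is only as trustworthy as the tooling that wrote it, so enforce it at install time (`pip install --require-hashes -r requirements.txt`) rather than relying on the audit alone.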

Protecting vulnerable open source code is essential. Luckily, there are tools that can help. A WAF or WAAP (web application and API protection) can virtually patch open source vulnerabilities, preventing them from being exploited: it sits in front of the application, detects attempted exploitation of a known code vulnerability, and blocks it quickly. Note that a virtual patch is a stopgap rather than a fix; the vulnerable code is still in the application, so it buys time until the affected dependency can be updated, not a reason to skip the update.

Adopting these tools is among the smartest moves an organization can make. This way, customers and users can continue to enjoy the many advantages the open source community has to offer without having to worry as much about the risks.

While it is still crucial that developers properly inspect the code they use, this is nonetheless a valuable safeguard for any vulnerabilities that slip through the cracks. Attacks on open source projects aren't going away, but solutions such as this make it possible to mitigate the worst of the damage they can cause.
