Open Source Software Vulnerabilities: How To Stop Hackers From Trespassing?

Published on 25 January 18
The world has an insatiable appetite for apps, and of course the better ones. Almost all applications comprise third-party components, mostly open source, and more than 50% of the Global 500 use vulnerable open source components. Looking at the current software development environment, you will find that an enormous amount of work is crowdsourced to large communities of open-source developers, such as those around PHP, Java, and Android. Most non-technical readers have very little understanding of the resulting security problems. However, one cannot stop using open source, as it offers a plethora of benefits, but we can definitely take certain security measures in order to avoid getting hacked.
Open-Source Could Mean an Open Door for Hackers

A recent analysis suggests that attackers exploit open-source software flaws faster and more easily. Let me show you how. Everyone uses open source, where code is available for everyone to study, change and distribute. Most applications make use of commercial components like Apache, OpenSSL and MySQL and are developed in frameworks and libraries like Bootstrap, WordPress, the Play framework and Node.js. It may interest you to know that two of the best-known operating systems, Linux and Android, also fall under the open source model. Allowing everyone and anyone to view such critical code is a significant move; for some open source developers this even turns out to be a mistake.

Many argue that opening up a program's source code to public scrutiny results in more secure software than when the source code is not published – closed source or proprietary software.
(Image 1: Open Source Software Vulnerabilities)
Software dependencies are often the largest attack surface

Organizations usually assume most risks come from public-facing web applications. However, that isn’t true anymore! With dozens of small components in every application, and bugs like Heartbleed and Shellshock found in them, risks can come from anywhere in the codebase. On top of this, many organizations do not have accurate inventories of the software dependencies their different applications use.

Above all, several organizations still hold the misconception that open source is more secure than commercial code. Well, don’t get me wrong. I am not saying that open source software is less secure than commercial software, but in order to secure the code, certain activities such as code inspection by trained ‘eyeballs’, dynamic security scanning, and penetration testing, among other things, must be done.

Although it is undeniably fascinating, it can be equally scary at the same time.

Unfortunately, the whole dependency ecosystem is fragile. Do you remember the recent Node.js incident? Yes, it gave the entire community a reality check when one programmer almost broke the internet by deleting 11 lines of code. Attackers could easily have taken over the namespaces of these packages, bumped the version, and added malicious code in place of the code that was actually expected.
What Is The Fix? How to Avoid Getting Hacked?

Fortunately, different open-source and commercial tools have emerged over the years to tackle this problem. Each tool is unique and tackles the problem a bit differently. Below I would like to mention a few ways to check the security risk of open-source dependencies.

Node Security Project (NSP)

Known for its work on Node.js modules and NPM dependencies, this tool scans for vulnerabilities using public vulnerability databases such as the NIST National Vulnerability Database (NVD) as well as its own database.

RetireJS

Being an open-source, JavaScript-specific dependency checker, the project primarily focuses on ease of use. This is why it comprises multiple components, such as a command-line scanner and plugins for Grunt, Gulp, Chrome, Firefox, ZAP, and Burp. The tool also made a site-checking service available to JS developers who want to find out whether they're using a JavaScript library with known vulnerabilities.

OSSIndex

This one is my favorite, as it supports several technologies. It extracts dependency information from NPM, NuGet, the Maven Central Repository, Bower, Chocolatey, and MSI. Besides that, it also offers a vulnerability API for free. OSSIndex currently retrieves its vulnerability information from the NIST NVD.

Dependency Check

Dependency-check is an open-source command line tool from OWASP. The well-maintained tool can be used in stand-alone mode as well as within build tools. Dependency-check supports Java, .NET, JavaScript, and Ruby. The tool retrieves its vulnerability information strictly from the NIST NVD.

Hakiri

Hakiri is a commercial tool that offers dependency checking for Ruby and Rails-based GitHub projects using static code analysis. Besides, it offers free plans for public open-source projects and paid plans for private ones.
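What every tool above has in common is the matching step: read the application's dependency inventory, compare each declared version against an advisory feed derived from the NVD, and report the version to upgrade to. The script below is an added illustration of that step and of the version-pinning point from the Node.js incident; it is not code from NSP, RetireJS, OSSIndex, Dependency-Check or Hakiri, and the advisory feed, package names and identifiers are constructed placeholders.

```python
import json
import re

# Constructed advisory feed in the shape scanners derive from the NVD:
# package, first affected version, first fixed version, identifier.
# Package names and identifiers are placeholders, not real records.
ADVISORIES = [
    {"package": "pad-left-ish", "introduced": "0.0.0", "fixed": "1.3.0", "id": "ADV-PLACEHOLDER-1"},
    {"package": "json-fast-ish", "introduced": "2.0.0", "fixed": "2.1.5", "id": "ADV-PLACEHOLDER-2"},
]

# Constructed dependency inventory, as a tool would read it from package.json.
PACKAGE_JSON = json.dumps({
    "dependencies": {
        "pad-left-ish": "1.2.0",     # pinned, but inside the affected range
        "json-fast-ish": "^2.1.5",   # floating range: a bumped release is pulled in silently
        "safe-lib": "3.0.1",         # pinned, no advisory
    }
})

EXACT_VERSION = re.compile(r"^v?\d+(\.\d+)*$")

def parse_version(spec):
    """Turn '1.2.0', 'v1.2.0' or '^2.1.5' into a comparable tuple of ints.
    Range operators are stripped so the declared lower bound is checked."""
    core = spec.lstrip("^~>=v").split("-")[0]
    return tuple(int(part) for part in core.split("."))

def is_pinned(spec):
    """True only for an exact version; ranges like ^2.1.5 are not reproducible."""
    return EXACT_VERSION.match(spec) is not None

def audit(package_json, advisories):
    """Return (package, finding, detail) tuples for unpinned and vulnerable deps."""
    deps = json.loads(package_json)["dependencies"]
    findings = []
    for name, spec in deps.items():
        if not is_pinned(spec):
            findings.append((name, "unpinned", spec))
        version = parse_version(spec)
        for adv in advisories:
            if adv["package"] != name:
                continue
            # Affected if introduced <= version < fixed, the usual NVD-style range.
            if parse_version(adv["introduced"]) <= version < parse_version(adv["fixed"]):
                findings.append((name, adv["id"], "upgrade to " + adv["fixed"]))
    return findings

if __name__ == "__main__":
    for finding in audit(PACKAGE_JSON, ADVISORIES):
        print(finding)
```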

Conclusion

There are certain open source communities that are quicker to fix and upgrade their code base (sometimes as often as 5 or 6 times a year). For this reason, a software developer needs to keep a close eye on the current and latest updates and prioritize upgrading versions accordingly.

So that’s all for now! Keep watching this space to know more.