Survey: Equifax Hack Highlights Open Source Insecurity
With open source software accounting for more than half of some products, process gaps are emerging for managing security. Vendors pushing approaches for monitoring software supply chains point to the recent Equifax breach affecting about 143 million consumers as a case in point: attackers exploited an Apache Struts vulnerability after the company failed to apply a security patch that had been available since March.
A survey released this week by software licensing specialist Flexera found that only 37 percent of the 400 commercial software vendors it queried have open source acquisition or usage policies in place. Thirty-nine percent said either no one is in charge of open source compliance or they don't know who's responsible.
Furthermore, the vendor survey found, most software engineers do not track open source use while many development teams are unaware of the gap or the security risks.
“Ready-to-go code gets products out the door faster, which is important given the lightning pace of the software space," Jeff Luszcz, Flexera's vice president of product management, noted in a statement releasing the survey. "However, most software engineers don’t track open source use, and most software executives don’t realize there’s a gap and a security [and] compliance risk.”
One-third of respondents said they participate in open source software development. While companies large and small are contributing code and other components to a growing list of open source projects, nearly half said they either do not have an open source usage policy or have no rules for using open source software.
Security concerns fueled by massive breaches like the Equifax hack are growing with the increased use of open source code in cloud and Internet of Things deployments. Software licensing compliance vendors such as Flexera equate spotting licensing irregularities or security vulnerabilities to finding a bug in application software. Hence, the company argues that mechanisms for spotting vulnerabilities need to be incorporated into the software development cycle to minimize damage.
In the case of Equifax, the Apache Software Foundation recently confirmed that last month's massive data breach stemmed from the consumer credit reporting agency's failure to install patches to Apache Struts, an open source framework used to build Java web applications. The patch had been released in March; the breach came to light in September.
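The "mechanism for spotting vulnerabilities in the development cycle" that the article calls for is, at its simplest, a build-time check of the project's declared dependencies against a list of affected version ranges. The following is an added illustration written for this page; it is not code from the article, from Flexera, or from the Apache Struts project. The pom.xml fragment and the advisory entry (its identifier, coordinate and version ranges) are constructed sample data, not a real advisory feed; a real deployment would substitute the vendor's or a public database's records.

```python
"""Minimal software-composition check: flag Maven dependencies whose declared
version falls inside an advisory's affected range. Added example, not from
the article or any vendor; all data below is constructed for illustration."""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample pom.xml (not from a real project).
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>2.3.31</version>
    </dependency>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
      <version>2.9.1</version>
    </dependency>
  </dependencies>
</project>
"""

# Constructed advisory entries (placeholder id and ranges, not a real feed).
# Each "affected" string is a comma-separated list of constraints that must
# all hold for the version to be considered affected.
SAMPLE_ADVISORIES = [
    {"id": "ADV-EXAMPLE-1",
     "coordinate": "org.apache.struts:struts2-core",
     "affected": [">=2.3.5,<2.3.32", ">=2.5.0,<2.5.10.1"]},
]

_CONSTRAINT = re.compile(r"^(<=|>=|==|<|>)\s*([\w.\-]+)$")


def parse_version(text: str) -> tuple:
    """Turn '2.5.10.1' into (2, 5, 10, 1); non-numeric parts are dropped."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1; shorter tuples are zero-padded so 2.5 == 2.5.0."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return (va > vb) - (va < vb)


_OPS = {
    "<": lambda c: c < 0, "<=": lambda c: c <= 0, "==": lambda c: c == 0,
    ">": lambda c: c > 0, ">=": lambda c: c >= 0,
}


def in_range(version: str, spec: str) -> bool:
    """True if every constraint in spec (e.g. '>=2.3.5,<2.3.32') holds."""
    for raw in spec.split(","):
        m = _CONSTRAINT.match(raw.strip())
        if not m:
            raise ValueError(f"bad constraint: {raw!r}")
        op, bound = m.groups()
        if not _OPS[op](compare_versions(version, bound)):
            return False
    return True


def parse_pom(xml_text: str) -> Dict[str, str]:
    """Map 'groupId:artifactId' to the declared version. Namespace-agnostic."""
    deps: Dict[str, str] = {}
    for el in ET.fromstring(xml_text).iter():
        if el.tag.split("}")[-1] != "dependency":
            continue
        f = {c.tag.split("}")[-1]: (c.text or "").strip() for c in el}
        if "version" in f:  # versions inherited from a parent are not checked
            deps[f"{f['groupId']}:{f['artifactId']}"] = f["version"]
    return deps


def scan(deps: Dict[str, str], advisories: List[dict]) -> List[dict]:
    """Return one finding per (dependency, advisory, matching range)."""
    findings = []
    for adv in advisories:
        version = deps.get(adv["coordinate"])
        if version is None:
            continue
        for spec in adv["affected"]:
            if in_range(version, spec):
                findings.append({"coordinate": adv["coordinate"],
                                 "version": version, "advisory": adv["id"],
                                 "range": spec})
    return findings


def scan_pom(xml_text: str, advisories: List[dict] = SAMPLE_ADVISORIES) -> List[dict]:
    return scan(parse_pom(xml_text), advisories)


if __name__ == "__main__":
    hits = scan_pom(SAMPLE_POM)
    for h in hits:
        print(f"{h['advisory']}: {h['coordinate']} {h['version']} in {h['range']}")
    raise SystemExit(1 if hits else 0)  # non-zero exit fails the build step
```

Run as a build step, the non-zero exit turns an unpatched dependency into a failed build rather than a note in a report, which is the point the article's sources make: the check has to live inside the development cycle, not in a separate audit. Two caveats a practitioner would add: the check only sees versions declared in the file (transitive and parent-inherited dependencies need the resolved dependency tree), and the advisory data is only as good as its source and its freshness.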
The bottom line, according to the survey's authors, is that the security risks associated with open source software can only be managed if suppliers have usage policies that are enforced. "They have to communicate these policies to all the development teams that are writing code and incorporating open source components into that code," warns the survey released on Tuesday (Oct. 17).