Open Source  


I was giving a presentation a few months ago at a conference. The presentation was on “organization cyber security”. I touched on a few of the most common cyber security vulnerabilities and mentioned open-source software that gets downloaded onto systems. A gentleman stood up and said to me, and the crowd, “My office has a policy that forbids any open-source applications on our network. It is not allowed and no one, and I mean no one, will put any open-source software on my system.” I responded that that is one way to handle it. If you proactively forbid open-source software, you can be fairly certain you have eliminated any open-source vulnerabilities. That is, however, very short-sighted. Many great solutions reside in open-source applications. The vulnerabilities can be addressed, and the applications can significantly increase development efficiency.

About an hour later, the next presenter discussed a complex calculation that this organization would face from time to time. The same gentleman who absolutely forbade open-source software stood up again to let the crowd know that he had found an Excel spreadsheet online that would do these calculations for you. All they would need to do was download it and enable the macros. He proudly let them know that the “macros are already written.” I simply put my face in my palms. He didn’t understand that macros in Excel are software. He didn’t realize that downloading the spreadsheet and enabling the macros does present an open-source/3rd party vulnerability – a greater vulnerability than a vetted open-source application.
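The point above is that a workbook with macros is code you are choosing to run. As an added example (not part of this post, and not a tool the author describes), the Python below tells you whether an Office Open XML workbook (.xlsx/.xlsm) actually carries a VBA project, which is the inspection worth doing before anyone "enables the macros". The workbook it builds for demonstration is a constructed, minimal package, not a real Excel file; the part name `xl/vbaProject.bin` and the content type `application/vnd.ms-office.vbaProject` are the standard ones Office uses for VBA projects.

```python
"""Added example: detect whether an Office Open XML workbook carries VBA macro code."""
import io
import zipfile

# Standard OOXML part name suffix and content type for an embedded VBA project.
VBA_PART_SUFFIX = "vbaProject.bin"
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def inspect_workbook(workbook_bytes: bytes) -> dict:
    """Return {'is_ooxml': bool, 'macro_parts': [part names]} for the given file bytes.

    A file that is not a zip package (for example a legacy binary .xls) is reported
    as is_ooxml=False; it needs a different check rather than being assumed clean.
    """
    try:
        pkg = zipfile.ZipFile(io.BytesIO(workbook_bytes))
    except zipfile.BadZipFile:
        return {"is_ooxml": False, "macro_parts": []}

    with pkg:
        names = pkg.namelist()
        # Direct hit: the VBA project part is present under its usual name.
        hits = [n for n in names if n.endswith(VBA_PART_SUFFIX)]
        # Also honour the package's own content-type declaration, in case the
        # part was stored under an unusual name but is still declared as VBA.
        if "[Content_Types].xml" in names and not hits:
            content_types = pkg.read("[Content_Types].xml").decode("utf-8", errors="replace")
            if VBA_CONTENT_TYPE in content_types:
                hits.append("<declared in [Content_Types].xml>")
    return {"is_ooxml": True, "macro_parts": hits}


def has_macros(workbook_bytes: bytes) -> bool:
    """True when the package declares or contains a VBA project."""
    return bool(inspect_workbook(workbook_bytes)["macro_parts"])


def build_sample_workbook(with_macros: bool) -> bytes:
    """Construct a minimal fake OOXML package for demonstration (not a real Excel file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        overrides = (
            '<Override PartName="/xl/workbook.xml" ContentType='
            '"application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"/>'
        )
        if with_macros:
            overrides += f'<Override PartName="/xl/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
            pkg.writestr("xl/vbaProject.bin", b"\x00placeholder-vba-project")  # constructed stand-in
        pkg.writestr("[Content_Types].xml", f"<Types>{overrides}</Types>")
        pkg.writestr("xl/workbook.xml", "<workbook/>")
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        result = inspect_workbook(build_sample_workbook(flag))
        print(f"macros={flag}: {result}")
```

Run it on a downloaded file with `inspect_workbook(open(path, "rb").read())`; a non-empty `macro_parts` list means the spreadsheet ships executable code and should go through the same vetting as any other third-party application before it is opened with macros enabled.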

I would like to say that this gentleman and his organization are unique, but they aren’t. Most organizations, over 75%, utilize open-source software, and rightly so. Why should you reinvent the wheel? If someone has written a module, or even a macro, that saves you time and effort, use it. BUT… make sure it is safe. Make sure it does not create risk and vulnerabilities for you. It might save you the time of creating it, but if it allows a cyber-criminal to exploit you and your systems, it was not a time saver.

The solution — Know what open-source or 3rd party software is on your network and remove or update any that presents vulnerabilities. The issue is finding those vulnerabilities. Scanning tools can find software that is out of date, has known vulnerabilities, or is otherwise detrimental to your systems. That will allow you to proactively update or remove the vulnerable software before it has an opportunity to be exploited.

The secret – Keep your applications updated to the most current version. Watch for known vulnerabilities and exploit opportunities. I can assure you your cyber adversaries are watching and scanning your network for opportunities to exploit and profit from your vulnerabilities.
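The two paragraphs above (know what is on your network, then compare it against known vulnerabilities and update) are, at their core, an inventory matched against an advisory list. As an added example (not part of this post, and not any particular scanning product), the Python below does exactly that for a pip-freeze style inventory: it parses `name==version` lines, compares each installed version with the first fixed version named in an advisory, and reports what needs updating. The inventory, component names and advisory identifiers (`EXAMPLE-ADV-…`) are all constructed for the example; a real deployment would feed it an actual software inventory and a real advisory feed.

```python
"""Added example: match a software inventory against known-vulnerable versions so that
out-of-date third-party components can be updated or removed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    name: str
    installed: str
    fixed_in: str
    advisory: str  # advisory identifier; only constructed placeholders appear in this example


def parse_version(version: str) -> tuple:
    """Turn a dotted version string into a tuple that compares numerically.

    Each component keeps only its leading digits ('3rc1' -> 3), a missing component
    counts as 0, and the tuple is padded so '1.2' and '1.2.0' compare equal.
    """
    parts = []
    for piece in version.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 4:
        parts.append(0)
    return tuple(parts)


def parse_inventory(text: str) -> dict:
    """Parse 'name==version' lines into {name: version}; names are lower-cased for matching.
    Blank lines, '#' comments and lines without '==' are skipped."""
    inventory = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, version = line.partition("==")
        if not sep:
            continue  # malformed line; a production scanner would log it
        inventory[name.strip().lower()] = version.strip()
    return inventory


def find_vulnerable(inventory: dict, advisories: list) -> list:
    """Flag each inventoried component whose installed version is older than the first
    fixed version in an advisory. Advisories for components not installed are ignored."""
    findings = []
    for adv in advisories:
        installed = inventory.get(adv["name"].lower())
        if installed is None:
            continue
        if parse_version(installed) < parse_version(adv["fixed_in"]):
            findings.append(Finding(adv["name"], installed, adv["fixed_in"], adv["advisory"]))
    return sorted(findings, key=lambda f: f.name)


def report(findings: list) -> list:
    """One operator-readable line per finding saying what to update and to which version."""
    return [
        f"{f.name} {f.installed} is affected by {f.advisory}; update to {f.fixed_in} or later"
        for f in findings
    ]


# Constructed sample data: fictitious components, versions and advisory identifiers.
SAMPLE_INVENTORY = """
# exported from a build host (constructed for this example)
libfoo==1.2.3
LibBar==2.0.0
libbaz==0.9
helper-tool==3.1.4
"""

SAMPLE_ADVISORIES = [
    {"name": "libfoo", "fixed_in": "1.2.4", "advisory": "EXAMPLE-ADV-0001"},
    {"name": "libbar", "fixed_in": "1.9.9", "advisory": "EXAMPLE-ADV-0002"},  # already fixed
    {"name": "libbaz", "fixed_in": "1.0", "advisory": "EXAMPLE-ADV-0003"},
    {"name": "libqux", "fixed_in": "5.0", "advisory": "EXAMPLE-ADV-0004"},  # not installed
]

if __name__ == "__main__":
    for line in report(find_vulnerable(parse_inventory(SAMPLE_INVENTORY), SAMPLE_ADVISORIES)):
        print(line)
```

The version comparison is deliberately simple (numeric dotted versions only); package ecosystems with their own version grammars need their own comparator, and an advisory that lists several affected ranges needs more than a single "fixed in" value. The structure, though, is the whole job: without the inventory half, the advisory half has nothing to match against.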

If you are unsure how to scan and update your open-source or 3rd Party applications, reach out to us.  We can help. 


https://resources.whitesourcesoftware.com/home/top-security-open-source-vulnerabilities-2019 

https://www.zdnet.com/article/vulnerabilities-in-popular-open-source-projects-doubled-in-2019/ 

https://www.infosecurity-magazine.com/news/open-source-vulnerabilities/