External Threat Management

Open Source Vulnerabilities and the Detection vs. Prevention Argument

Open source application vulnerabilities are a hot topic in the modern information security discourse, mainly because of incidents like Heartbleed. Heartbleed was an interesting case not because it was an OpenSSL vulnerability but because of the unsuspected prominence of OpenSSL across the enterprise. OpenSSL actually has a history of vulnerabilities, dating as far back as 2003, when it was discovered that OpenSSL didn't automatically enable RSA blinding.

An article posted on SecurityWeek on July 23rd cites a report published by Sonatype, which found that, "One in ten of the roughly 3,300 software developers, architects and application security pros who took part in the survey admitted that an open source component was, or it was suspected of being, the cause of a breach within the last year."

Furthermore, they contend that 43% of organizations don't have an open source policy. Of the 67% who do have an open source policy, 38% admit their open source policy doesn't include security. The article also points out findings from the 2014 Verizon Breach Report identifying applications as the leading attack vector in breaches.

Compounding the issue, as the SecurityWeek article points out, "most developers don't track component vulnerabilities over time." Apparently only 40% of the survey respondents believe that the development department is responsible for tracking and resolving newly discovered vulnerabilities in existing production applications. Only 18% believe it's the responsibility of the application security department -- another 18% believe it falls under IT Operations.

This grey area of control and responsibility provides perfect cover for cyber criminals searching for ways to infect websites and mobile applications. The staggering increase in breaches points to the need for improved security in this area, which is a significant challenge when relying on standard controls designed to prevent malware from getting in.

That is why RiskIQ technology is designed to take an outside-looking-in approach to threat detection. Leveraging RiskIQ allows security teams to visualize their public-facing threat landscape. They can understand how their assets interconnect and determine which assets can cause the most harm if exploited. Because of this, internal investigators will know where to start looking if signs of a breach are detected.

Open source software, Adobe, JavaScript, etc. will always contain vulnerabilities and will always have cyber criminals looking to exploit them. Understanding which assets must be guarded and maintaining constant vigilance over them helps organizations focus their efforts and prevent those weaknesses from causing major harm.
