Interview: Why are open-source security vulnerabilities rising? Special
Open-source vulnerabilities are increasing, according to a new survey, that this presents concerns for businesses. But is enough being done? Not according to Guy Podjarny, CEO and co-founder of Snyk.
Open-source vulnerabilities in 2016 were bad, with an increase of 53.8 percent in relation to the number of security concerns. 2017 has been little better, with a 39.1 percent over last year.
There are multiple reasons for this, as drawn out in the Snyk annual ‘The State of Open Source Security’ report. To find out what companies and individuals can do better to protect themselves Digital Journal spoke with Guy Podjarny, CEO and co-founder of Snyk.
Digital Journal: How is the open source landscape changing?
Guy Podjarny: Open Source Software (OSS) adoption is growing at a mind-blowing pace, with millions of OSS components downloaded billions of times a month and more than doubling every two years. In addition, OSS is now heavily used in organisations big and small, by roughly 80-90% of commercial software developers.
DJ: What’s the current state of risk from open-source security vulnerabilities?Podjarny: The risk from OSS vulnerabilities is at an all-time high. The number of discovered vulnerabilities in such components grew by over 50 percent last year, and while OSS maintainers fix those issues within 16 days on average, they rarely audit their code. As a result, an average vulnerability takes 2.5 years to be uncovered.
Attackers exploit these vulnerabilities shortly after disclosure, equipping attack botnets with automated exploits within the day, and the Equifax breach best demonstrates the type of damage they can incur.
DJ: Is this level of risk set to increase into 2018?Podjarny: Unfortunately, yes. While well intentioned, OSS maintainers are ill equipped to secure their projects, paving the path to another record year of disclosed OSS vulnerabilities. These maintainers don’t have a good way of notifying users about such vulnerabilities, and so developers continue to use vulnerable components long after a fix is released.
DJ: How did you conduct your survey based on these problems?Podjarny: We reached out to developers through multiple developer-oriented publications, several open source foundations and social networks, gathering information from both consumers and maintainers of open source projects. We augmented this information with public data about vulnerabilities and open source activity, and further added insights from Snyk’s open source vulnerability database.
DJ: How much of this is disclosed to the public?Podjarny: Most of the information we used in this report is publicly available, and the rest is gathered into the report. We’re happy to share the raw survey data with any who asks, properly anonymized.
DJ: Where do most of the threats come from?Podjarny: Known vulnerabilities in OSS components are typically exploited using automated exploit tools. These are often used in attacks targeting specific corporations, but are most widely used in broad botnets. Since each vulnerability has many potential victims, a single exploit kit can successfully and efficiently compromise many companies.
DJ: Should maintainers of software carry out code audits more regularly and if so, how regularly?
Podjarny: While maintainers should try and audit their code at least annually, they often don’t have the tools or knowledge on how to invoke it. A more promising path for OSS security is to get consumers, often working in security conscious and well budgeted firms, to use their tools and expertise to audit the projects they use, and responsibly report the findings back – ideally even including a fix.
DJ: How can businesses ensure their systems are up-to-date?Podjarny: Businesses should understand they alone are responsible for securing their open source components. They should use automated tools that track their use of OSS and highlight known security flaws. Lastly, they need to put the tools and processes in place so when a new vulnerability is disclosed, they will discover and patch it faster than attackers can exploit it.
DJ: What else can businesses do to boost security related to open source?Podjarny: Developers within businesses often have better security expertise and tools than the unbudgeted OSS maintainers, and can use those to audit some of the OSS projects they use. Having more OSS consumers contribute security knowledge and findings back is the only way to scale open source security.
DJ: What other services does Snyk offer to businesses?Podjarny: Snyk helps developers use open source code and stay secure, using its vulnerability database and developer friendly tools to help businesses and OSS maintainers find and fix vulnerabilities without slowing down.
The Snyk annual ‘The State of Open Source Security’ report used data from a survey completed with over 500 open-source maintainers and users, Snyk internal data, information published by RedHat Linux and data gathered by scanning GitHub and package management registries.