How to Minimize Risks with Open-source Solutions

Blog

Many organizations in various industries across the globe have invested in open-source solutions to reduce costs. These solutions are also attractive to commercial vendors since the use of open-source components reduces development costs and improve the time to market. These situations have resulted in approximately 3 in 4 organizations adopting open-source solutions.
As a result of the ubiquity of open-source solutions, [1] they have become attractive targets for cybercriminals who continue to find new ways to taunt and terrorize organizations and end-users. Based on the 2017 Trustwave Report[2], in 2015 and 2016 researchers discovered significant vulnerabilities in Zen Cart and Joomla, two of the most commonly used open-source web applications.For instance, a zero-day vulnerability was found in versions of Joomla (1.5 to 3.4). This allows an attacker to perform an object-injection attack against the Joomla database, leading to remote-command execution[3]. Although this and other vulnerabilities were successfully patched, there have been other security risks associated with these popular applications. Further, security flaws have been identified in several other open-source applications, such as:

While the debate ensues on whether open-source applications are more vulnerable than proprietary software, the harsh reality tells a story. Significant risks exist in various open-source solutions and this reality requires the attention of both vendor and end-user organizations. In 2016 for example,3,623 new open-source component vulnerabilities were reported, which averages close to 10 vulnerabilities per day, according to an open-source security study[6].Given the threat landscape, a similar pattern is likely for 2017 and 2018.

Given the above figures, organizations should adopt a proactive risk management posture in identifying and eliminating the vulnerabilities in open-source solutions. Accordingly, sound security controls and practices are crucial to minimize the risks to an organization’s data and information assets. These may include:

Wilson Consulting Group’s (WCG) offers a comprehensive application security assessment service that evaluates applications to identify vulnerabilities to minimize the risk of information leakage and cyberattacks.  This service also assesses whether the application behaves and interacts securely with its users, databases, and other applications.

Additionally, we offer a comprehensive suite of services, including support in cybersecurity training and development, cybersecurity policy development and riskassessment services.

WCG continues to work with organizations in various industries to identify the vulnerabilities in their infrastructure, and determine the best security solutions that best suit their environment.

[1]S.J. Vaughan-Nichols, It’s an open-source world: 78 percent of companies run open-source software, www.zdnet.com

[2]2017 Trustwave Global Security Report

[3]2017 Trustwave Global Security Report

[4]S. M. Kerner, How the Zealot Attack Uses Apache Struts Flaw to Mine Cryptocurrency, www.eweek.com

[5]www.heartbleed.com

[6]2017 Open Source Security & Risk Analysis – Black Duck Software.

Show Buttons
Hide Buttons