What Will It Take to Overcome Challenges & Improve Open Source Security

Over two decades, open source components have saved developers time and money, and they are here to stay. Their influence on the software development industry in Dubai is significant, and they are a preferred choice for Dubai-based businesses because of their many benefits. Despite these benefits, open source components still pose a big risk to enterprises when they are not maintained properly, as this year's Equifax breach shows. 

Researchers at Flashpoint Intelligence found that the cyber-criminals behind the Equifax breach used password attacks against the Magento eCommerce platform to gain access, then scraped credit card records and installed malware. 

The incident raised many questions about open source security, since enterprises use not only open source software systems but also open source productivity software. With Agile dominating many industry verticals, open source has become more valuable today, with more developers joining the community every year. According to experts, a breach like this happens not because open source software is less secure, but because of improper maintenance. Even proprietary software isn't immune to such attacks without maintenance. 

Open source security benefits

The rising demand from enterprises for open source development services also serves as a testament to the trust placed in open source security. Companies have no problem relying on major open source projects, provided they are maintained properly by qualified groups. Except for smaller projects and libraries, open source code theoretically has more eyes looking at it, which is one of its security benefits, considering that much software has no community behind it at all. 

Another major benefit of open source code is that if a company detects a problem, it can open the code and fix it immediately. If the code is proprietary, it has to wait for the vendor to fix it instead. 

Why is there a security threat?

Many open source projects, especially small-scale ones, neglect to scan their code for potential security vulnerabilities. Synopsys, the company that manages Coverity Scan (a free service that scans open source code for defects), scans over 750 million lines of open source code and has found only about 1.1 million defects; 650,000 of those defects have already been resolved. The company infers that the overall quality of the code has improved over the years.

A report from Black Duck Software, another company in this space, stated that open source components are in use in over 96% of commercial applications today. 

So why is there a security threat? 

Even though it is widely used, there are many misconceptions about open source. People seem to assume that, because the source is open, the libraries are constantly being reviewed by the community for security vulnerabilities. In reality this isn't always the case. Users have to run code scans themselves to be sure. 

Many projects lack mechanisms to detect and categorize vulnerabilities and then resolve them. Due diligence here can go a long way. A recent Snyk survey of open source maintainers found that 44% had never had a security audit. Even among the top 400,000 public repositories on GitHub, only 2.4% actually had security documentation. And even if a project manages to fix a problem, there is practically no way to alert every user still running the old open source code.

Due diligence

In the Equifax breach, the attackers exploited a vulnerability in the open source Apache Struts framework. A patch for this particular vulnerability had already been released by that time, but Equifax was not able to apply it in time. This is sound advice for enterprises: find a way to identify every instance of open source code in their environments and revisit that list regularly whenever patches come out. 

Removing vulnerabilities from the code is only possible if the organization knows where they are. Enterprises in Dubai can engage a reliable software development company in Dubai to do this for them if they cannot afford the time and resources for the job. Developers, for their part, need to integrate vulnerability scans efficiently into the development process, which is much easier in an Agile ecosystem. 

The best approach is to implement measures to properly maintain every open source instance in the business ecosystem and to use current versions of open source libraries in projects. The enterprise should also have a team that analyzes the open source code it uses for vulnerabilities.
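The due-diligence step described above (keep an inventory of every open source instance and re-check it whenever advisories and patches come out) is easy to automate once the inventory exists. The following is an added illustration, not code from the article or from any vendor named in it: the inventory, the component names and the advisory identifiers are constructed placeholders, and the version comparison is deliberately simple.

```python
# Constructed sample data (not from the article): open source components found at
# several locations across an enterprise, and a small advisory feed to check against.
INVENTORY = [
    ("web-portal/pom.xml", "struts2-core", "2.3.31"),
    ("billing-api/pom.xml", "struts2-core", "2.5.13"),
    ("legacy-intranet/lib", "struts2-core", "2.3.34"),
    ("web-portal/pom.xml", "commons-collections", "3.2.2"),
    ("reports/requirements.txt", "pyyaml", "3.12"),
]

# Each advisory: placeholder id, component, first affected version (inclusive),
# first fixed version (exclusive). The ids are NOT real advisory numbers.
ADVISORIES = [
    ("EXAMPLE-ADV-001", "struts2-core", "2.3.5", "2.3.32"),
    ("EXAMPLE-ADV-002", "struts2-core", "2.5.0", "2.5.10.1"),
    ("EXAMPLE-ADV-003", "pyyaml", "0", "5.1"),
]


def parse_version(version):
    """Turn '2.5.10.1' into a comparable tuple; non-numeric parts sort lowest."""
    return tuple(int(p) if p.isdigit() else -1 for p in version.split("."))


def is_affected(version, first_affected, fixed):
    """True when first_affected <= version < fixed, compared numerically."""
    v = parse_version(version)
    return parse_version(first_affected) <= v < parse_version(fixed)


def find_unpatched(inventory, advisories):
    """Return (location, component, version, advisory_id, fixed_version) for every
    inventoried instance that still sits inside an advisory's affected range.
    The same component is reported once per location, so no instance is missed."""
    findings = []
    for location, component, version in inventory:
        for adv_id, adv_component, first_affected, fixed in advisories:
            if component == adv_component and is_affected(version, first_affected, fixed):
                findings.append((location, component, version, adv_id, fixed))
    return findings


if __name__ == "__main__":
    for location, component, version, adv_id, fixed in find_unpatched(INVENTORY, ADVISORIES):
        print(f"{location}: {component} {version} affected by {adv_id}; upgrade to {fixed}")
```

Real ecosystems (Maven qualifiers, PEP 440 pre-releases, distro epochs) need their own version comparator in place of `parse_version`; the inventory-times-advisories loop is the part that carries over unchanged.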