Open Source Libraries & Security Vulnerabilities

What are open source libraries?  

In the modern software development environment, open source code is publicly accessible, meaning anyone can see, modify and distribute it. Over the past decade, open source code has become more and more popular. Today, it’s used by companies of all sizes across all industries. The use of open source libraries is set to continue to soar over the coming years, as nearly all modern applications are developed using them. In fact, 99% of codebases contain at least some open source components – an increase of 259% over the past 5 years. It’s so widespread that many code owners aren’t even aware of all the open source components in their platform.

Why are open source libraries used? 

The use of open source components in the SDLC provides lots of ways for developers to save time when coding specific features. This, in turn, saves their companies money. It’s easy to see why open source code has become the basis for software development and one of the driving forces of innovation. In high growth industries in particular, such as E-commerce and Enterprise Software/SaaS, the past year saw growth in the number of open source vulnerabilities.

What are the problems? 

Despite these clear advantages, there are significant risks that developers face by introducing third-party, open source code into their applications. Open source code often has vulnerabilities which can significantly impact an organisation’s platform and data. These security risks, known as open source vulnerabilities, are often vulnerable code that can expose the software to malicious cyberattacks. As the use of open source libraries grows, so too do the risks associated with using open source code.

How common is open source code? 

According to the 2020 OSSRA report, which examines the results of more than 1,250 audits of commercial codebases, 75% of audited codebases contained open source components with known security vulnerabilities. Due to the open source nature of these libraries, the details of these vulnerabilities are publicly available. This means those with malicious intent have all the necessary information to carry out an attack. Such attacks have incurred huge costs for organisations, particularly those in regulated industries, such as financial services.

The prevalence of open source components with security vulnerabilities is increasing year-on-year. Many open source components, security libraries and web frameworks contain vulnerabilities and most Fortune 500 companies have downloaded and built applications based on these components. At Quality Clouds, over 60% of our customers’ ServiceNow instances included open source libraries in their codebase. Concerningly, over 90% of these had security vulnerabilities.

What can I do about it?

Organisations therefore face major problems addressing the security risks posed by the use of open source libraries. One of the primary challenges is detecting and tracking them and their accompanying vulnerabilities. Organisations globally struggle to detect, track and manage their open source risks. There are many open-source and commercial solutions that have been developed to help organisations to maintain an accurate inventory of open source dependencies within their software platforms. Keeping these inventories up-to-date is one of the main challenges faced by organisations trying to decrease their open source risk. Organisations need a way to locate all instances of open source code in their environments, and to monitor this list continuously.

Similarly, one of the key challenges Quality Clouds customers face is opening the ‘black box’ of SaaS; that is, gaining full visibility of everything that’s installed across their instances. The Quality Clouds platform carries out fully-automated, scheduled scans of our customers’ instances. This provides a full inventory of the platform, continuously tracking and monitoring what open source dependencies are present. Our 2021 ServiceNow Development Report showed that a very sizable percentage of the instances Quality Clouds scan use at least one open source library, with jquery and AngularJS being the most popular.

Another concerning fact is that, in several instances, the managers were unaware which open source libraries were installed. Some managers mistakenly believing none were present in their platform. Using an external code library without knowledge is definitely a problem. One of the most important ways to mitigate the open source vulnerabilities is to carry out an inventory of what open source code you use. Then you can track the vulnerabilities that are associated with these libraries.

Conclusion

Ultimately, open source code is an effective way of saving time and effort developing functionality. What’s clear is that the use of open source libraries in the SDLC is here to stay. Platform owners need to be mindful of the vulnerabilities associated with open source libraries and take steps to mitigate against these risks. A proactive approach to open source vulnerabilities can go a long way. This ensures your organisation is ready to handle any open source security risks.

Are you confident that your ServiceNow or Salesforce platform doesn’t include open source library dependencies with security vulnerabilities?

Book a demo with Quality Clouds to find out how you can remain on top of the issue.