The Darker Side of Open Source Applications

By Venkatesh Sundar, CTO, Indusface

As the open source community continues to impact us in more ways than one, the influence is most likely to see an upward trend in the years to come. A staggering 60% of the websites today are part of the open source community.

The open source also provides a great platform to the consumers to use software without the hassle of obtaining a license and shelling out huge amounts of money to obtain them. A great example of an open source product is Libre Office.

Governments and Organizations are embracing the concept of Open Source Applications for the diverse and simplified solutions complemented by the cost effectiveness of the product. Experts believe that this is a dawning of a new era wherein the open source will be powering every giant corporation in the near future. With mobile, SaaS and Cloud, organizations will realize the ease of working on pre-existing codes and the advantage to fashion the same according to the requirements rather than starting from the scratch.

The Concern

Though none can deny the efficiency and the cost effectiveness of an Open Source Application, but the vast number of vulnerabilities that follow can’t be ignored either. An Open Source Application typically faces multiple vulnerability issues, no update or patch guarantee, minimal support, absent SLA and so on. 

Organizations tend to pick codes from an open source and then pilot the application according to the desired functionality, leaving room for a number of loopholes. Popular applications such as Zen Cart, WordPress and phpMYAdmin have had to face occasional cross site scripting issues in the past.

Moreover, the task of finding out vulnerabilities in an open source project is a gruesome task. Open source and in-house coders alike, are more involved the process of fixing the UI and UX bugs in order to enhance the functionality of the application rather than addressing the security issue. Also the shorter turnaround times and quick changes make the task more difficult

The Solution

Vulnerable web applications can have detrimental effects to the extent that it may not only compromise the organizations finances but also cause irreparable damage to the business process and the brand value. A severe data breach may lead to insecure customers questioning the entire security mechanism of the organization.

How does one address such issues then? Creating stringent open source usage policy along with app security testing seems to be the only logical solution.

1) Detection of Vulnerabilities

Regardless of the fact whether one has built a new application or has used unknown components in it, automated tools such as Web Application Scanner that detects and reports security loopholes come in handy when highlighting the vulnerabilities. Advanced options such as Dynamic Application Testing (DAST) that have been specifically designed to audit web applications and logically detect business vulnerabilities that cannot be detected through the automated tools are capable of penetrating the application manually and are backed by human intelligence greatly assisting in vulnerability detection.

2) Stipulate Adoption Policies

There is a growing need for the organizations of all statures to stipulate the adoption and usage policies of an open source web application and its components. Input and strong adherence of the set rules is important on the part of the management and the development.

3) Proactive Patching 

Developing patches continues to remain a major hindrance for most organizations. Research shows that on average most organizations take over 30 days to create patch for a single vulnerability. Websites remain vulnerable to data breaches during this period.

Although businesses are faced with the daily task of looking after other essential matters, rather than deploying every developer for a bug-fix race, it would be wise to patch vulnerabilities in real time with web application firewall. Unlike network layer firewalls, WAF’s have specially been created to safeguard the loopholes from attackers without any code change.

Companies across the globe have embraced WAF as the next layer of defense, which has the capacity to repair logical business flaws and restrict the attacks on basis of acceptable user behavior policies.

Intelligent Open Sourcing

Open source web applications are tools that can help an organisation save billions of dollars as well as provide diverse and simplified solutions. It has undeniably grown synonymous to coherence and flexibility, but the major loopholes that are accompanied with it need to be addressed too. Open source security is ultimately based on the measures an organization takes to safeguard the structure from risks and also the ability to reduce the attack attempts if the loopholes cannot be patched immediately.

Don't Miss ( 1-5 of 20 )