Open source software provides a unique set of security challenges. It’s one of the reasons that HP Fortify on Demand has partnered with Sonatype to help customers identify third-party and open-source software components, detect known vulnerabilities or license risk, and prioritize remediation. One thing that we believe at HP Enterprise Security is that no single tool will ever be able to solve all security challenges. Security needs to be a holistic process that utilizes as many sources of information as possible. This will be the first in a series of guest blog posts that details the relationship between HP Fortify on Demand and Sonatype, and how the partnership gives organizations an in-depth source of security intelligence to both identify and report on security vulnerabilities in widely used open-source software components.
While relying on open source software components is often the only way to get a project done, it can also come with significant security risks. Nothing illustrates the dangers of open source software quite like the Heartbleed vulnerability. At one point, it was estimated that 66% of web sites were impacted by this OpenSSL vulnerability. It’s not that there was significant active exploitation before the vulnerability details were released – research shows there wasn’t. However, it highlights the specific problem of communication. Open source developers have no way of knowing who is actually using their components. So when a vulnerability is discovered, details are released to both the attackers and security professionals at the same time (notwithstanding the few corporations like Facebook that got an early warning). That’s a recipe for disaster.
Obviously, that’s the most famous example of an open source software vulnerability. And while Heartbleed is still causing problems, what can arise from much smaller components can be just as troublesome, if not more so. At least with Heartbleed the issue was extremely well publicized. For smaller components, that might not be the case. That puts the burden squarely on security professionals to find and mitigate these vulnerabilities without relying on the developers of the components themselves. And that’s why we rely on Sonatype to help our customers stay protected.
About the Author
Mark Painter currently serves as a Security Evangelist for HP Enterprise Security Products. In this role, he is responsible for educating customers, security professionals, executives and other groups about the risks of security vulnerabilities and HP ESP security solutions. Mark has played an active role in the security industry since 2002, when he joined SPI Dynamics, a leading provider of web application security assessment software and services. Over the course of his career, he has been involved with product management and marketing, vulnerability research, and security blogging. You can follow his writing, security activities, and frequent travel via @secpainter.