Known Open Source Vulnerabilities in Reusable Software Components: a Golden Goose For Hackers

Why Open Source Components Might Be Hackers' Golden Goose

Hackers love a good puzzle. Hacker culture is rooted in finding ways to improve on code, and unravel challenges with innovative workarounds or alterations.

However, when it comes to the business of hacking a target, cyber criminals are all about finding the path of least resistance. As entry points like the network and endpoints have become increasingly hardened with stronger security, attackers continue to focus on the application layer as their preferred point of entry.

Applications are an enticing target for hackers since they act as the interface for accessing data in an organization’s backend which can then be used for fraud activities or sold on the dark web.

According to the Global Risk Management Survey, 84% of attacks target the application layer, taking advantage of vulnerabilities that are built into the code. This means that hackers do not have to go through the process of finding an employee who is willing to click on a phishing link. It is enough to know where to look for the vulnerability and to carry out the exploit to make the breach.

Embracing open source code reuse for better efficiency

Open source components, which make up between 60% and 80% of the code base in modern applications, are a favorite target for hackers. They are available for developers to add to their own code, contributing powerful features that they would otherwise have to write themselves. Reusable software components help to speed up the development process, giving development teams the ability to meet tight deadlines.

However, these reusable components taken from open source projects can also be risky if they are not managed properly, with developers checking that they are free of known vulnerabilities. When security researchers in the open source community discover vulnerabilities, they are published in a variety of security advisories and databases such as the National Vulnerability Database. These entries include information about which versions of a component are vulnerable and how the vulnerability can be exploited.

Despite all the hype surrounding 0-day exploits, hackers far and away prefer targeting open source components with known vulnerabilities, because they can simply follow these security resources to get a list of what to target and how to carry it out.

Hackers know that a single open source component can be reused by millions of developers, and when a vulnerability is disclosed, they will probe thousands of different applications to find the organization that has been too slow to patch. Code reuse can be a kind of “Golden Goose” for hackers, giving them exploits that can be used to breach multiple targets, which can make for a serious payday if they are able to steal credit card numbers or other personally identifiable information (PII).

One of the most famous cases of such targeting of a vulnerable open source component is the Equifax hack, which occurred back in September of 2017. Hackers targeted the credit rating agency’s web portal, which was running a vulnerable version of Apache Struts 2, one of the most popular reusable software components for building applications, and stole the PII of over 145.9 million people.

How to manage reusable software components securely

Reusable components are a core part of software development that organizations must manage if they hope to keep their applications and data secure. This means using the right tools to make sure that developers are not using components with known vulnerabilities that can be easily exploited. Unfortunately, tools like Static Application Security Testing (SAST) do not cover open source components.

Only Software Composition Analysis (SCA) tools have the capacity to continuously monitor and alert on vulnerable open source components, giving development and security teams the ability to always know which open source components they have in their environment and products. This visibility is essential when dealing with reusable components, since it allows teams to identify the reusable software components that come from open source projects in real time and match them against the vulnerability information from the different security resources.

Automation is another key feature of an advanced SCA tool, giving admins the power to set policies for which severity levels they are willing to allow, which require permission to use, and which should be blocked from entry. Automating this process helps to reduce friction between development and security teams, catching risky code early to avoid more costly tear-and-replace operations before a release.
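The two steps just described, matching an application's component inventory against published vulnerability data and then applying a severity-based policy, are easy to see in miniature. The following is an added illustration, not Mend.io's product or code: it parses a constructed requirements-style manifest, checks each pinned version against a constructed advisory feed (placeholder advisory identifiers, not real CVE numbers, with made-up introduced/fixed version ranges), and applies a sample allow / require-approval / block policy to produce a build gate decision.

```python
"""Toy Software Composition Analysis (SCA) policy gate.

Added illustration, not Mend.io's product or code. The manifest, the
advisory feed and the policy below are constructed sample data; the
advisory identifiers are placeholders, not real CVE numbers.
"""
from dataclasses import dataclass

# Constructed manifest in requirements.txt style (sample data, not real).
SAMPLE_MANIFEST = """\
# constructed sample manifest
web-framework==4.1.2
json-parser==1.4.0
tiny-logger==0.9.2
"""

# Constructed advisory feed, modelled loosely on the fields an NVD-style
# entry exposes: the affected version range and the first fixed version.
# Severity strings follow the usual CVSS qualitative scale.
SAMPLE_ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-001", "package": "web-framework",
     "introduced": "4.0.0", "fixed": "4.1.3", "severity": "critical"},
    {"id": "ADV-PLACEHOLDER-002", "package": "json-parser",
     "introduced": "1.0.0", "fixed": "1.5.0", "severity": "medium"},
    {"id": "ADV-PLACEHOLDER-003", "package": "tiny-logger",
     "introduced": "0.9.0", "fixed": "0.9.1", "severity": "low"},
]

# Sample policy: which severities are allowed, need approval, or are blocked.
SAMPLE_POLICY = {
    "critical": "block",
    "high": "block",
    "medium": "require-approval",
    "low": "allow",
}


def parse_version(v):
    """Turn '2.3.31' into (2, 3, 31) so versions compare numerically.
    String comparison would wrongly rank '2.3.31' below '2.3.4'."""
    return tuple(int(part) for part in v.split("."))


def parse_manifest(text):
    """Extract (name, version) pairs from pinned 'name==version' lines."""
    deps = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "==" not in line:
            continue
        name, version = line.split("==", 1)
        deps.append((name.strip(), version.strip()))
    return deps


def is_affected(version, advisory):
    """A version is affected if introduced <= version < fixed (half-open)."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


@dataclass
class Finding:
    package: str
    version: str
    advisory_id: str
    severity: str
    fixed_in: str
    decision: str


def scan(manifest_text, advisories, policy):
    """Match every pinned dependency against the feed and apply the policy.
    An unknown severity falls through to 'block' so the gate fails closed."""
    findings = []
    for name, version in parse_manifest(manifest_text):
        for adv in advisories:
            if adv["package"] == name and is_affected(version, adv):
                decision = policy.get(adv["severity"], "block")
                findings.append(Finding(name, version, adv["id"],
                                        adv["severity"], adv["fixed"], decision))
    return findings


def gate(findings):
    """Overall build decision: any 'block' fails, any approval request holds."""
    decisions = {f.decision for f in findings}
    if "block" in decisions:
        return "fail"
    if "require-approval" in decisions:
        return "hold"
    return "pass"


if __name__ == "__main__":
    results = scan(SAMPLE_MANIFEST, SAMPLE_ADVISORIES, SAMPLE_POLICY)
    for f in results:
        print(f"{f.package}=={f.version}: {f.advisory_id} ({f.severity}) "
              f"-> {f.decision}; fixed in {f.fixed_in}")
    print("gate:", gate(results))
```

On the constructed data, the framework pin falls inside a critical advisory range and is blocked, the JSON parser falls inside a medium range and is held for approval, and the logger is already past its fixed version and produces no finding, so the gate fails. Two design points carry over to a real SCA setup: compare versions numerically rather than as strings, and let unrecognised severities fail closed rather than slip through as allowed.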

No more free lunches for hackers

Open source code reuse is a valuable tool that lets developers build on the work of others in the community, allowing them to focus on the proprietary parts of their code. Software Composition Analysis tools allow developers to choose components that are secure and meet their license policies, shifting left their security and compliance to give developers more ownership over the code.

As the rate of application development continues to rise at a rapid pace, organizations’ dependence on open source components will only increase, and hackers will have even more targets to try and breach.

By avoiding risky components, developers can stay a step ahead of cyber criminals, fixing their applications when new vulnerabilities are discovered and denying hackers the low-hanging fruit that they would otherwise be able to pick from unpatched systems.
