Open Source Software Security Risks: 3 Open Source Security Risks and Their Solutions
Open source software is very popular and makes up a significant portion of business applications. According to , 99% of commercial databases contain at least one open source component, and nearly 75% of those codebases contain open source security vulnerabilities.
One of the major reasons why companies and developers choose to work with open source software is that it saves them from having to develop the base capabilities themselves.
Oh, and open source software is free!
Despite its advantages, open source software tends to have vulnerabilities that might impact your data and your organization. To give you an overview of how open source security risks can affect your business, we have listed the top three open source security risks and ways to address them.
Before we dive into the article, let's take a look at what exactly open source vulnerabilities are.
What Are Open Source Vulnerabilities?
Open source vulnerabilities are, put simply, security risks in open source software. They are weaknesses in the code that allow attackers to carry out malicious attacks or perform unintended actions that were never authorized.
In some cases, open source vulnerabilities can lead to cyberattacks such as denial of service (DoS). They can also cause major breaches during which an attacker might gain unauthorized access to an organization's sensitive information.
There are a lot of security concerns when it comes to open source software. For instance, OpenSSL is an encryption library responsible for managing highly sensitive data transmission functions for a wide variety of internet-connected software, including the software that runs some of the most popular email, messaging, and web services.
You remember "Heartbleed"? Yes, that caused quite a stir! Yes, that was a critical open source vulnerability in an SSH library.
Similarly, another well-known open source vulnerability was found in 2014 in the Bash shell, the default command processor on many Linux distributions. It had an arbitrary command execution vulnerability that could be exploited remotely via server-side CGI scripts on web servers and through other mechanisms. This open source vulnerability is popularly known as "Shellshock."
What Are the Top 3 Open Source Security Risks?
Now that you have a fair idea of what open source security risks are, let's explore the top three open source security risks that exist today and how you can mitigate them.
Software Security Risks
Once discovered, open source vulnerabilities can be a tempting target for attackers to exploit.
Typically, open source vulnerabilities and the details of how to carry out the exploit are made publicly available. This gives attackers all the information they need to carry out an attack. Combine this with the widespread use of open source software, and you can imagine the havoc an open source vulnerability creates once it is found.
One of the major challenges organizations face while addressing open source vulnerabilities is that tracking them and their fixes isn't as easy as one might assume.
Since open source vulnerabilities are published across a wide variety of platforms, it becomes difficult to track them. Also, locating the updated version, patch, or fix that addresses the security risk is a time-consuming and expensive process.
Once an open source vulnerability and its path of exploitation are published, it's just a matter of time until attackers exploit it and break into your organization. It is imperative that businesses integrate the necessary tools and processes to address open source vulnerabilities quickly.
Publicity of Exploits
Open source vulnerabilities are made publicly available on platforms like the , which anyone can access.
A famous example of an attack enabled by a publicly known open source vulnerability was the major in 2017, in which the credit reporting company leaked the personal information of 143 million people. The attack took place because Equifax was using a version of the open source Apache Struts framework that had high-risk vulnerabilities, and attackers used that vulnerability to their advantage.
Such attacks on open source software not only cause data leakage or loss but also damage a company's market reputation, valuation, and customer relationships. This, in turn, can affect your customer churn rate, retention rate, sales, and revenue. Dealing with the impact of a breach caused by open source vulnerabilities can be a lengthy and painful process.
Licensing Compliance Risks
Open source software comes with a license that allows the source code to be used, modified, or shared under defined guidelines. However, the problem with these licenses is that most of them don't meet the stringent OSI and SPDX definitions of open source.
In addition, a single proprietary application often includes several open source components, and those projects are released under various license types, such as the GPL, the Apache License, or the MIT License.
Organizations are required to comply with each individual open source license, which can be quite overwhelming, especially given the rapid development and release cycles businesses follow and the fact that 200+ open source license types exist today.
A of 1,253 applications found that about 67% of codebases had license conflicts and 33% of codebases had unlicensed software. Non-compliance with licenses can expose enterprises to the risk of legal action, affecting your operations and financial security.
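The license audit described above, as an added example (not code from the article or from any vendor it names): it walks a constructed component inventory, categorises each declared SPDX license under a constructed policy table, flags unlicensed components and strong-copyleft components whose obligations apply under the chosen distribution model, and checks for the one pairwise incompatibility the policy knows about. The component names and the policy tables are assumptions made for the example; the categorisation is a simplification of real license obligations.

```python
"""License compliance audit over an open source component inventory.

Added illustration, not code from the article. The inventory and the policy
tables are constructed; license names are SPDX identifiers, and the
categorisation is a simplification of real license obligations.
"""
from typing import Dict, List, Optional

# Constructed inventory: component -> declared SPDX license, None if no
# license file or header could be found.
INVENTORY: Dict[str, Optional[str]] = {
    "http-client": "Apache-2.0",
    "json-parser": "MIT",
    "pdf-renderer": "GPL-2.0-only",
    "net-utils": "LGPL-2.1-only",
    "legacy-widget": None,
    "metrics-agent": "AGPL-3.0-only",
}

# Policy tables (constructed for the example). Strong copyleft licenses
# require releasing the source of the combined work; weak copyleft ones
# limit the obligation to the component itself; permissive ones impose
# only attribution-style conditions.
STRONG_COPYLEFT = {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only",
                   "GPL-3.0-or-later", "AGPL-3.0-only", "AGPL-3.0-or-later"}
WEAK_COPYLEFT = {"LGPL-2.1-only", "LGPL-2.1-or-later", "LGPL-3.0-only", "MPL-2.0"}
PERMISSIVE = {"MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0", "ISC"}

# Pairs that cannot be combined in one distributed work. The FSF lists
# Apache-2.0 as incompatible with GPLv2 (it is compatible with GPLv3).
INCOMPATIBLE_PAIRS = [frozenset({"Apache-2.0", "GPL-2.0-only"})]


def categorise(spdx: Optional[str]) -> str:
    """Map a declared license onto the policy categories above."""
    if spdx is None:
        return "unlicensed"
    if spdx in STRONG_COPYLEFT:
        return "strong-copyleft"
    if spdx in WEAK_COPYLEFT:
        return "weak-copyleft"
    if spdx in PERMISSIVE:
        return "permissive"
    return "unknown"


def audit(inventory: Dict[str, Optional[str]],
          model: str = "distributed-binary") -> List[dict]:
    """Return one finding per compliance problem.

    model is 'distributed-binary' (the application ships to customers, so
    GPL-family distribution clauses apply) or 'network-service' (hosted only;
    GPL distribution clauses are not triggered, but AGPL's network clause is).
    """
    findings = []
    for name, spdx in inventory.items():
        cat = categorise(spdx)
        if cat == "unlicensed":
            findings.append({"component": name, "license": spdx,
                             "issue": "no license declared",
                             "action": "obtain a license from upstream or remove"})
        elif cat == "unknown":
            findings.append({"component": name, "license": spdx,
                             "issue": "license not covered by policy",
                             "action": "send to legal review"})
        elif cat == "strong-copyleft":
            triggered = model == "distributed-binary" or spdx.startswith("AGPL")
            if triggered:
                findings.append({"component": name, "license": spdx,
                                 "issue": "copyleft obligations apply to the combined work",
                                 "action": "replace the component or release source"})
    if model == "distributed-binary":
        present = {spdx for spdx in inventory.values() if spdx}
        for pair in INCOMPATIBLE_PAIRS:
            if pair <= present:
                a, b = sorted(pair)
                findings.append({"component": "*", "license": f"{a} + {b}",
                                 "issue": "incompatible licenses in one work",
                                 "action": "isolate or drop one of the components"})
    return findings


def summary(inventory: Dict[str, Optional[str]], findings: List[dict]) -> dict:
    """Headline numbers of the kind license audits report."""
    flagged = {f["component"] for f in findings if f["component"] != "*"}
    return {"components": len(inventory), "flagged": len(flagged),
            "unlicensed": sum(1 for v in inventory.values() if v is None)}


if __name__ == "__main__":
    results = audit(INVENTORY)
    for f in results:
        print(f"{f['component']:<14} {f['license'] or '-':<26} {f['issue']} -> {f['action']}")
    print(summary(INVENTORY, results))
```

Running it as a distributed product flags the GPL and AGPL components, the unlicensed one, and the Apache-2.0/GPL-2.0 combination; switching the model to a hosted service drops the GPL findings but keeps the AGPL one, which is the distinction a policy table has to encode rather than treating all copyleft as equal.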
How Can You Beat the Open Source Security Risks?
Next, let's take a closer look at the solutions to these open source security risks.
Build a Security-First Culture
Too often, developers choose open source components based only on the functionality and programming language they need. While functionality is important, other criteria should also be considered.
For instance, an individual component of a project may offer the functionality you need without requiring you to integrate the entire project codebase. This helps limit the amount of open source software you depend on, simplifies integration, removes security risks, and reduces source code complexity, including that of components you never required.
Open source software is just as likely to have security risks as any other software, so each component you choose to work with must both provide the functionality you need and be secure.
In addition, open source projects are usually focused on delivering new updates with new features for end users. Due to time and budget constraints, enterprises pay less attention to security and are more inclined to release the update as quickly as possible.
However, companies should maintain a balance between shipping new releases and ensuring that the design, implementation, and code are secure.
One of the most important things you can do is to inventory the open source software you use and track the vulnerabilities associated with those libraries.
Embrace Automation and Scanning for Vulnerabilities in Open Source Software
Finding and fixing vulnerabilities in open source software is a big challenge in itself. Companies need a way to detect all security vulnerabilities in the open source code in their environments, update that list regularly, steer developers away from old, insecure software components, and finally deploy patches whenever security vulnerabilities are found.
One way to combat this is to incorporate automated tools that continuously track your open source usage and identify security weaknesses, vulnerabilities, fixes, and updates.
Automation tools for open source software help identify which packages are used in which projects, what security vulnerabilities they contain, and how they can be fixed. The tools often come with alerting features as well: if a vulnerability is discovered, notifications are sent to the relevant development and security teams to alert them to the newly found security risk.
Integrating automated scanning for security vulnerabilities in open source software is especially important for large organizations, since it can be difficult to track and identify vulnerabilities across all of the source code they have in use.
Most enterprises are not even aware of their full inventory of applications, which makes them more vulnerable to cyberattacks through unidentified vulnerabilities in their source code. A report says nearly have open source components with no development activity at all in the last two years.
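The inventory-and-scan loop the two sections above describe, as an added example (not code from the article or from any scanning product): parse a pinned dependency manifest into an inventory, match each component against a list of advisories with affected version ranges, report the fix version to upgrade to, and separately flag components with no recorded development activity in the last two years. The manifest, the advisory records (their identifiers are placeholders, not real advisory IDs), and the last-activity dates are all constructed for the example; a real pipeline would pull advisories from a vulnerability feed and activity data from the project's repository.

```python
"""Minimal open source inventory scan: match pinned dependencies against an
advisory list and flag unmaintained components.

Added illustration, not code from the article or any vendor. The manifest,
the advisory records and the activity dates are constructed for the example.
"""
from datetime import date
from typing import Dict, List, Tuple

# Constructed manifest in requirements.txt style (name==version).
MANIFEST = """\
# web tier
webframework==2.3.1
template-engine==1.8.0
# data tier
db-driver==0.9.4
crypto-helper==4.2.0
"""

# Constructed advisories; the ids are placeholders, not real advisory IDs.
# Affected range is [introduced, fixed): the fix version itself is clean.
ADVISORIES = [
    {"id": "ADVISORY-0001", "package": "webframework",
     "introduced": "2.0.0", "fixed": "2.3.2", "severity": "critical"},
    {"id": "ADVISORY-0002", "package": "crypto-helper",
     "introduced": "4.0.0", "fixed": "4.1.5", "severity": "high"},
    {"id": "ADVISORY-0003", "package": "db-driver",
     "introduced": "1.0.0", "fixed": "1.0.3", "severity": "medium"},
]

# Constructed "last commit" dates standing in for project activity metadata.
LAST_ACTIVITY = {
    "webframework": date(2024, 5, 1),
    "template-engine": date(2021, 2, 14),
    "db-driver": date(2023, 11, 30),
    "crypto-helper": date(2024, 1, 9),
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.10.0' into (2, 10, 0) so versions compare numerically, not as
    strings (where '2.10.0' would wrongly sort below '2.3.2'). Real schemes
    such as PEP 440 need a proper parser; dotted integers suffice here."""
    return tuple(int(part) for part in v.split("."))


def parse_manifest(text: str) -> Dict[str, str]:
    """Read 'name==version' lines, skipping comments and blank lines."""
    deps: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, version = line.split("==", 1)
        deps[name.strip().lower()] = version.strip()
    return deps


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def find_vulnerable(deps: Dict[str, str], advisories: List[dict]) -> List[dict]:
    """One finding per advisory whose package is installed in an affected version."""
    findings = []
    for adv in advisories:
        version = deps.get(adv["package"])
        if version is None:
            continue  # not in the inventory, nothing to alert on
        if is_affected(version, adv["introduced"], adv["fixed"]):
            findings.append({"package": adv["package"], "installed": version,
                             "advisory": adv["id"], "severity": adv["severity"],
                             "upgrade_to": adv["fixed"]})
    return findings


def find_stale(deps: Dict[str, str], activity: Dict[str, date],
               today: date, max_idle_days: int = 730) -> List[str]:
    """Components with no recorded activity inside the window (two years by
    default); a component with no activity record at all is also reported."""
    stale = [name for name in deps
             if name not in activity or (today - activity[name]).days > max_idle_days]
    return sorted(stale)


def scan(manifest_text: str, advisories: List[dict],
         activity: Dict[str, date], today: date) -> dict:
    deps = parse_manifest(manifest_text)
    return {"vulnerable": find_vulnerable(deps, advisories),
            "stale": find_stale(deps, activity, today)}


def run_example() -> dict:
    """Scan the constructed inventory as of a fixed date so results are stable."""
    return scan(MANIFEST, ADVISORIES, LAST_ACTIVITY, date(2024, 6, 1))


if __name__ == "__main__":
    report = run_example()
    for f in report["vulnerable"]:  # these are the lines an alerting hook would send
        print(f"[{f['severity']}] {f['package']} {f['installed']} affected by "
              f"{f['advisory']}; upgrade to {f['upgrade_to']}")
    for name in report["stale"]:
        print(f"[stale] {name}: no development activity in the last two years")
```

Two details matter in practice: versions must be compared numerically (a string comparison would place 2.10.0 below 2.3.2 and miss or misreport findings), and the fix version is excluded from the affected range, so a component already on the patched release produces no alert. The stale check has no advisory behind it; it surfaces components nobody is maintaining, which is where the next unpatched vulnerability tends to sit.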
Cross-Train Your Staff
It's not always easy, or even possible, to hire professionals who are experts in both development and security. It is, however, possible to train your teams so that they can approach issues from both ends. While it isn't always easy to hold regular cybersecurity awareness training for different teams, it's critical for the overall security of your projects.
Enterprises should ensure that their developers have a general understanding of cybersecurity, as well as of the latest trends and updates. Your developers should be able to identify common security issues that arise in open source code, if not fix them.
Similarly, the security team should be involved in the development process from the early stages. Rather than making security an afterthought, it should be a priority from the very beginning of a project.
Just as you analyze and track your development process, you should proactively monitor your security efforts as well. Taking a proactive approach goes a long way toward being prepared to handle open source security risks.
Final Thoughts
Open source is an excellent model that can be found in many of today's projects. However, to ensure secure open source code, you need to acknowledge the security risks that come with open source software. You have to make sure that each of your open source components delivers value to the project and is secure.
Cypress Data Defense helps companies run security audits and strengthen the overall security of their projects by recommending the best security practices.
We help enterprises create a roadmap for releasing secure updates and provide open source support, scanning, monitoring, and solutions to safely and effectively leverage open source software. With Cypress Data Defense, organizations can gain the necessary control over their open source components to mitigate open source security risks while increasing their cost savings.
About the Author:
Steve Kosten is a Principal Security Consultant at and an instructor for the SANS DEV541 Secure Coding in Java/JEE: Developing Defensible Applications course.