This year has been the best of times and the worst of times for open source code and security.
On the one hand, the latest survey by Black Duck Software and North Bridge Venture Partners shows that 72 percent of industry professionals prefer open source software because it's more secure than proprietary solutions.
On the other hand, Heartbleed exposed a security flaw in the widely-used, open source OpenSSL encryption tool that affected more than half a million websites. Also this spring, TrueCrypt unexpectedly shut down, citing “unfixed security issues” on its SourceForge page, and a critical bug in Linux, GnuTLS, was finally exposed after having been undiscovered for more than 10 years.
Open source software is widely used in business – in webservers running Linux and Apache, in databases, in the Android operating system, in code libraries used by enterprise developers, and embedded into commercial software packages.
Avoiding open source completely is not an option, but blindly trusting the open source community to fix all mistakes is also problematic.
One solution is to use automated code-scanning tools to scan code for known vulnerabilities and common programming errors. Fortunately, the automated tools are getting better every year.
Trust, but verify
Over the past few years, more than 5,000 security vulnerabilities have been found in open source code, according to the National Vulnerability Database.
Ideally, a company would check each of these vulnerabilities against the open source software packages it uses, plus against the open source software used inside commercial packages, and even against pieces of code that their own programmers copied off the Internet.
“The reality is that developers every day cut-and-paste code from open source projects,” said Dave Gruber, VP of product management at Black Duck Software.
And large organizations are adding new open source software to their environments all the time, meaning that vulnerability checking has to be an on-going process.
“For organizations that do that manually, it gets very overwhelming very quickly,” said Gruber.
Black Duck Software, in addition to running an annual survey about how companies use open source, also offers software scanning tools that help companies find all the open source software, components, and even snippets that they are using, and then check them against the list of known vulnerabilities.
Its 1,400-plus customers include 27 of the Fortune 100, six of the top 10 investment banks, and seven of the top ten software companies. The company currently has more than a million open source projects in its database, Gruber said.
“We track all the major open source forges in the world,” he said.
Find new bugs before they bite
Finding and patching known vulnerabilities is important and is a critical first step to securing open source software.
But what about the unknown vulnerabilities? There are tools to help with that, as well.
One such tool is the Application Intelligence Platform from New York-based CAST, which can scan software for bugs and vulnerabilities and point out where the problems are located.
“In average application, there are 100 to 120 security vulnerabilities that we find,” said Lev Lesokhin, senior vice president at CAST.
Common problems include SQL injections, where a hacker trying to break into an application will enter a database query instead of the requested data. This technique isn't anything new.
“But it's still the most common way that criminals get into the system,” said Lesokhin.
According to the latest Verizon Breach Report, released in April, SQL injections were used in 80 percent of attacks against Web applications.
“One of the myths of open source software is that there are millions of eyeballs looking at the source code and fixing it,” he said. “But that's true of only very few open source projects. The rest of it – someone wrote something and put it out on open source.”
It might have been written by an amateur, or someone who's moved on to something else and is no longer maintaining the software.
But it still could be useful code that could save a company developer hours, days, or even weeks of work.
“Any component you can think of, there's an open source example out there that you can reuse,” said Lesokhin.
But one company is taking its code scanning technology right to the source – to the open source projects themselves, that is. And since these projects are typically not well funded, the technology is available for free.
It's called Coverity Scan, and is provided in the cloud by San Francisco-based Coverity, Inc. It scans software for all the common types of security problems, including buffer overflows, cross-site scripting, insecure data handling, SQL injections, security misconfigurations, and illegal access to memory.
It originally began in 2006 as a public-private research project between Coverity and the U.S. Department of Homeland Security, and has been used to analyze some of the most important C and C++ open source projects, including Linux, Apache, PHP and PostgreSQL. Last year, Coverity Scan was expanded to include Java as well.
“They get the same platform as our customers get, but in the cloud,” said Zack Samocha, the company's senior director of products.
The last few months have been hard for open source projects from a security perspective, he said.
“The Heartbleed issue was huge,” he said.
However, there was a silver lining. The high-profile security problems drew attention to the need for better security screening of open source software.
“Over 400 new projects signed up for Coverity scans after the awareness of that issue,” he said. “The open source community is maturing, and understands the need for these kinds of tools to be successful. They are making more sure that the quality is better and that the security is better.”
Coverity now scans more than 2,200 different open source projects, he said.
In April, Coverity released a report that analyzed code from more than 700 C and C++ projects, in addition to a sample of Java projects and anonymous enterprise projects – a total of more than 750 million lines of code. The analysis showed that, for the first time since the company began running the scans eight years ago, the quality of open source code has surpassed proprietary code.
Part of it may be due to the increased emphasis on fixing coding problems by the open source projects themselves. Linux, for example, has used the Coverity scans to reduce the average time it takes to fix a newly discovered defect from 122 days to just six days
Coverity is also used by companies internally. Customers include major brands like SAP, Air France, Comcast, Barclays, as well as nine of the top ten software companies and seven of the top ten aerospace companies.
“The amount of source code is rapidly increasing in size and yet we are maintaining consistent quality,” said Yoshinori Tsujido, staff manager for Mitsubishi Electric Sanda Works, in a statement. “I don’t know where we would be now if we didn’t use Coverity.”
According to IDC projections, the worldwide software quality analysis market exceeded $500 million in 2013, and will grow to $906 million in revenues by 2017, a compound annual growth rate of more than 15 percent.
“In the face of increasing numbers of highly public failures of business-critical systems, the urgency of attending to software quality analysis has never been more obvious,” said IDC analyst Melinda Ballou in a statement. “The crying need to improve corporate and developer hygiene in this area is clear.”
This story, "Tools catch security holes in open source code" was originally published by CSO.