'Set it and forget it' attitude to open-source software has become a major security problem, says Veracode

There's a minefield of security problems bubbling under the surface of modern software, Veracode has claimed in its latest report, thanks to developers pulling third-party open-source libraries into their code bases – then never bothering to update them again. "The vast majority of today's applications use open source code. …

  1. Lorribot

    With Windows you have a centrally managed OS, but many people install the odd utility or find stuff packaged in by the main software and hidden in the application's main program folder (Java, Tomcat, Python, WinRAR, 7-Zip, a Chrome add-on from the store because it synced your profile....) then completely forget about it and never update it or don't update the application. So when you have this mentality applied to an OS you are so going to land in the brown smelly stuff at some point.

    Without a mechanism to maintain all these odd bits of stuff and libraries etc. and some decent reporting tools you have not got a hope.

    Companies don't understand that just because Linux is free to install, no OS is free to manage and maintain. Linux is probably more complex in this regard than Windows or other Unix-type OSes as it is so customisable and the installable applications often have many open source components that you need to keep on top of.

    1. Anonymous Coward

      I find keeping a Linux system up to date not really a challenge as package managers do a good job of picking up and installing updates.

    2. Halfmad

      This is just vulnerability management though, doesn't matter what OS or application it is - the same methodology can work fine.

      It's not even a Windows V Linux discussion point tbh.

      1. Yet Another Anonymous coward Silver badge

        >doesn't matter what OS or application it is

        Except a Linux open source application is more likely to link to a system shared library which will get security updates.

        How often do you go through all the closed source commercial apps on Windows to check what static libs they were built with and what vulnerabilities those have?

        1. Anonymous Coward

          I don't. I use a management suite to do it for me.

    3. Charlie Clark Silver badge

      FreeBSD has had update services for decades. It also, handily, has always separated the OS from "userland" meaning that the OS happily chugs along with only necessary updates and is less likely to be brought down by various userland packages.

  2. Anonymous Coward

    At work, we recently made a stronger commitment to ship new releases with no known vulnerabilities. After the first release had gone out, I scratched beneath the surface (I didn't do this earlier because I'm in support, not development) and then had to break the disappointing news that there were quite a few old copies of OpenSSL lurking around that they had simply been unaware of. The good news is this was taken very seriously and we're now ensuring we have even more thorough scans to catch this in future.

  3. Anonymous Coward

    Attitude

    Set it and forget it is an attitude that goes well beyond open source.

    How many Oops moments that ElReg has reported on can be summarized as 'this changed but we forgot to change that'?

  4. Claverhouse Silver badge

    The Solution is Simple for Those who Mislike Open Source

    Just don't use it.

    1. Snake Silver badge

      Re: The Solution is Simple for Those who Mislike Open Source

      Open source is not the problem, the belief that open source is an ultimate solution is. If "Linus' Law" was real, then Shellshock and iSCSI, et al, wouldn't have happened.

      https://www.csoonline.com/article/2689233/shellshock-proves-open-source-many-eyes-wrong.html

      The problem is the attitude taken by all too many F/OSS advocates that theirs is the better solution simply because it IS open source. As the linked article, and the actual discoveries of long-standing vulnerabilities, prove, one must make belief and words congeal into demonstrable actions; it is not enough to say the security model is better if no one is actually doing the auditing on the ground, under the belief that everyone *else* is taking care of your problems.

      This post won't be popular, but it is true. OSS is still finding vulnerabilities that should have been discovered long ago under the belief system forwarded by Linus' remark. Yet, here we are.

      1. Adelio

        It is not just open source

        Even in the proprietary world there can be issues.

        We started a project with VB .NET 2 and used some third party controls.

        Two years later we are still developing it, not released and everything is out of date. .net 3, new version of the controls. Thing is change anything and there is no guarantee it will all still work.

        It requires more work to validate the new versions, that all takes time...

        1. bombastic bob Silver badge

          Re: It is not just open source

          Python tries to solve the "3rd party component" problem with pip and virtual python environments.

          It does not always work, however... (my experience dealing with Django a few years ago proves this)

          [I had to mirror a broken Django system onto multiple Linux platforms in order to fix it, and the "bleeding edge" version of some things just outright failed on some systems, but worked on others. Go fig.]

          1. Anonymous Coward

            Re: It is not just open source

            The problem with venvs is they don't get automatically updated. Especially when people create them copying Python executables to avoid changes. And anyway they are stuck in the version of Python you create them from.

            Venvs are just a workaround to solve the "modules hell" that Python was able to make even worse than Windows "DLL hell".

            Moreover, even with pip many people fix a library version because many break backward compatibility as they like.
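As an added illustration of the pinning problem raised in this comment (example code of my own, not from the original post or from pip): a small audit of a requirements file that reports specifiers which float (so the installed version depends on when the venv was built) and pins that sit below a "fixed-in" version. The requirements text and the fixed-in table are constructed placeholders, not real advisory data; a real run would take them from your advisory feed and your repository.

```python
"""Audit pinned Python requirements against a fixed-in version table.

Added example for this thread; not from the original post.  All data below is
CONSTRUCTED for illustration and is not real advisory information.
"""
import re

# Constructed sample requirements.txt content (assumes the simple '==' pin style).
SAMPLE_REQUIREMENTS = """\
# pinned long ago and never revisited
Django==2.2.4
requests==2.25.1
pyyaml>=5.1
cryptography==3.4.8
"""

# Constructed "minimum version carrying the fix" table: placeholder values only,
# NOT taken from any advisory database.
FIXED_IN = {
    "django": "2.2.28",
    "requests": "2.31.0",
    "cryptography": "41.0.0",
}

NAME_RE = re.compile(r"[A-Za-z0-9_.-]+")
PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*(==|>=|~=|<=|!=|<|>)\s*([0-9][0-9A-Za-z.]*)")


def parse_version(v):
    """Turn '2.2.28' into (2, 2, 28); a non-numeric segment compares as 0."""
    parts = []
    for seg in v.split("."):
        m = re.match(r"\d+", seg)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def version_lt(a, b):
    """True when version string a sorts before b (missing segments count as 0)."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    return pa + (0,) * (n - len(pa)) < pb + (0,) * (n - len(pb))


def parse_requirements(text):
    """Yield (name, operator, version) per requirement line, ignoring comments."""
    pins = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = PIN_RE.match(line)
        if m:
            pins.append((m.group(1).lower(), m.group(2), m.group(3)))
        else:
            # bare name with no specifier at all: resolves to "latest" at install time
            name = NAME_RE.match(line)
            if name:
                pins.append((name.group().lower(), "", ""))
    return pins


def audit(text, fixed_in=FIXED_IN):
    """Return (name, pinned_version, reason) for every requirement needing attention."""
    findings = []
    for name, op, ver in parse_requirements(text):
        if op != "==":
            # floating specifier: what you get depends on when the venv was created
            findings.append((name, ver, "unpinned"))
            continue
        fix = fixed_in.get(name)
        if fix and version_lt(ver, fix):
            findings.append((name, ver, f"below fixed-in {fix}"))
    return findings


if __name__ == "__main__":
    for name, ver, reason in audit(SAMPLE_REQUIREMENTS):
        print(f"{name:<14} {ver or '-':<10} {reason}")
```

The point of the "unpinned" finding is the one made above: a `>=` or bare requirement in a venv is only as current as the day the venv was built, so it needs the same review as a stale pin.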

        2. Potemkine! Silver badge

          Re: It is not just open source

          with VB .net

          The original sin lies here.

      2. Anonymous Coward

        Re: The Solution is Simple for Those who Mislike Open Source

        The real problem is using code and expecting not to ever have to maintain it. If corporate use of open source was done even reasonably, they would allocate developers to track external code and even push patches upstream when possible.

        This feedback loop is how open source works, not "use it because it's free, then blame the project for your unmaintained copy".

        1. AntoniaChristina

          Re: The Solution is Simple for Those who Mislike Open Source

          So, isn't that the nature of the corporate beast? Stretching staff too thin, and telling them to drop patching because there are better things to do, and it could break something. Honestly, anyone in IT for over 10 years could see this coming.

      3. Anonymous Coward

        Re: The Solution is Simple for Those who Mislike Open Source

        This is a problem of software development in general. Using a proprietary 3rd party library is a "here be dragons" affair: has the provider audited their code? Probably not. Do they care? Probably not. The same might equally be true for the OSS code too.

        Linus' point is still true: many eyes make all bugs shallow. Problem is you seldom have many eyes, and considering software is a constantly moving target it's not surprising bugs get missed or vulnerabilities are not found. Only an idiot checks their own work, after all, but sometimes there's no other way (sadly). At least with open source, should you want to, you can test it; as time is the enemy we don't bother.

    2. richardcox13

      Re: The Solution is Simple for Those who Mislike Open Source

      Do you think commercial components get regularly updated?

      1. damiandixon

        Re: The Solution is Simple for Those who Mislike Open Source

        From my experience most commercial libraries don't get updated either and given that you can't see the source you can't check nor fix either...

        1. Anonymous Coward

          Re: The Solution is Simple for Those who Mislike Open Source

          Most commercial libraries are regularly updated - but not all the updates may be free - you may need to upgrade the library and pay the upgrade price, something some developers may not be willing to do, and keep on using older, non-secure versions.

          Many libraries also come with source code - not open source, of course - so you can fix issues yourself if you're able and have time. That's again something you may need to pay an additional price to get.

          I always got my libraries with source code for that reason - developers who are cheap will deliver cheap code, it's inevitable.

      2. veti Silver badge

        Re: The Solution is Simple for Those who Mislike Open Source

        I've been saying for years that "maintenance" is by far the largest and most lucrative part of the software lifecycle. A company that neglects to maintain its own commercial products - is pissing away its best asset.

        A lot of software engineers hate to admit this (because maintenance is both boring and hard, much harder than writing sexy new code), and I expect to attract the usual downvotes from those people. But it's true.

      3. AntoniaChristina

        Re: The Solution is Simple for Those who Mislike Open Source

        Yeah, but Open Source doesn't come with deep pockets to pay off a lawsuit the way a larger software company does.

  5. Claptrap314 Silver badge

    Just this week

    I was looking for an implementation of Raft (in Ruby) that I could modify for my special requirements. All depended on dead projects.

    I plan to do an implementation with 0 dependencies outside the standard library simply for this reason. I'm not going to make someone depend on my dog's fleas just because it allows me to ship something a bit faster.

    Businesses need to be forced to recognize the business risk of relying on software without a support contract.

    1. Dan 55 Silver badge

      Re: Just this week

      They're happy enough to include open source projects, but contributing to them is always a problem due to project hours or whatever their legal department says, and even the simple task of keeping open source components up-to-date seems to be too difficult too.

      1. fidodogbreath

        Re: Just this week

        Like everything else in the world, freeness -- beer or libre -- isn't free. This issue is just another example of the foundation of economics: "There's no such thing as a free lunch."

        Edit to pre-emptively add: This statement is NOT a knock on open-source software in any way. It's just recognizing that nothing is without cost.

  6. Anonymous Coward

    OSS & management & bottom line...

    From my experience the problem is the bottom line and management (previous company)...

    I've been blocked from updating libraries the main company product was dependent upon due to cost at every release that I asked for a budget for.

    The result was me not asking to update OSS libraries and just doing it as part of the release.

    Updating commercial libraries was a non starter due to the huge upfront cost to pay the other party... I always asked but only ever updated if we really really needed a fix...

    Updating anything outside of a release was a complete non-starter... Again cost and management. A release was at best every couple of years...

    Management never allowed me to push fixes back to OSS libraries. I did push quite a few in my own time and I always raised a bug report with more than enough detail but I had to be careful due to one of the directors continually doing searches for submissions... If anything this attitude made it more painful when updating libraries as we had to check and apply additional patches...

    Personally I believe that commonly used OSS libraries are of huge benefit to developers and businesses. Developers should be encouraged to contribute fixes as it helps with their development as a developer and saves the company money in the longer term. Companies should be encouraged to contribute back to projects they use as it's IMHO money well spent and is good for marketing...

  7. Binraider Silver badge

    I think it is disingenuous to call out open source as the source of set it and forget it. Traditionally licensed software sees the same, and you never get to update unless the developer sees fit. At least with open source, it’s an option for anyone.

    What if your library of choice is discontinued too. That’s a full respec and redo in many cases.

    1. Anonymous Coward

      There's a difference - when you have to pay for libraries you use a smaller set and often want to use what you're paying for, including latest releases. Also, commercial libraries may care more about backward compatibility and breaking changes.

      With FOSS some applications are really a great bunch of libraries cobbled together somehow - after all everything is free and people look for libraries even for the smallest and easiest-to-write code. This mishmash soon becomes very hard to properly maintain, as each library should be tracked (some are updated regularly, others seldom, a few never), updates checked for security fixes, and when new versions are introduced everything needs to be re-tested (good if you have automated tests - not so good otherwise...)

      and if the libraries themselves don't have proper management, the next version may break your application because FOSS developers may not have the will and resources to keep updating different versions.

  8. Flat Phillip

    Distributions help here

    A lot of the distributions frown upon having "embedded libraries". That is where you have your program in a package and it brings its own special version of libssl or something else along with it.

    It's not 100% perfect but when there is a vulnerability for a particular library once it's updated it is done; no need to work out where else has this same library that will also need updating.

    It doesn't work too well with modified libraries where the binary maintainer has their own special version with modifications they added to the library. Generally this is a bad idea as there are better ways of getting the same outcome.
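To show what the "embedded libraries" hunt looks like in practice (the same problem as the forgotten OpenSSL copies mentioned further up the thread), here is an added example of my own, not from any poster or distribution: it walks a directory tree and pulls the OpenSSL version banner (the `OpenSSL x.y.zN  date` text that the library compiles into itself) out of every file, then groups the hits by version. The directory layout and file contents are constructed fixtures written to a temp dir; point `scan_tree` at a real root to inventory an installed system.

```python
"""Inventory embedded OpenSSL copies by their compiled-in version banner.

Added example for this thread; not from any poster.  The sample tree built by
build_sample_tree() is a CONSTRUCTED fixture, not real binaries.
"""
import os
import re
import shutil
import tempfile

# OpenSSL builds embed a banner like "OpenSSL 1.1.1k  25 Mar 2021"; we only
# need the version token.  Scanning raw bytes means ELF, PE and static copies
# inside some vendor app all match the same way.
BANNER_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*)")


def scan_file(path):
    """Return the sorted, distinct OpenSSL versions whose banner appears in one file."""
    with open(path, "rb") as f:
        data = f.read()
    return sorted({m.group(1).decode() for m in BANNER_RE.finditer(data)})


def scan_tree(root):
    """Return {version: [relative paths]} for every file carrying a banner under root."""
    found = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            for version in scan_file(path):
                found.setdefault(version, []).append(os.path.relpath(path, root))
    return found


def build_sample_tree():
    """Constructed fixture: fake 'binaries' carrying OpenSSL banners, plus a decoy."""
    root = tempfile.mkdtemp(prefix="libscan-")
    fixtures = {
        "usr/lib/libssl.so.1.1": b"\x7fELF...OpenSSL 1.1.1k  25 Mar 2021\x00",
        "opt/vendor-app/bin/app": b"MZ...OpenSSL 1.0.2k  26 Jan 2017\x00",
        "opt/java/lib/libcrypto.so": b"\x7fELF...OpenSSL 1.1.1k  25 Mar 2021\x00",
        "opt/tools/readme.txt": b"nothing here",
    }
    for rel, content in fixtures.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(content)
    return root


def report(found):
    """Render the inventory; warn when more than one distinct version is embedded."""
    lines = []
    for version in sorted(found):
        lines.append(f"OpenSSL {version}: {len(found[version])} copy/copies")
        for path in found[version]:
            lines.append(f"    {path}")
    if len(found) > 1:
        lines.append("WARNING: multiple distinct OpenSSL versions embedded; "
                     "updating the distro package will not cover them all")
    return lines


if __name__ == "__main__":
    root = build_sample_tree()
    try:
        print("\n".join(report(scan_tree(root))))
    finally:
        shutil.rmtree(root)
```

The distro-packaged `libssl.so.1.1` and the Java bundle share one version, so a single package update fixes both only if the bundle actually links the system copy; the vendor app carries its own, older banner and is exactly the kind of thing the "embedded libraries" policy is meant to surface.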

    1. Charlie Clark Silver badge

      Re: Distributions help here

      Debian has been caught with its trousers down a couple of times for just this reason and RedHat will happily sell you a dead and unmaintained cat. Good luck with redress on anything they provide.

    2. Claptrap314 Silver badge

      Re: Distributions help here

      What guarantees do I have that the updated library doesn't break my dependent application? None? Well, okay then, let's do this!

      NOTHING about a shared library implies that its updates won't break dependent functionality. If this were not the case, we could forgo functional tests after the initial releases.

  9. Anonymous Coward

    Risk assessment

    The key is in risk assessment when using FOSS in your end product - it should be part of your design choice beforehand (so before you start).

    I did this once - big mistake ... management considered the risk assessment (vulnerabilities, support issues, future upwards compatibility and (in)compatible FOSS licenses to name a few) totally not our problem, just get the product shipped to the customer. The approach chosen was "we solve the issue when it arises".

    I do not work there anymore, so if the shit hits the fan I will not be around to clean up their mess.

    AC for good reason.

  10. steelpillow Silver badge

    Cast out the beam from thine own eye

    Before pointing out the speck of dust in the Open Source eye.

    FUD is soo last millennium.

    1. naive

      Re: Cast out the beam from thine own eye

      Weird, the author moans about Open-Source insecurity, while all the headline ransomware attacks are on Windows platforms. Is he implying MS uses outdated OSS libraries?

      1. Potemkine! Silver badge

        Re: Cast out the beam from thine own eye

        Linux Ransomware: Famous Attacks and How to Protect Your System

        Complacency is the first step to failure.

  11. 101 Not Found

    Veracode are tr0lling us right? Like closed source software doesn't bundle lots of unmaintained libraries right? At least using the Linux model all libraries are located and updated centrally ... not so Windows

    1. veti Silver badge

      To an extent, just about every article you see on El Reg (and every other trade-related news outlet) is somebody trolling us. In this case, Veracode [who? - Ed] has done a study for its own purposes, and decided to release the findings in the hope of drumming up business for themselves.

      The difference between open and closed source in this context is about your relationships. Closed source comes from an identifiable vendor, if they're shipping shit you can do something about it (complain privately, complain publicly, take legal action, shift vendors, stop paying them, whatever). Open source doesn't allow for any of those remedies, the only thing that "works" is to fix it yourself - at unknowable cost, and then you have a potentially difficult choice about whether to fix the source library (so that your competitors can also benefit from your hard work) or not (so that your version becomes forked, and you won't benefit from anyone else's fixes even if they do happen).

      1. matjaggard

        We used Veracode at my previous job. It's fine, not good but not awful either.

        It is *completely* shocking that a study by Veracode tells us that using a tool like Veracode is worthwhile though. I can't quite believe we'd be reading it if the study had found that everyone keeps their dependencies up to date without a security tool.

  12. trevorde Silver badge

    Fix one thing, break two others

    Just an update from down in the trenches:

    Updating a third party library, for whatever reason, brings in the risk of regressions. Retesting the software is time consuming and expensive, so updating is avoided.

    Quite often APIs also change, so it can be a large engineering effort to reintegrate libraries (I'm looking at you: React, .NET, Swashbuckle ...)

    1. matjaggard

      Re: Fix one thing, break two others

      Automate your tests properly and then it's much easier to keep your dependencies up to date. It's not easy or cheap (unless you do it from the start, when it is cheaper) but it is essential.

  13. HammerOn1024

    So here's the thing

    There are two big inertia drivers here, one from the business side of the house and the other from Engineering. From the business side it's; If we don't get reports it's broken, it's not broken, so no money to check if it's broken. From the engineering side, it's the usual variation of; If it ain't broke, don't fix it. The engineers are not given the time to check, see the business rule, and the business folk have profit blinders on.

    So until the company CEO gets a knuckle ball to the head, nothing is going to change.

    The only thing to keep in mind then is: What color is your parachute?

    1. matjaggard

      Re: So here's the thing

      There are some big businesses for whom that's true, but still tools like Veracode (cheaper and better tools may be available, it's not great) are used, and issues found have to be fixed by a date or an exception signed off. It's not an unusual way of working by any means and it decreases that inertia you describe.

  14. Blackjack Silver badge

    Is not just open source

    Heck, take a look at Windows 10 and see how many things have not been updated in ages.

  15. This post has been deleted by its author

  16. Charlie Clark Silver badge

    "Open source is indeed like gravity today…"

    Mrs Brock owes me my lunch!

  17. cschneid

    diagnosis

    When something bad happens software-wise, the first question asked is often "What changed?" This has been going on long enough for "Changes break things" to become an aphorism (it doesn't follow logically, but that's folklore for you). Which led to, "If we make no changes, nothing bad will happen."

    Except of course, "What changed?" is only one of the questions to ask; another is, "What didn't change that should have?" The latter has not yet entered the zeitgeist.

    And here we are.

    The sad truth is, changes too often result in something bad happening. Not making changes also too often results in something bad happening. Things are broken, and no one with the power to fix them has any interest in doing so as they make a tidy living off the current state.

  18. pomegranate

    Special to open source?

    From the article and my reading of Apple security news, I would say it's software in general. I'm prompted to update my Apple software for security reasons pretty regularly. I know people (won't say whom) who seldom or never update, on the theory that, "If it ain't broke, don't fix it."

    However, I don't know specifically whether programmers often use closed-source dependencies without regular updates. Which updates, of course, have their own attack surface.

  19. yetanotheraoc Silver badge

    The light is better over here

    That's the old joke about the drunk looking for his keys under the streetlamp, even though that's not where he lost them.

    Veracode is selling a scanning tool, which pretty much won't work on closed source, except in the rare case that you can demand the sources from your vendor. So their target market is developers depending on open source? Also a pretty good punchline.

  20. Anonymous Coward

    outdated third-party libraries

    The issue with outdated third-party libraries was brought to the attention of the world by Moxie Marlinspike with his epic trolling of Cellebrite:

    https://www.theregister.com/2021/04/21/signal_cellebrite/

  21. Anonymous Coward

    Unless you are the son-in-law of the company president, and have a blank check for adding more IT staff as you wish, once you have a solution that works, you freeze it and move on, no matter if it is open source or proprietary. The only time you update is if it is unavoidable.

    After all it is cheaper to pay a ransom once in a blue moon rather than fully fund for years a large IT staff and pay for updates, and security audits.

  22. Anonymous Coward

    There are some situations where updates to libraries are problematic....

    1. Licensing

    Sometimes, updated versions of a particular module use a newer license with terms that are onerous to the client e.g. clauses which require publication of bespoke adjacent software.

    2. Time and cost of change

    Systems which are certified for safety of life applications typically cannot be changed without repeating part or all of the certification process, which can take a long time (from months to years) and cost a lot of money.

    I worked on a safety of life system for which the EC was paying the bills. Even the change of a single module would take many months to reach approval by the relevant regulatory authority. The EC requires ownership of IP of the bespoke systems which they procure. Because of this, open source was banned in the requirements of the system, but I spent a disproportionate amount of my time dealing with lawyers from all parties in procurements where suppliers had chosen to push some open source into the software they had supplied.
