While not stirring up the same panic as the Heartbleed bug or the more recent DROWN attack, any vulnerability in OpenSSL should cause a bit of a ruckus, if only for the fact that two-thirds of the internet employs the library. So if you’re using OpenSSL and you haven’t patched up yet, it’s time. Stop reading, download the updates – and then come back to read why you need to.
Read the full security advisory here.
If you’re not familiar with OpenSSL and you design, build or secure applications, it’s time to learn. Chances are, OpenSSL is implemented is one or more of your apps. OpenSSL is an open-source cryptographic library that implements the SSL/TLS protocols. The library is used to secure communications over email, web apps, VPN, and online as well as mobile communication and messaging applications.
Per the project’s wiki, OpenSSL is a tool that provides a library, called libssl, supporting SSL (Secure Sockets Layer) and TLS (Transport Layer Security) protocols for client and server applications, a comprehensive cryptographic library, libcrypto, and a command line app that enables both testing of the SSL/TLS protocols as well as the creation and handling of certificates.
In short, OpenSSL enables millions of applications – and hundreds of millions, if not billions of people – to communicate securely. It’s widely popular, yet underfunded and low on consistent manpower. Call it the curse of open source projects. Here are some takeaways from this latest round of patches, and the more high-level takeaways on how we can improve on open source.
Open source has exploded in recent years due to several factors, including the higher speed of development and pressure to deploy apps faster, the higher quality of open source projects maintained by large communities, the independence from proprietary vendors, and perhaps the biggest reason: the savings gained by using already-built and well-maintained components.
Forrester analyst Jeffrey Hammond explained it well in Computerworld: “Companies get the ‘Lego blocks’ for free, so they can spend their time and resources building what they want in particular.”
When developers can use open source libraries for more standard parts of an app and use their manpower building the more intricate or customized areas, the organization wins by saving time and money, and the developers win by being empowered to build more critical areas of the app.
Yet, with open source, there is a caveat – there is really no such thing as a free lunch. This has a few implications, and we’ll discuss the need for both financial and development support for open source projects like OpenSSL. But for this point, it relates to the fact that open source comes with strings attached – security flaws open to the public for scrutiny…an attack. And the strings can be pulled by malicious attackers if your open source components are not properly secured.
It may not even be a flaw in the open source library itself; there may be security issues with the way a component interacts with your in-house code, or with how the component was implemented.
That’s why security testing is essential with open source, just like with your in-house code. With a Secure SDLC in place, both threat modeling and security testing, especially source code analysis, can be deployed to ensure that all your code is secure and that the possible threats to your app are documented well before the app is deployed for general use.
We’re still only two years past the Heartbleed fiasco, dubbed by ZDNet as ‘Open Source’s Worst Hour’, and while OpenSSL vulnerabilities went through a good cleaning post-Heartbleed, the importance of continuous monitoring of the open source components used in your apps can’t be overstated.
A WhiteSource study on organizations using open source projects found that in 2014, of 645 thousand projects researched, 33.8% were using open source components with security vulnerabilities – even though a full 95.7% of the vulnerable libraries used has newer versions that had mitigated the vulnerabilities.
The security of open source components – like any other piece of code – can’t be taken for granted; we need to learn from history. With organizations now relying on at least one open source component, managing the components you used should be done right alongside your in-house code.
<<Want help managing and securing your open source components? Check out Checkmarx Open Source Analysis (OSA) here.>>
The OpenSSL vulnerabilities announced this week were nothing unexpected. Flaws in the OpenSSL project are regularly announced and new updates are part of the norm. It’s not that OpenSSL is bad or shouldn’t be used; the opposite in fact, is true. OpenSSL has made encrypted communication a standard component of applications – an absolutely positive outcome.
Yet OpenSSL, like any open source project, is not a fortress. It has holes. It’s not perfect. There’s still work to be done in making it as secure as possible. And if your app is one of the hundreds of millions of applications using OpenSSL, you can help make it better, either by donating your time by reporting vulnerabilities your organization discovers or working in the community, or money – or getting your organization to do so.
Open source projects like OpenSSL are only as strong as the team of paid and voluntary developers working on it. If OpenSSL or another project has been fundamental in your apps, consider giving back. The more help from the community, the faster issues can be fixed – and the more secure projects that are part of the internet’s backbone can be.
Sign up today & never miss an update from the Checkmarx blog
Interested in trying CxSAST on your own code? You can now use Checkmarx's solution to scan uncompiled / unbuilt source code in 18 coding and scripting languages and identify the vulnerable lines of code. CxSAST will even find the best-fix locations for you and suggest the best remediation techniques. Sign up for your FREE trial now.
Checkmarx is now offering you the opportunity to see how CxSAST identifies application-layer vulnerabilities in real-time. Our in-house security experts will run the scan and demonstrate how the solution's queries can be tweaked as per your specific needs and requirements. Fill in your details and we'll schedule a FREE live demo with you.