
Tools catch security holes in open source code

Maria Korolov | July 2, 2014
Given its prevalence, open source code is virtually impossible to avoid, but the proper steps need to be taken to address its vulnerabilities.

But what about the unknown vulnerabilities? There are tools to help with that, as well.

One such tool is the Application Intelligence Platform from New York-based CAST, which can scan software for bugs and vulnerabilities and point out where the problems are located.

"In an average application, there are 100 to 120 security vulnerabilities that we find," said Lev Lesokhin, senior vice president at CAST.

Common problems include SQL injection, where a hacker trying to break into an application types database query syntax into an input field instead of the requested data; if the application pastes that input straight into its own query, the attacker's fragment runs as part of it. This technique isn't anything new.

"But it's still the most common way that criminals get into the system," said Lesokhin.

According to the latest Verizon Data Breach Investigations Report, released in April, SQL injection was used in 80 percent of attacks against Web applications.

"One of the myths of open source software is that there are millions of eyeballs looking at the source code and fixing it," he said. "But that's true of only very few open source projects. The rest of it, someone wrote something and put it out on open source."

It might have been written by an amateur, or someone who's moved on to something else and is no longer maintaining the software.

But it still could be useful code that could save a company developer hours, days, or even weeks of work.

"Any component you can think of, there's an open source example out there that you can reuse," said Lesokhin.

But one company is taking its code scanning technology right to the source: to the open source projects themselves, that is. And since these projects are typically not well funded, the technology is available for free.

It's called Coverity Scan, and is provided in the cloud by San Francisco-based Coverity, Inc. It scans software for all the common types of security problems, including buffer overflows, cross-site scripting, insecure data handling, SQL injections, security misconfigurations, and illegal access to memory.

It originally began in 2006 as a public-private research project between Coverity and the U.S. Department of Homeland Security, and has been used to analyze some of the most important C and C++ open source projects, including Linux, Apache, PHP and PostgreSQL. Last year (2013), Coverity Scan was expanded to include Java as well.

"They get the same platform as our customers get, but in the cloud," said Zack Samocha, the company's senior director of products.

The last few months have been hard for open source projects from a security perspective, he said.

"The Heartbleed issue was huge," he said.

However, there was a silver lining. The high-profile security problems drew attention to the need for better security screening of open source software.

"Over 400 new projects signed up for Coverity scans after the awareness of that issue," he said. "The open source community is maturing, and understands the need for these kinds of tools to be successful. They are making more sure that the quality is better and that the security is better."
