The open-source library security flaw problem

'If you pick any random PHP library it more than likely has a flaw,' says Veracode's Chris Eng

  • John Leonard
  • @_JohnLeonard
  • 29 May 2020

Open-source code is more secure because with a thousand eyes on the code "all bugs are shallow", right? Wrong, says Chris Eng, chief research officer at security firm Veracode.

"This was a myth since day one," he said. "The problem is you don't have the right eyes."

Of all the eyeballs that pass over the code only a few have the required expertise to spot vulnerabilities. "You might as well have a room of English speakers reviewing a Russian manuscript," said Eng.

Which is not to say that proprietary software is necessarily more secure, just that the oft-quoted dictum can lead to complacency.

Open source has become hugely successful because of the culture of reuse. Why write something if you can take it off the shelf for free?

Which is great so long as the libraries - packages of functions and resources for performing a particular task - are secure, but unfortunately this cannot be taken for granted. Recent research by Veracode has found that libraries used by some languages, and the way those libraries are used, make them more vulnerable to attack.

The company scanned the components of 85,000 open source applications which included more than 351,000 unique external libraries and found that applications written in three languages popular with web development - JavaScript, Ruby and PHP - have particularly high rates of library usage.

[Figure: Apps may have hundreds of dependencies. Source: Veracode]

Some of these libraries are present in the vast majority of applications. More than 85 percent of JavaScript programs use the lodash library, for example, and the average JavaScript program incorporates hundreds of external libraries.

"More than any of the languages we've looked at, JavaScript encourages the creation and use of very, very, small libraries that do one task," Eng said.

Dependencies of dependencies

And it's not just the number of libraries. Many of the commonly used libraries are transitive, meaning they are dependencies of dependencies, making managing those vulnerabilities more complex. The languages found to have the largest number of transitive dependencies were JavaScript, Ruby, PHP and Java.

[Figure: Transitive libraries. Source: Veracode]

PHP is of particular concern. Because PHP is a 'language of the web', its libraries are also a popular way in for hackers, particularly those exploiting cross-site scripting (XSS), access control and authentication flaws.

"Chances are, if you pick any random PHP library, it more than likely has a flaw," Eng said. "It's such a common application for server-side web applications, so it's frequently exposed to a large threat community."

While PHP may not be adding new libraries at the rate of, say, JavaScript or Python (in which a flawed library is included with roughly every 10 libraries used in applications), the issue is that existing vulnerabilities are not patched fast enough, Eng said.

"Historically, we've found that PHP applications carry the most security debt of any language, so even though they aren't changing rapidly, flaws are very slow to be fixed."

But it's not just users of languages commonly used in web applications that need to take care. The study found that while applications written in Swift and Go use far fewer libraries, those libraries each tend to have multiple flaws. Unfortunately, PHP exhibits the worst of both worlds - a large number of libraries and a high density of vulnerabilities per library.

Of all the ten languages and frameworks studied, .NET came out best, with the lowest number of transitive dependencies and the fewest flaws overall.

Eyeballs aren't enough

Fortunately, most of the vulnerabilities found are minor and can be fixed with a simple upgrade, but this is easier said than done in applications that include several thousand libraries.

And while they are fewer in number, there are dozens of serious XSS and authentication errors in open source libraries that are open for exploitation, and new techniques for attacking them are emerging all the time.

Because the dynamics are always changing, and as transitive libraries are often included automatically by default, developer teams should keep abreast of the particular issues with their chosen languages, stay on top of the latest security alerts and make sure they apply updates and patches promptly, Eng said.

"Developers need to keep in mind that just because a library is 'safe' at a certain point in time, attacks are always evolving, and new vulnerabilities may be discovered in the future; this is why continuous scanning of your open source components is crucial.

"Relying on humans to spot every security bug just doesn't scale with the pace of modern development, whether open source or closed source. You need a robust software development lifecycle (SDLC) with integrated tooling. Humans can augment that, but they shouldn't be the only line of defence."
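The two points made above, that transitive libraries arrive without the application declaring them and that components must be re-checked as new advisories appear, as an added example that is not the article's or Veracode's code: it walks an npm package-lock.json (constructed inline, with hypothetical package names, versions and a hypothetical advisory entry), marks each installed package as direct or transitive, and reports any copy installed below an advisory's fixed version.

```javascript
// Added example, not from the Computing article or Veracode's research: classify the packages an
// npm package-lock.json (lockfileVersion 2/3, "packages" keyed by install path) records as direct
// or transitive, then match them against an advisory list. All names, versions and the advisory
// are constructed for illustration; the application itself declares only "web-framework".
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    "": { dependencies: { "web-framework": "^1.0.0" } },
    "node_modules/web-framework": { version: "1.2.0", dependencies: { lodash: "^4.17.0", "tiny-helper": "^0.1.0" } },
    "node_modules/lodash": { version: "4.17.15" },
    "node_modules/tiny-helper": { version: "0.1.3" },
    "node_modules/tiny-helper/node_modules/lodash": { version: "4.17.21" }, // nested copy, deeper path
  },
};

// Constructed advisory entry (hypothetical, not a real advisory): versions below fixedIn are affected.
const sampleAdvisories = [{ name: "lodash", fixedIn: "4.17.21" }];

// Numeric comparison of dotted version strings, returning -1, 0 or 1 (pre-release tags ignored).
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}
// Every installed package with its version and install path, marked transitive unless the
// application's own package.json (the "" entry of the lock file) declares it.
function classifyDependencies(lock) {
  const root = lock.packages[""] || {};
  const direct = new Set(Object.keys({ ...root.dependencies, ...root.devDependencies }));
  const marker = "node_modules/";
  return Object.entries(lock.packages)
    .filter(([path]) => path !== "")
    .map(([path, info]) => {
      const name = path.slice(path.lastIndexOf(marker) + marker.length); // works for nesting and @scopes
      return { name, version: info.version, path, transitive: !direct.has(name) };
    });
}

// Packages installed at a version below an advisory's fixed version, wherever they sit in the tree.
function findAffected(lock, advisories) {
  return classifyDependencies(lock).filter((dep) =>
    advisories.some((adv) => adv.name === dep.name && compareVersions(dep.version, adv.fixedIn) < 0));
}

for (const dep of findAffected(sampleLock, sampleAdvisories)) {
  console.log(`${dep.transitive ? "transitive" : "direct"} ${dep.name}@${dep.version} (${dep.path})`);
}
```

Run against a real lock file by replacing sampleLock with `JSON.parse(require("fs").readFileSync("package-lock.json"))` and sampleAdvisories with the output of your advisory feed; re-running it on each build is the "continuous scanning" Eng describes.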
