In recent years, there has been a rapid increase in the adoption of open-source frameworks by organizations of all sizes. At the same time, the statistics on vulnerabilities in open-source frameworks have prompted security administrators to rethink that adoption.
To counter the resulting attacks, enterprises are turning to modern security practices like DevSecOps. Further, enterprises are operationalizing these practices using solutions based on deception technology.
Risks of Bugs & Vulnerabilities with Open Source
The infamous Equifax breach, which affected more than 143 million records of American taxpayers, is one example of what bugs in open-source systems can do to an organization. The company's statements revealed that a bug (suspected to be CVE-2017-9805 or CVE-2017-5638) in the open-source server framework Apache Struts was one key reason behind the record-breaking breach.
The vendor had already patched the vulnerabilities in March 2017, but hackers exploited the bug two months later, between May and July 2017, to gain access to Equifax servers. The delay in patching the open-source vulnerability eventually resulted in a fine of over $700 million for Equifax.
The Right Approach towards Open-Source
In spite of the incidents mentioned above, a large number of developers would still argue, with some justification, that the benefits of using open-source frameworks outweigh the associated security risks. The massive growth in open-source adoption also supports that argument.
The right approach to open-source frameworks is not to avoid them altogether, but to build a process that prevents such incidents by proactively finding and patching bugs before attackers exploit them. One good way of doing this is to follow vendor websites continuously to keep track of updates, and to apply patches as soon as they are released. This works well for popular products from established vendors.
For instance, Red Hat Linux is known for fixing more than 65% of vulnerabilities within one day of public disclosure, and around 90% within 14 days. However, this is not true for all open-source application vendors. One estimate suggests that only 25% of open-source vendors notify their users of vulnerabilities, and just 10% take additional steps such as filing a CVE. And when several third-party open-source components are involved in an application, it can be hard to keep up with updates from all of those vendors promptly.
Issues with Open-Source Dependencies
Besides the core application, open-source developers often favour ready-to-use open-source packages (called dependencies), since these give them control over the entire source code and are easy to obtain and deploy. But each dependency also increases the attack surface of the entire application.
GitHub's automated dependency alerts provide some level of automation, but they are restricted to projects hosted on GitHub, and their effectiveness is limited by how the alerts are configured (weekly, daily, etc.) and by how responsive each repository owner is.
How can Deception Technology Help?
Deception technology boosts an organization's cybersecurity by adding extra layers of security (such as decoys) and proactive ways of defending against known and unknown threats. It works by deploying several decoys or traps that mimic the genuine network elements of an organization.
When an adversary touches a decoy, notifications are broadcast to the centralized server, along with all the useful information that can help track and contain the breach. Tools and products based on this technology can also identify and analyze zero-day and other advanced attacks in real time, which traditional security products cannot tackle.
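To make the decoy mechanism concrete, here is an added example (not code from the original article or any product it describes): a minimal fake FTP-style listener that behaves like a real service but treats every connection as an alert, recording the source address and the first bytes sent, then hands the record to whatever would forward it to the central server. The decoy name, banner and the single probing connection are constructed for the demo and all stay on localhost.

```python
import socket
import threading
from datetime import datetime, timezone

class Decoy:
    """Fake service listener: it has no legitimate users, so every connection is an alert."""
    def __init__(self, name, banner, host="127.0.0.1", port=0):
        self.name, self.banner, self.alerts = name, banner, []
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind((host, port))       # port 0: let the OS pick a free port
        self.sock.listen(5)
        self.sock.settimeout(0.2)          # lets the accept loop notice a stop request
        self.port = self.sock.getsockname()[1]
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self): self._thread.start()

    def stop(self):
        self._stop.set()
        self._thread.join()
        self.sock.close()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, (src_ip, src_port) = self.sock.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(0.5)
                conn.sendall(self.banner)  # behave like the genuine service
                try:
                    first = conn.recv(256) # record what the intruder sends first
                except socket.timeout:
                    first = b""
            alert = {"ts": datetime.now(timezone.utc).isoformat(), "decoy": self.name,
                     "decoy_port": self.port, "src_ip": src_ip, "src_port": src_port,
                     "first_bytes": first[:64].decode("latin-1")}
            self.alerts.append(alert)
            print("ALERT", alert)          # stands in for forwarding to the central server

def run_demo():
    """Start a decoy, make one constructed connection to it, and return the alerts raised."""
    decoy = Decoy("decoy-ftp-01", b"220 FTP service ready\r\n")  # hypothetical decoy name
    decoy.start()
    with socket.create_connection(("127.0.0.1", decoy.port), timeout=2) as client:
        client.recv(64)                    # wait for the banner, as a real client would
        client.sendall(b"USER guest\r\n")  # constructed probe against our own decoy
    decoy.stop()
    return decoy.alerts
```

Because nothing legitimate is ever configured to use the decoy, each alert is actionable as-is, which is the property the false-positive argument later in the article relies on.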
Benefits of using Deception Technology
Using deception technology helps organizations defend proactively against advanced and unknown threats.
The Invisible Cloak of Security
The decoy infrastructure acts as an invisible layer of security that can turn the tables on attackers. Attackers who breach the decoy's network elements believe they have gained access to the internal environment, and their next steps reveal their intentions.
At the same time, you get accurate alerts in real time, through which you can watch their every move and gather all possible information about their tactics, techniques, and procedures (TTPs), which can then be used to secure your environment with timely action.
Reduced Risks and Efforts
The decoy elements produce real-time alerts along with rich forensic data for detailed analysis. Such data helps filter out false positives, allowing security admins to save time and effort and focus on the actual problem.
Vertical and Horizontal Scalability
Automated alerts eliminate the manual effort required in operational tasks, enabling you to raise the level of security across a wider perimeter of the network. Deception technology can also place breadcrumbs across a wide range of devices, from modern IoT devices to legacy environments across the organization.
Practical Implementation – DevSecOps for Open Source
DevSecOps provides a way to operationalize deception technology for open-source software. It builds security into the entire DevOps supply chain, from requirement analysis to coding, deployment, and continuous monitoring of the applications. Introducing security at the early stages of the DevOps lifecycle minimizes the vulnerable surface exposed to the outside world.
To begin with, consider using automated vulnerability scanning tools across the stages of the continuous integration and continuous delivery (CI/CD) process. Several tools are available for monitoring security and compliance that integrate with cloud-based agile DevOps methodologies and keep up with fast release cycles.
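As an added example (not from the original article or any particular scanning product), here is the core of the CI/CD check described above, applied to the dependency problem from the earlier section: a pinned manifest is compared against an advisory feed and the pipeline step returns a non-zero exit code while any dependency still sits in a vulnerable version range. The advisory feed, advisory ids, package names and versions are all constructed for the demo.

```python
import re

# Constructed advisory feed (not a real vulnerability database): each entry gives the
# vulnerable version range [introduced, fixed). Package names and versions are made up.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "package": "webframework", "introduced": "2.3.0", "fixed": "2.5.13"},
    {"id": "ADV-EXAMPLE-0002", "package": "webframework", "introduced": "2.0.0", "fixed": "2.3.32"},
    {"id": "ADV-EXAMPLE-0003", "package": "yamlparse", "introduced": "0.0.0", "fixed": "5.1.0"},
]
# Constructed manifest in pip-style "name==version" form, with one comment line.
MANIFEST = """\
webframework==2.5.10
yamlparse==5.1.2
requests-lite==1.0.0  # no advisories for this one
"""

def parse_version(v):
    """Turn '2.5.10' into a comparable tuple; a part with no leading digits sorts lowest."""
    return tuple(int(re.match(r"\d*", p).group() or -1) for p in v.split("."))

def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed, i.e. the pinned build lacks the patch."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)

def parse_manifest(text):
    """Map lowercase package name to pinned version, ignoring blanks and comments."""
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, _, version = line.partition("==")
            deps[name.strip().lower()] = version.strip()
    return deps

def audit(manifest_text, advisories=ADVISORIES):
    """Return one finding per (dependency, advisory) pair whose pinned version is unpatched."""
    deps = parse_manifest(manifest_text)
    findings = []
    for adv in advisories:
        current = deps.get(adv["package"])
        if current and is_affected(current, adv["introduced"], adv["fixed"]):
            findings.append({"package": adv["package"], "installed": current,
                             "advisory": adv["id"], "upgrade_to": adv["fixed"]})
    return findings

def ci_gate(manifest_text):
    """Exit code for a pipeline step: 1 blocks the build while anything is unpatched."""
    findings = audit(manifest_text)
    for f in findings:
        print(f"BLOCK {f['package']}=={f['installed']}: {f['advisory']}, upgrade to {f['upgrade_to']}")
    return 1 if findings else 0
```

Wiring `ci_gate` into a pipeline stage turns the "track vendor updates and patch promptly" advice from earlier into an automatic check that runs on every build rather than on someone remembering to look.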
Using open-source frameworks and components carries a significant risk of exposure, but the current positive trends around open-source frameworks hint at where the future is headed. To withstand the challenges of open-source frameworks, you need to adopt DevSecOps. The integration of security should be seamless and agile enough to withstand dynamic DevOps cycles without breaking them.
Selecting the right set of tools for automated open-source management helps control the associated risks. Deception technologies are very useful for taking proactive countermeasures against attackers. They are key to realizing the full benefits of open-source tools while avoiding the associated risks.