
The Challenge of Open-Source Software Security

Patrick Dwyer Says Open-Source Software Deserves More Resources
Patrick Dwyer, Open Web Application Security Project

The Log4j vulnerability has underscored once again the widespread dependence on open-source software projects and the lurking risks.


It has also brought into question whether software projects such as Log4j, which is maintained by volunteers with the Apache Software Foundation, deserve more attention and resources given the deep impacts a security problem can have.

"We're not talking about a large corporate vendor here supplying this component," says Patrick Dwyer of the Open Web Application Security Project, or OWASP. "We're talking about a small team of open-source software maintainers."

Enterprises and organizations are scrambling to figure out whether the software they run uses the logging library. The remote code execution flaw in Log4j, tracked as CVE-2021-44228, is triggered when attacker-controlled text reaches a log statement, and it could allow an attacker to extract secrets from a server or take it over completely (see: Exploiting Log4j: 40% of Corporate Networks Targeted So Far).

Part of the problem is that Log4j is embedded in hundreds of thousands of software applications, often as a transitive dependency pulled in by another library rather than one an application's own developers chose. Figuring out the risk and exposure has been a challenge.

Dwyer helps develop CycloneDX, a specification for creating SBOMs, or software bills of materials: machine-readable lists of the third-party code and dependencies within an application or device. SBOMs could conceivably have helped organizations figure out their exposure in Log4j-type situations, since they would have had an accurate inventory of what each asset contains, he says (see Supply Chain: The Role of Software Bills of Materials).
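To make the inventory point concrete, here is an added example (not code from the article, from Dwyer, or from the CycloneDX project) that walks a CycloneDX JSON SBOM and reports every dependency path leading to a log4j-core version in the vulnerable range. The SBOM is constructed by hand for the example, the application and library names in it are hypothetical, and the version policy ("2.x before 2.15.0") is a simplified stand-in for the Apache advisory's exact affected-version list, which also names backported security releases for older Java runtimes.

```python
import json
import re
from typing import Iterator

# Constructed CycloneDX 1.4 SBOM (JSON) for a hypothetical application.
# Real SBOMs come from build-tool plugins; this one is hand-written for the example.
SAMPLE_SBOM = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "version": 1,
  "metadata": {
    "component": {"type": "application", "name": "example-service", "version": "1.2.0"}
  },
  "components": [
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-api",
     "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
    {"type": "library", "group": "com.example", "name": "internal-utils", "version": "3.0.0",
     "purl": "pkg:maven/com.example/internal-utils@3.0.0",
     "components": [
       {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
        "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"}
     ]},
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "version": "2.17.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"}
  ]
}
"""

# Simplified policy for CVE-2021-44228: log4j-core 2.x before 2.15.0 is treated as
# vulnerable. Illustrative only; consult the Apache advisory for the exact ranges.
VULN_GROUP = "org.apache.logging.log4j"
VULN_NAME = "log4j-core"
FIXED_IN = (2, 15, 0)


def parse_version(version: str) -> tuple:
    """Turn '2.14.1' or '2.0-beta9' into a comparable numeric tuple, dropping pre-release tags."""
    core = re.split(r"[-+]", version, maxsplit=1)[0]
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    # Pad so (2, 15) and (2, 15, 0) compare equal.
    return tuple(parts + [0] * (3 - len(parts)))[:3]


def walk_components(components: list, path: tuple = ()) -> Iterator[tuple]:
    """Yield (path, component) for every component, descending into nested ones.

    CycloneDX lets a component carry its own 'components' array, so a vulnerable
    library can sit several levels below a dependency the developers chose directly.
    """
    for comp in components:
        label = f"{comp.get('group', '')}:{comp.get('name', '')}@{comp.get('version', '')}"
        here = path + (label,)
        yield here, comp
        yield from walk_components(comp.get("components", []), here)


def is_vulnerable(comp: dict) -> bool:
    """True if the component is log4j-core in the vulnerable 2.x range."""
    if comp.get("group") != VULN_GROUP or comp.get("name") != VULN_NAME:
        return False
    return (2, 0, 0) <= parse_version(comp.get("version", "")) < FIXED_IN


def find_exposure(sbom_json: str) -> list:
    """Return the dependency path ('group:name@version' per hop) to each vulnerable log4j-core."""
    sbom = json.loads(sbom_json)
    return [list(path) for path, comp in walk_components(sbom.get("components", []))
            if is_vulnerable(comp)]


if __name__ == "__main__":
    for path in find_exposure(SAMPLE_SBOM):
        print(" -> ".join(path))
```

Note that log4j-api is not flagged (the lookup code lives in log4j-core), the 2.17.1 copy is not flagged, and the vulnerable copy is only found because the walk descends into a component nested under an unrelated internal library; that nesting is exactly the case where grepping an application's own build file would miss it.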

"We would have been in a much better state to be able to prioritize that initial response," Dwyer says. "A lot of people didn't even know where to start."

In this video interview with Information Security Media Group, Dwyer discusses:

  • The security challenges of open-source software projects;
  • Why some open-source software projects need enterprise-level security evaluations;
  • How SBOMs can help organizations understand their exposure to vulnerabilities.

Dwyer is a member of the CycloneDX SBOM Specification Core Team and OWASP. He is also software developer lead for a government council in Queensland, Australia.


About the Author

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.



