login code
When creating programs, developers often integrate pieces of code already written by someone else, so-called Open Source or open source code, into their applications or web services. With its help, programs are assembled like construction kits from components with different functions: open, close, save, send, and so on.
However, this borrowing has a downside. When using someone else’s code, it is hard to determine what other functions it contains beyond those the author has declared, and there may be vulnerabilities among the functions that are not declared in the code. By adding a problematic piece of Open Source code to software, the receiving program automatically becomes vulnerable.
Up to 40% of Russian programs are created using OpenSource, as the information security company Swordfish Security told socialbites.ca. Experts arrived at these figures after analyzing more than 300 projects of various Russian companies, mainly in the financial sector.
As a result of the analysis, more than 2.5 thousand vulnerabilities were found, of which more than 1,000 were critical, that is, allowing remote action by potential attackers. On average, there were 22 vulnerabilities per software product analyzed by Swordfish Security, and 79 problems per development team.
“Such dangerous vulnerabilities potentially create opportunities for attackers to launch attacks. For example, a number of critical vulnerabilities found in libraries (sets of code fragments – socialbites.ca) allow the execution of arbitrary code (including code with a malicious function – socialbites.ca) on the server side, which can lead to its termination and give them the opportunity to compromise and penetrate the organization’s network,” says Yury Shabalin, chief architect of Swordfish Security.
According to him, among the vulnerabilities found in open source, they often encountered those that could cause a complete failure of the service and paralyze the work of a large organization. They also found open-source fragments that gave the author unauthorized access to users’ cryptocurrency wallets.
Other information security companies provided socialbites.ca with similar data. For example, OpenSource is used in every second Russian application, according to Anton Prokofiev, head of technical interaction with customers at the Solar appScreener center of Rostelecom-Solar. Evgeny Fedorov, director of development at R-Vision, in turn suggested that the Swordfish Security data considerably underestimates the scale of the problem.
“I think most software developed in Russia uses OpenSource borrowings to some degree,” he added.
Denis Korablev, Product Director of Positive Technologies, spoke similarly. According to him, every major program he knows uses OpenSource.
weakest link
Swordfish Security noted that vulnerable open source is found in Russian products of various categories: mobile apps, desktop programs and more. However, in the vast majority of cases they found loopholes in web services.
“This, as a rule, is due to the large number of libraries used. After all, the more open source libraries are used, the more likely they are to have vulnerabilities,” said Shabalin.
Anton Kuzmin, head of the CyberART cyberthreat prevention center at Innostage Group, added that CMS systems (software for managing content on websites – socialbites.ca), databases and automation services for IT professionals are primarily at risk.
R-Vision’s Evgeny Fedorov spoke similarly.
“Due to the specifics of the development tools and programming languages used, web projects are most susceptible to vulnerabilities in OpenSource libraries: websites, media platforms, online media, etc.”
negative dynamics
Swordfish Security noted that the share of vulnerable OpenSource components on the network is growing steadily, but they call this growth natural.
“The number of libraries is growing – new ones are emerging, existing ones are being updated, and a vulnerability can be created in any of them. If you look at the statistics, there were more than 6 million new library releases last year, and the total number of components available for use exceeded 37 million. At the same time, the number of downloads of various libraries exceeded 2.2 trillion in 2021. With such growth and such numbers, it is not surprising that the number of vulnerabilities has increased in direct proportion,” Shabalin said.
A similar view is shared by Igor Kuznetsov, chief expert on information security threats at Kaspersky Lab. According to him, on a global scale, the problem of vulnerabilities in OpenSource components varies from year to year, but at an insignificant rate.
In contrast, Anton Prokofiev of Rostelecom-Solar noted that although open code itself does not have many more vulnerabilities, it is used more often by Russian companies, and as a result the vulnerability problem becomes more acute. According to him, this problem has become especially acute in 2022, in large part because many foreign software vendors have left Russia and their products have begun to be replaced by developments based on open source.
“This is the main reason why the demand for Open Source and its penetration into the enterprise infrastructure landscape will increase exponentially in 2022. Following the demand for OpenSource, cases of deliberate distribution of vulnerabilities in OpenSource projects for political reasons began to emerge. Significantly more incidents of vulnerabilities in OpenSource components have been recorded in Russia this year.”
At the same time, he noted that this year many Russian companies have implemented a strict moratorium on updating OpenSource software components so that security vulnerabilities do not penetrate the software with updates.
In turn, Pavel Korostelev, head of the product promotion division of the Security Code company, added that the problem is exacerbated by the use of open source software in critical areas – for the sake of system performance, but at the expense of their security.
In conclusion, Swordfish Security noted that the possible harm from the use of vulnerable code in Russian software can be offset by more active involvement of DevSecOps specialists, whose competence lies at the intersection of information security and programming. DevSecOps is about balancing production processes between speed and security. In a Swordfish Security study, they found that the continuous involvement of DevSecOps experts in the development process allows open source vulnerabilities and other issues to be caught “halfway”, while the program is still being created.