The use of third-party code has become essential to software development. Available as open source or off the shelf, this third-party code shortens production time and costs, while enabling developers to focus on client-specific features. These pre-packaged bundles of code might seem like a boon, but they can lead to headaches, negative financial impact, and loss of client trust.
A $2 Million Payout
Polygon, a blockchain technology company, paid out a $2 million bug bounty for the discovery of a ‘double spend’ vulnerability. This flaw enabled malicious agents to double the amount of cryptocurrency they could withdraw up to 233 times by creating alternative exits for a single burn transaction.
Where did this vulnerability come from? Gerhard Wagner, the ethical hacker who uncovered the flaw, proposes that it came from third-party code found in the Plasma network. He figures the code was used without the developer “having a 100% understanding of what it does.”
Vulnerabilities in open-source code aren’t uncommon, and more than a few have made the news in the past decade. The existence of yearly top-ten lists of vulnerabilities suggests a certain ubiquity.
Zero-Trust. Unless It’s Code You Found on GitHub
Unmoderated reliance on third-party code isn’t a new problem. Back in 2015, a survey by Black Duck Software – acquired by Synopsys in 2017 – found that 78% of those surveyed said their organization uses open-source software to run some or all of its operations. 66% of those surveyed said that software created for clients was also built on open-source software.
Today, the percentage of commercial software that uses open-source code is estimated at 99% according to the 2020 OSSRA report from the Synopsys Cybersecurity Research Center. Shockingly, the report also estimated that, as of 2020, 91% of codebases “contain components that were more than four years out of date or had seen no development activity in the last two years.”
This report should strike fear into the heart of even the most grizzled CISO, COO, or IT manager. How many organizations keep a well-documented database of all the third-party software used in their daily operations? An organization might use hundreds or thousands of out-of-the-box or in-house applications, built on top of many more third-party components. There are surely a few meticulous folks out there, but the average cybersecurity or IT team doesn’t have the time, staff, or finances to sift through the existing third-party components without external pressure to do so.
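As an added illustration of the kind of inventory check the report’s figures call for (this is example code written for this post, not from Synopsys or any product): a small script that takes a constructed component inventory and flags each entry against the two staleness criteria quoted above, a version in use more than four years old, or no upstream activity in the last two years. The component names, dates and the `Component` record layout are hypothetical.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List

# Staleness thresholds taken from the OSSRA figures quoted above.
OUT_OF_DATE_YEARS = 4   # version in use is more than four years old
INACTIVE_YEARS = 2      # no upstream development activity in two years


@dataclass
class Component:
    name: str
    installed_version: str
    installed_released: date        # release date of the version actually in use
    last_upstream_activity: date    # most recent upstream release or commit


def assess(components: List[Component], today: date) -> Dict[str, List[str]]:
    """Bucket each component as out_of_date, inactive (or both) or ok.

    A component can land in both 'out_of_date' and 'inactive'; it is only
    'ok' when neither criterion fires.
    """
    out_of_date_cutoff = today - timedelta(days=365 * OUT_OF_DATE_YEARS)
    inactive_cutoff = today - timedelta(days=365 * INACTIVE_YEARS)
    report: Dict[str, List[str]] = {"out_of_date": [], "inactive": [], "ok": []}
    for c in components:
        flagged = False
        if c.installed_released < out_of_date_cutoff:
            report["out_of_date"].append(c.name)
            flagged = True
        if c.last_upstream_activity < inactive_cutoff:
            report["inactive"].append(c.name)
            flagged = True
        if not flagged:
            report["ok"].append(c.name)
    return report


# Constructed sample inventory (hypothetical components, not real packages).
SAMPLE = [
    Component("libfoo", "1.2.0", date(2015, 3, 1), date(2021, 6, 1)),    # old pin, upstream alive
    Component("barjs", "0.9.1", date(2020, 1, 15), date(2020, 1, 15)),   # upstream abandoned
    Component("bazutil", "3.4.0", date(2022, 5, 10), date(2023, 2, 1)),  # healthy
]

if __name__ == "__main__":
    for bucket, names in assess(SAMPLE, date(2023, 6, 1)).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

In practice the inventory would be generated from an SBOM or lockfile rather than typed in, but the classification step is the same.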
What to Do?
So, what can an organization do to combat the potential unknown vulnerabilities lurking in the tangle of legacy software and unpatched applications? Get organized and automate. An all-in-one vulnerability management system like TOPIA can identify all of the applications in use across your organization, catalogue known vulnerabilities, and identify potential unknown vulnerabilities. Patches can be implemented manually or automatically to individual endpoints or across the entire organization. Increase efficiency while giving your IT and cybersecurity teams the support they need to succeed.
Sources:
https://gerhard-wagner.medium.com/double-spending-bug-in-polygons-plasma-bridge-2e0954ccadf1
2017 SAFECode – Managing Security Risks Inherent in the Use of Third-party C
Photo by Breana Panaguiton on Unsplash