Addressing open source security gaps [Q&A]
Organizations face significant challenges with open source security, primarily because vulnerabilities in open source components are disclosed far faster than organizations remediate them.
This gap leaves security teams permanently catching up against an ever-growing backlog of vulnerabilities that pose serious threats to their systems.
Despite being aware of these vulnerabilities, organizations often find it difficult to address them effectively due to several factors. We spoke to Itamar Sher, CEO of Seal Security, to learn more about the issue and how it can be addressed.
BN: What are the major security gaps organizations are encountering with open-source security today?
IS: One of the primary challenges is the sheer volume of vulnerabilities that exist across different business units, accumulating into millions of vulnerable instances. This overwhelming number, often referred to as vulnerability overload, makes it difficult to prioritize and address each issue systematically.
Compounding this challenge is the issue of incentive misalignment. The research and development (R&D) teams, who are tasked with remediation efforts, often lack the necessary motivation to carry out this work. Without proper incentives, the drive to undertake the complex and tedious process of addressing vulnerabilities diminishes.
The process of remediation itself is plagued with inefficiencies. A significant amount of time is wasted in just identifying the appropriate owner of a vulnerability and then providing them with the necessary guidelines for remediation. This bureaucratic red tape further delays the resolution of security issues.
Another issue is that organizations face limited options. Typically, the only strategy available is to update the components that are vulnerable. While this might seem straightforward, the reality is far more complicated. The open source community, which many organizations rely on for their components, does not have a streamlined process for providing standalone security patches. This means that any security patching is entangled with other code changes, requiring developers to manually review each update to avoid potentially breaking their production.
Lastly, organizations, unable to patch transitive dependencies themselves, must rely on community efforts to address these issues.
The response from other security vendors to these challenges typically involves helping organizations prioritize vulnerabilities more effectively, in an attempt to manage the overwhelming number of issues. By focusing on prioritization, these vendors aim to shift the responsibility for patching onto the developers, while assisting security teams in identifying the right individuals for remediation tasks. However, this strategy often falls short. Even after deprioritizing a significant portion of the vulnerabilities, developers may still be overwhelmed by the remaining number, resulting in a backlog that continues to grow, further exacerbating the security risks faced by organizations.
BN: Open-source is not new. Have security gaps become more prevalent in the last few years?
IS: Yes, the security gaps associated with open source software have become more prevalent and pronounced for several reasons:
- Increased use of open source software: The adoption of open source by organizations of all sizes has seen a significant increase, driven by its flexibility, cost-effectiveness, and innovation. This widespread adoption has naturally led to an increase in the visibility and impact of its security vulnerabilities.
- Growth in complexity and interdependencies: Modern open source projects are becoming increasingly complex, with a web of dependencies where a single project may rely on hundreds of other libraries. Even when these are updated, they often contain breaking changes, leaving developers wary of upgrades. This complexity, coupled with legacy code often rife with old, vulnerable libraries in codebases that are no longer regularly maintained, has significantly escalated the challenge of tracking and securing every component.
- Evolution of the threat landscape: Cyber threats have become more sophisticated and targeted. Attackers exploit vulnerabilities in open source components, knowing that these can be present in multiple applications across many organizations. Moreover, 25 percent of open source vulnerabilities are exploited on the very day they're discovered, making the time to fix vulnerabilities critically important.
- Scaling beyond community support: The community-driven support model sometimes struggles to keep pace with security needs. While the open source community is very responsive and diligent, the sheer volume of vulnerabilities discovered can outpace the ability to remediate them promptly. Open source projects rely on community support for patches and updates, which can result in delays in addressing security vulnerabilities, especially in less popular or abandoned projects.
- Limitations of software composition analysis (SCA) and prioritization tools: More than 60 percent of organizations typically rely on SCA and prioritization tools to ensure timely updates and patches for third-party libraries. However, these methods often fall short of providing complete coverage. While they do offer valuable data, they frequently lack the capability to assist in the remediation process. Prioritization tools have been developed to provide a more focused list of critical vulnerabilities; however, resolving these issues remains a challenge.
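The transitive-dependency problem raised in the first answer (the only available fix is to update a component, and a vulnerable library may be pulled in by several direct dependencies) and the SCA/SBOM gap described in the last bullet above can be made concrete. The following is an added example, not code from the original article or from Seal Security: it walks a constructed CycloneDX-style SBOM, matches components against constructed placeholder advisories (EXAMPLE-0001 and EXAMPLE-0002 are not real identifiers), traces each vulnerable component back to every direct dependency that pulls it in, and checks whether a candidate override version actually lands at or above the fixed release. The package names, versions and ranges are all assumptions made up for the illustration.

```python
"""Trace vulnerable transitive dependencies in a CycloneDX-style SBOM to the direct
dependencies that must be bumped, and check that a candidate fix version is a fix.
Added example with constructed data; nothing here is a real project or advisory."""
import json

# Constructed, minimal CycloneDX-like SBOM. 'dependencies' is the graph: ref -> dependsOn.
SBOM_JSON = r"""
{
  "metadata": {"component": {"bom-ref": "pkg:npm/webshop@1.0.0", "name": "webshop", "version": "1.0.0"}},
  "components": [
    {"bom-ref": "pkg:npm/http-router@4.2.1", "name": "http-router", "version": "4.2.1"},
    {"bom-ref": "pkg:npm/template-engine@2.0.3", "name": "template-engine", "version": "2.0.3"},
    {"bom-ref": "pkg:npm/path-util@1.1.0", "name": "path-util", "version": "1.1.0"},
    {"bom-ref": "pkg:npm/deep-merge@3.0.1", "name": "deep-merge", "version": "3.0.1"},
    {"bom-ref": "pkg:npm/logger@0.9.0", "name": "logger", "version": "0.9.0"}
  ],
  "dependencies": [
    {"ref": "pkg:npm/webshop@1.0.0", "dependsOn": ["pkg:npm/http-router@4.2.1", "pkg:npm/template-engine@2.0.3", "pkg:npm/logger@0.9.0"]},
    {"ref": "pkg:npm/http-router@4.2.1", "dependsOn": ["pkg:npm/path-util@1.1.0"]},
    {"ref": "pkg:npm/template-engine@2.0.3", "dependsOn": ["pkg:npm/deep-merge@3.0.1", "pkg:npm/path-util@1.1.0"]},
    {"ref": "pkg:npm/path-util@1.1.0", "dependsOn": []},
    {"ref": "pkg:npm/deep-merge@3.0.1", "dependsOn": []},
    {"ref": "pkg:npm/logger@0.9.0", "dependsOn": []}
  ]
}
"""

# Constructed advisories (placeholder IDs, not CVE/GHSA): affected range is introduced <= v < fixed.
ADVISORIES = {
    "path-util": {"id": "EXAMPLE-0001", "introduced": "1.0.0", "fixed": "1.1.2"},
    "deep-merge": {"id": "EXAMPLE-0002", "introduced": "3.0.0", "fixed": "3.0.2"},
}


def parse_version(version):
    """'MAJOR.MINOR.PATCH' -> comparable tuple of ints (pre-release tags not handled)."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version, advisory):
    """OSV-style range check: introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def load_graph(sbom_json):
    """Return (root_ref, {ref: component}, {ref: [child refs]}); the root is the SBOM's own component."""
    sbom = json.loads(sbom_json)
    root = sbom["metadata"]["component"]["bom-ref"]
    components = {c["bom-ref"]: c for c in sbom["components"]}
    components[root] = sbom["metadata"]["component"]
    edges = {d["ref"]: list(d.get("dependsOn", [])) for d in sbom["dependencies"]}
    return root, components, edges


def paths_to(edges, root, target):
    """Every chain root -> ... -> target, depth-first; a node already on the path is skipped (cycle guard)."""
    found = []

    def walk(node, path):
        if node == target:
            found.append(path)
            return
        for child in edges.get(node, []):
            if child not in path:
                walk(child, path + [child])

    walk(root, [root])
    return found


def remediation_report(sbom_json, advisories):
    """For each vulnerable component: the advisory, every chain from the root, and the set of
    direct dependencies pulling it in. Bumping or overriding fewer than all of them leaves a copy."""
    root, components, edges = load_graph(sbom_json)
    report = []
    for ref, comp in components.items():
        adv = advisories.get(comp["name"])
        if adv is None or not is_affected(comp["version"], adv):
            continue
        chains = paths_to(edges, root, ref)
        report.append({
            "component": f'{comp["name"]}@{comp["version"]}',
            "advisory": adv["id"],
            "fixed_in": adv["fixed"],
            "direct_dependencies": sorted({components[p[1]]["name"] for p in chains if len(p) > 1}),
            "chains": [" -> ".join(components[r]["name"] for r in p) for p in chains],
        })
    return report


def fix_clears(name, candidate_version, advisories):
    """True only if the override lands at or above the fixed release. A version below 'introduced'
    is outside the affected range too, but a downgrade is not a remediation, so it is rejected."""
    return parse_version(candidate_version) >= parse_version(advisories[name]["fixed"])


if __name__ == "__main__":
    for entry in remediation_report(SBOM_JSON, ADVISORIES):
        print(f'{entry["component"]} ({entry["advisory"]}, fixed in {entry["fixed_in"]})')
        for chain in entry["chains"]:
            print("   ", chain)
        print("    bump or override via:", ", ".join(entry["direct_dependencies"]))
```

On real data the SBOM would come from an SBOM generator and the ranges from an advisory database; the shape of the output is what matters here. A single SCA finding for path-util turns out to have two owners (http-router and template-engine), so fixing one direct dependency still ships the vulnerable copy through the other, and a package-manager override only counts as a fix when the pinned version reaches the fixed release.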
BN: Is AI contributing to the problem?
IS: Yes, absolutely. AI enables hackers to write exploits for open source vulnerabilities at a much faster pace. The capabilities of AI systems to analyze vast amounts of data, learn from patterns, and automate tasks can be exploited by malicious actors.
They can use AI to identify vulnerabilities in software, particularly open source software, more quickly than before. This not only shortens the time frame to respond but also increases the efficiency and sophistication of cyber attacks. Consequently, while AI offers numerous benefits across various sectors, its potential misuse in cybersecurity represents a significant challenge, highlighting the need for robust security measures and application of AI technologies.
BN: Are there any best practices that organizations could put into action?
IS: As organizations continue to increase their security practices, the implementation of advanced tools, comprehensive training, and regular scanning becomes more critical. While the adoption of essential security tools like SCA and SAST is on the rise, it is not enough. An automated streamlined solution is necessary to keep pace with the constantly growing and evolving vulnerabilities and threat landscape within open source. The integration of SBOMs and adherence to security frameworks such as SLSA represent steps in the right direction. Nonetheless, the challenge of streamlining and expediting vulnerability management remains. With open source communities establishing new benchmarks in reducing time-to-fix metrics, there emerges a significant opportunity for a solution that not only maintains this momentum but also accelerates it.
BN: How does Seal Security help with this growing problem?
IS: Seal Security provides organizations with centralized control over the vulnerability patching process, eliminating the need for R&D team involvement. Offering standalone security patches in five programming languages, Seal Security ensures seamless and predictable remediation of vulnerabilities in direct and transitive dependencies, regardless of public maintainers' involvement. This enables security teams to respond immediately, reducing Mean Time to Repair from weeks to hours and significantly decreasing manual effort and technical debt.
Image credit: Yuryz/Dreamstime.com