
Top 10 open source software risks for 2023

According to a report by Endor Labs, known vulnerabilities, compromise of legitimate packages, and name confusion attacks are expected to be among the top ten open source software risks in 2023.
The other major open source software risks, according to the report, include unmaintained software, outdated software, untracked dependencies, license risk, immature software, unapproved changes, and under/oversized dependencies.
Almost 80% of the code in modern applications is code that relies on open source packages. While open source software is the bedrock of modern software development, it is also the weakest link in the software supply chain, Endor Labs said in its report.
Since open source software comes as-is, without warranties of any kind, any risk of using it rests solely with the users. This makes the selection, security, and maintenance of these open source dependencies crucial steps towards software supply chain security, the report said.
The Endor Labs report covers both operational and security issues associated with open source components that can lead to compromised systems, data breaches, broken compliance, and hampered availability. The report features contributions from 20 industry experts, including CISOs from HashiCorp, Adobe, Palo Alto Networks, and Discord.
1. Top three open source security risks
According to the report, known vulnerabilities are the top risk associated with open source software. This risk occurs when a component version contains vulnerable code that was accidentally introduced by its developers. If a known vulnerability is exploited by a threat actor, it could compromise the confidentiality, integrity, or availability of the affected system or its data, the Endor Labs report said.
CVE-2017-5638 in Apache Struts, which caused the Equifax data breach, and CVE-2021-44228 in Apache Log4j, also known as Log4Shell, are examples of known vulnerabilities.
To avoid the risk of known vulnerabilities, Endor Labs recommends scanning open source software regularly, and organizations should prioritize the findings to optimize resource allocation.
Compromise of a legitimate package is the second biggest risk that open source software carries. Attackers may compromise resources that are part of an existing legitimate project or of its distribution infrastructure in order to inject malicious code into a component, for example by hijacking the accounts of legitimate project maintainers or by exploiting vulnerabilities in package repositories. The SolarWinds cyberattack was the result of a compromise of a legitimate package.
The third biggest open source software risk is name confusion attacks, in which an attacker creates components whose names resemble the names of legitimate open source or system components (typosquatting), suggest trustworthy authors (brandjacking), or play with common naming patterns in different languages or ecosystems.
To avoid this risk, the report said, organizations need to check code characteristics both before and after installation hooks, and check project characteristics such as the source code repository, maintainer accounts, release frequency, and number of downstream users. An example of this risk is the Colourama attack, a typosquatting attack on the legitimate Python package called "Colorama" that redirected Bitcoin transfers to an attacker-controlled wallet.
2. Top three operational risks
Along with the top security risks that open source software carries, the Endor Labs report also analyzed the biggest operational risks it can pose.
According to the report, unmaintained software, meaning a component or component version that is no longer actively developed, so that patches for functional and security bugs are not available, is the top operational risk posed by open source software.
In this case, patch development has to be done by downstream developers, resulting in increased effort and longer resolution times. During that time, the system remains exposed. Outdated software, not to be confused with unmaintained software, is another big risk of open source software. This refers to a project that may be using an old, outdated version of a component even though newer versions exist.
If the version of a component in use is far behind the latest releases of the dependency, it can be difficult to perform timely updates in emergency situations. Older versions of a component may also not receive the same level of security assessment as recent versions.
"If a new version is syntactically or semantically incompatible with the version currently in use, application developers may require significant update or migration efforts to resolve the incompatibility," the report said.
The third biggest operational risk of open source software is untracked dependencies. This occurs when the project developers are not aware of a dependency on a component at all, either because it is not part of an upstream component's software bill of materials, because software component analysis (SCA) tools do not detect it, or because the dependency was not established through a package manager.
Developers must evaluate and compare SCA tools for their ability to produce accurate bills of materials, the report said.
3. Risks associated with open source software are increasing
As the use of open source has increased over the years, other cybersecurity firms have also highlighted the risks it poses.
At least one known open source vulnerability was detected in 84% of all commercial and proprietary code bases examined by researchers at application security company Synopsys.
In addition, 48% of all code bases analyzed by Synopsys researchers contained high-risk vulnerabilities, meaning vulnerabilities that have been actively exploited, already have documented proof-of-concept exploits, or are classified as remote code execution vulnerabilities.

This article was reprinted by 数字化转型网 (www.szhzxw.cn) from 数智化转型网; editor: 默然, 数字化转型网.

