Open Source Poses A Security Risk But SCA And RASP Can Be Of Assistance


Web applications are constructed using twisted spaghetti-like open source software (OSS) that has amusingly strange names like Apache, Struts, or Log4j and which may create security risks due to recently found flaws. An agonising example was the straightforward logging programme Log4j. It was found to have a significant security hole in December 2021, which was quickly exploited after becoming public knowledge.

Mind you, it’s not that open source software (OSS) is more prone to security issues than proprietary software. No, the issue is how widely used these open source components are. In the event that one of them has a vulnerability, thousands or even millions other applications might potentially be exploited. There are several tools available to scan code. But the development of contemporary software cannot be done with these scanners. They blare out so many false positives that the signals eventually go unheeded.

Thankfully, modern technologies adopt a strategy that is more appropriate for creating contemporary software applications. These instruments, known as Software Composition Analysis (SCA), examine your open source libraries in comparison to the MITRE vulnerabilities database. One such example is CodeSec, a free tool from Contrast that you can use to scan the libraries of your application for known vulnerabilities.

However, SCA won’t shield you against zero-day flaws like Log4j and Spring4Shell. Runtime defence must be incorporated into your programmes for this. In the case of Log4j, you didn’t need to be aware of the vulnerability in the Log4j library if you were using Runtime Application Self-Protection (RASP). Instead, RASP would’ve picked up on application behaviour linked to typical web application flaws, such the injection attack made possible by the Log4j flaw.

Customers that used our Contrast Protect RASP tool found that their apps couldn’t be exploited when tested for Log4j. That allows their developers to spend the weekend at home instead of looking for Log4j and applying patches. Fear not the OSS. Just make sure you have the necessary equipment to guarantee a well-behaved visitor inside your application, one that allows your developers to unwind on the weekend.


Please enter your comment!
Please enter your name here