Open Source Software Security Risks
Open source software is very popular and makes up a significant portion of business applications. According to Synopsys, 99% of commercial databases contain at least one open source component, and nearly 75% of these codebases contain open source security vulnerabilities.
One of the major reasons why companies and developers choose to work with open source software is that it saves them from having to develop these base capabilities themselves.
Oh, and open source software is free!
Despite its advantages, open source software tends to have vulnerabilities that might impact your data and organization. In order to give you an overview of how open source security risks can impact your business, we have listed the top three open source security risks and ways to address them.
Before we dive into the article, let’s take a look at what exactly open source vulnerabilities are.
What Are Open Source Vulnerabilities?
Open source vulnerabilities are basically security risks in open source software: weaknesses in the code that allow attackers to conduct malicious attacks or perform unintended, unauthorized actions.
In some cases, open source vulnerabilities can lead to cyberattacks like denial of service (DoS). They can also cause major breaches, during which an attacker might gain unauthorized access to an organization’s sensitive information.
There are a lot of security concerns when it comes to open source software. For instance, OpenSSL is an encryption library that protects highly sensitive data in transit for a wide variety of internet-connected software, including the software that runs some of the most popular email, messaging, and web services.
Remember “Heartbleed”? It caused quite a stir: it was a critical open source vulnerability in an SSH library.
Similarly, another well-known open source vulnerability was found in 2014 in the Bash shell, the default command processor on many Linux distributions. It was an arbitrary command execution vulnerability that could be exploited remotely via server-side CGI scripts on web servers and through other mechanisms. This open source vulnerability is popularly known as “Shellshock.”
What Are the Top 3 Open Source Security Risks?
Now that you have a fair idea about what open source security risks are, let’s explore the top three open source security risks that exist today and how you can mitigate these risks.
Software Security Risks
Once discovered, open source vulnerabilities are a tempting target for attackers to exploit.
Typically, these open source vulnerabilities and the details about how to carry out the exploit are made publicly available. This enables hackers to gain all the necessary information they need to carry out an attack. Combine this with the widespread use of open source software, and you can imagine the havoc it creates when an open source vulnerability is found.
One of the major challenges organizations face while addressing open source vulnerabilities is that tracking them and their fixes isn’t as easy as one might assume.
Since these open source vulnerabilities are published across a wide variety of platforms, it becomes difficult to track them. Also, locating the updated version, patch, or fix to address the security risk is a time-consuming and expensive process.
由于這些開源漏洞是在各種各樣的平臺上發布的,因此很難跟蹤它們。 另外,查找更新的版本,補丁或修補程序以解決安全風險是耗時且昂貴的過程。
Once an open source vulnerability and its path of exploitation are published, it’s just a matter of time until attackers exploit them and hack into your organization. It is imperative that businesses integrate necessary tools and processes to quickly address open source vulnerabilities.
Publicity of Exploits
Open source vulnerabilities are made publicly available on platforms like the National Vulnerability Database (NVD), which is accessible by anyone.
A famous example of an attack enabled by a publicly known open source vulnerability was the major Equifax breach in 2017, in which the credit reporting company leaked the personal information of 143 million people. The attack took place because Equifax was using a version of the open source Apache Struts framework that had high-risk vulnerabilities, and attackers used that vulnerability to their advantage.
Such attacks on open source software not only cause data leakage or loss but also damage a company’s market reputation, valuation, and customer relationships. This, in turn, can affect your customer churn rate, retention rate, sales, and revenue. Dealing with the impact of a breach caused by open source vulnerabilities can be a lengthy and painful process.
Licensing Compliance Risks
Open source software comes with a license that allows the source code to be used, modified, or shared under defined guidelines. However, the problem with these licenses is that most of them don’t meet the stringent OSI and SPDX definitions of open source.
In addition to that, single proprietary applications often include several open source components, and these projects are released under various license types, such as GPL, Apache License, or MIT License.
Organizations are required to comply with each individual open source license, which can be quite overwhelming, especially given the rapid development and release cycles businesses follow and the fact that more than 200 open source license types exist today.
A study of 1,253 applications found that about 67% of codebases had license conflicts and 33% of codebases had unlicensed software. Non-compliance with licenses can put enterprises at the risk of legal action, impacting your operations, and financial security.
How Can You Beat These Open Source Security Risks?
Next, let’s take a closer look at the solutions to these open source security risks.
Build a Security-First Culture
Too often, developers choose to work with open source components based on the functionality and programming language they need. While functionality is important, other criteria should also be included.
For instance, an individual component of a project may offer the functionality you need without requiring you to integrate the entire project codebase. Pulling in only what you need limits the amount of open source software in your application, simplifies integration, removes the security risks carried by non-required components, and reduces source code complexity.
Open source software is just as likely to have security risks as any other software, so it’s necessary that each component you choose to work with offers functionality and is secure.
In addition to this, open source projects are usually focused on delivering new updates with new features for end users. Due to time and budget constraints, enterprises pay less attention to security and are more inclined to release the update as quickly as possible.
However, companies should balance shipping new releases against ensuring that the design, implementation, and code are secure.
One of the most important things you can do is to inventory what open source software you use and track vulnerabilities that are associated with these libraries.
Embrace Automation and Scanning for Vulnerabilities in Open Source Software
Finding and fixing vulnerabilities in open source software is a big challenge in itself. Companies need to find a way to detect all security vulnerabilities in the open source code in their environments, update the list regularly, drive developers away from old, insecure software components, and finally deploy patches whenever security vulnerabilities are found.
One way to help combat this is to incorporate automated tools that help you continuously track your open source usage and identify security weaknesses, vulnerabilities, fixes, and updates.
Automation tools for open source software help identify which packages are being used in which projects, what security vulnerabilities they contain, and how they can be fixed. These tools often come with alerting features as well. If a vulnerability is discovered, notifications are sent to the concerned development and security team to alert them about the newly found security risks.
Integrating automation to scan security vulnerabilities in open source software is especially important for large organizations, since it can be difficult to track and identify vulnerabilities in all of their source code that is in use.
Most enterprises are not even aware of the full inventory of applications they have, which leaves them more exposed to cyberattacks through unidentified vulnerabilities in the source code. A report says nearly 88% of codebases have open source components with no development activity at all in the last two years.
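As an added example (not code from the article or from Cypress Data Defense), the inventory-and-scan control described above combined with the license check from the licensing section, in Python: it takes a component inventory, matches installed versions against advisory ranges, flags licenses outside an allowlist (including unlicensed components), and builds the alert lines a scanner would send. All package names, versions, advisory ids and license data are constructed, and version strings are assumed to be plain dotted numbers.

```python
# Added example, not code from the article or from Cypress Data Defense.
# Every package, version, advisory id and licence here is constructed for
# illustration; real tools read these from a manifest and an advisory feed.

# Constructed inventory (what a dependency manifest yields): package -> version.
INVENTORY = {"webframework": "2.3.31", "cryptolib": "3.0.2",
             "copyleftutil": "1.4.0", "legacyutil": "0.9"}
# Constructed licence metadata as SPDX ids; legacyutil has none (unlicensed).
LICENSES = {"webframework": "Apache-2.0", "cryptolib": "MIT",
            "copyleftutil": "GPL-3.0-only"}
# Constructed advisories: (package, first affected, first fixed, advisory id).
ADVISORIES = [("webframework", "2.3.0", "2.3.32", "ADV-EXAMPLE-0001"),
              ("cryptolib", "3.1.0", "3.1.4", "ADV-EXAMPLE-0002")]
# Licence allowlist for a proprietary product; anything else needs legal review.
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}


def parse_version(version):
    """'2.3.31' -> (2, 3, 31), so 2.3.9 < 2.3.31 (string comparison gets this
    wrong). Assumes plain dotted numeric versions."""
    return tuple(int(part) for part in version.split("."))


def vulnerable_components(inventory, advisories):
    """Map each package whose installed version lies in an affected range
    (first affected <= version < first fixed) to the advisory ids that apply."""
    hits = {}
    for pkg, version in inventory.items():
        installed = parse_version(version)
        for adv_pkg, first_bad, first_fixed, adv_id in advisories:
            if adv_pkg == pkg and parse_version(first_bad) <= installed < parse_version(first_fixed):
                hits.setdefault(pkg, []).append(adv_id)
    return hits


def license_violations(inventory, licenses, allowed):
    """Packages whose licence is off the allowlist; missing metadata is reported
    as 'UNLICENSED' rather than silently passing."""
    found = {pkg: licenses.get(pkg, "UNLICENSED") for pkg in inventory}
    return {pkg: lic for pkg, lic in found.items() if lic not in allowed}


def alerts(inventory, advisories, licenses, allowed):
    """The notification lines a scanner would send to the dev and security teams."""
    lines = [f"VULN {pkg} {inventory[pkg]}: {', '.join(ids)}"
             for pkg, ids in vulnerable_components(inventory, advisories).items()]
    lines += [f"LICENSE {pkg}: {lic} not in allowlist"
              for pkg, lic in license_violations(inventory, licenses, allowed).items()]
    return lines


if __name__ == "__main__":
    print("\n".join(alerts(INVENTORY, ADVISORIES, LICENSES, ALLOWED_LICENSES)))
```

Running it against the constructed data reports one vulnerable component, one copyleft license and one unlicensed component; in practice the inventory would be regenerated on every build so that newly published advisories are caught.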
Cross-Train Your Staff
It’s not always easy or even possible to hire professionals who are experts in both development and security. It is, however, possible to train your teams so that they can approach the issues from both ends. While it isn’t always easy to hold regular cybersecurity awareness training for different teams, it’s critical for the overall security of your projects.
Enterprises should ensure that their developers have a general understanding of cybersecurity, as well as the latest trends and updates. Your developers should be able to identify common security issues that arise in open source code, if not fix them.
Similarly, the security team should be involved in the development process from the early stages. Rather than making security an after-thought, it should be a priority from the very beginning of a project.
Just as you analyze and track your development process, you should proactively monitor your security efforts as well. Taking a proactive approach can go a long way in being prepared to handle open source security risks.
Final Thoughts
Open source is an excellent model that can be found in many of today’s projects. However, to ensure secure open source code, you need to acknowledge the security risks that come with open source software. You have to make sure that each of your open source components delivers value to the project and is secure.
Cypress Data Defense helps companies run security audits and strengthen the overall security of their projects by recommending the best security practices.
We help enterprises create a roadmap for releasing secure updates, and we provide open source support, scanning, monitoring, and solutions for leveraging open source software safely and effectively. With Cypress Data Defense, organizations can gain the necessary control over their open source components to mitigate open source security risks while increasing their cost savings.
About the Author:
Steve Kosten is a Principal Security Consultant at Cypress Data Defense and an instructor for the SANS DEV541 Secure Coding in Java/JEE: Developing Defensible Applications course.
Translated from: https://towardsdatascience.com/3-open-source-security-risks-and-how-to-address-them-82f5cc776bd1