Advanced Computing in the Age of AI | Monday, July 15, 2024

Flaws Found in Security Software, Unlicensed Code 


A flurry of industry surveys have flagged open source and unlicensed software as growing security threats. Moreover, a review released by Flexera Software also found that the very security products designed to protect IT infrastructure are themselves riddled with vulnerabilities embedded in open source software.

While agreeing that malware is a growing threat, other observers counter that the culprit is the growing use of unlicensed software.

The Flexera security software survey conducted between August and October found that 11 security software products from vendors such as IBM (NYSE: IBM), McAfee and Splunk showed up on its list of 20 products with the most security vulnerabilities. Hence, the survey emphasizes that software developers need greater visibility into open source components so they can identify vulnerabilities and quickly issue security patches. Those patches are generally available as soon as vulnerabilities are announced.

The survey also warned that open source components posed a growing threat, noting that security vulnerabilities were "actually [e]mbedded in open source components used within those products."

Citing the 2014 Heartbleed security flaw in the OpenSSL cryptography library used to implement transport layer security protocols, a Flexera executive stressed that "vulnerable open source components built into software products can cause global disruption if they are not discovered and patched prior to delivering software products to customers."

Those security concerns were echoed in another report released by market watcher Forrester Research (NASDAQ: FORR) in October that warned a growing number of security products fail under direct attack by hackers. Security professionals "must demand a higher standard of security testing and remediation on security products to ensure these products don't introduce vulnerabilities like those they're trying to prevent," the Forrester report concluded.

Responding to high-profile security breaches tied to open source software bugs, vulnerabilities and other security gaps, the Linux Foundation launched an effort called the Core Infrastructure Initiative. The effort was bolstered last year with the addition of several cyber security experts along with a "badge program" designed to certify the security of open source components and, according to organizers, ensure the "long-term viability of the open source community."

Still, software vulnerability management firms such as Flexera Software, Itasca, Ill., suggest these efforts may be too little too late since security software ranks high along with web browsers and PDF readers as "attack vectors."

Open source proponents counter that efforts such as the infrastructure initiative are, in the words of Jim Zemlin Linux Foundation executive director, encouraging a "culture of secure coding practices."

Meanwhile, others note the growing role of unlicensed software in the spread of malware. They cite a May 2016 survey by the Business Software Alliance (BSA) that found a direct correlation between the use of unlicensed PC software and a higher "likelihood that users will experience potentially debilitating malware." The BSA survey also stressed the "hidden cost associated with using unlicensed software [and] the possibility of unwittingly opening up an organization to cyber risk in doing so."

Along with preventing the use of unlicensed software, experts stress that software must be regularly updated and security patches installed as soon as they are received.

Despite those warnings, a separate software asset management survey released last week by Flexera found that only 29 percent of enterprises continuously monitor their systems for security purposes to find unlicensed or unauthorized software.

(Editor's note: This story was updated to include recent findings on the role of unlicensed software in the rise of malware and other cyber security threats.)

About the author: George Leopold

George Leopold has written about science and technology for more than 30 years, focusing on electronics and aerospace technology. He previously served as executive editor of Electronic Engineering Times. Leopold is the author of "Calculated Risk: The Supersonic Life and Times of Gus Grissom" (Purdue University Press, 2016).