Mini programs (lightweight, ready-to-run apps) give users a fast, convenient experience: they need no separate installation, are small, quick to develop and cheap to maintain, and avoid compatibility problems, which benefits developers and users alike. As mini programs have spread, development companies under pressure to finish quickly often pull open source mini-program code from the Internet. Some of them neither understand the relevant open source licensing terms nor run any security testing on the code before using it. This is a cheap way to build an application, but, infringement questions aside, who pays for the data security and privacy risks hidden behind that open source code?

Open source code carries hidden security vulnerabilities

In May 2019, GitHub users were extorted by hackers: the source code and data of more than 370 users were deleted by an account called “Gitb Ackup.” At the same time, 392 code repositories on Microsoft’s open source development platform were wiped by hackers. Some analysts attribute these attacks on open source platforms to vulnerabilities in applications developed on the platforms, which the hackers exploited.

According to a Gartner survey, 99 percent of organizations use open source software in their IT systems. With agile development and rapid iteration now the norm, application development is no longer as simple as it used to be: besides the code a team writes itself, a codebase contains many components, including open source code, reused code, commercial applications, third-party libraries and outsourced development. This mixed development model is what introduces security risk into the source code.

According to Snyk’s 2019 State of Open Source Security Survey, “the number of vulnerabilities in applications has increased by 88% in the past two years, with package manager (NPM) vulnerabilities increasing by 47% in 2018 alone.”

Free and open source software is built on openness, participation and exchange. On the one hand, developers who lack security awareness or technical skill easily introduce vulnerabilities; on the other hand, malicious actors cannot be kept out, and behavior such as planting a Trojan in an open source project introduces supply chain security risk, which in turn threatens our data security.

According to WhiteSource, the number of reported open source software vulnerabilities surged past 6,000 in 2019, an increase of nearly half. 96.8% of developers rely on open source software, yet patches for open source vulnerabilities are often not applied. China’s software supply chain security analysis report shows that more than half of application projects contain high-risk open source vulnerabilities. Such holes in open source software are likely to be exploited and can cause great damage.

How dangerous are open source vulnerabilities?

Vulnerabilities in open source components are publicized quickly. The purpose of disclosure is to let more people learn of the bug and make the necessary fixes, but the same information is also available to malicious actors. It costs them little effort to learn which components are vulnerable and how the flaws can be exploited; they then only need to identify companies with poor security systems, weak security awareness and slow response, and strike before the vulnerability is patched.

How to avoid vulnerability risk when using open source code?

Avoiding open source code altogether is impossible, so how can the risk of code vulnerabilities be reduced when open source code is used to develop application software?

  1. Use a professional software composition analysis (SCA) tool to inspect the code: identify the components the code is made of, then check each component for license compliance risk and known security vulnerabilities;

  2. During code testing, use a static application security testing (SAST) tool, fuzz testing and other methods to find defects in the code and improve its quality.
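To make step 1 concrete, here is an added example (not code from the original article or from any product it mentions) of what an SCA check does at its core: it inventories a dependency manifest, matches each component against an advisory feed, and flags both known vulnerabilities and licenses outside an approved list. The manifest, the advisory feed (with placeholder identifiers, not real advisory numbers) and the license policy are all constructed for illustration.

```python
"""Minimal software-composition-analysis (SCA) style check.

Hypothetical, self-contained example: the manifest, the advisory feed and
the license policy below are constructed for illustration and are not
real data. The advisory identifiers are placeholders, not real advisories.
"""
import json
import re
from dataclasses import dataclass

# Constructed advisory feed: package -> list of advisories. Each advisory
# says that all versions below "affected_below" are vulnerable.
ADVISORIES = {
    "left-widget": [{"affected_below": "2.4.1", "id": "ADV-PLACEHOLDER-1", "severity": "high"}],
    "fastparse":   [{"affected_below": "1.0.9", "id": "ADV-PLACEHOLDER-2", "severity": "medium"}],
}

# Constructed license policy: licenses approved for use in a proprietary
# product. Anything else (e.g. strong copyleft) is flagged for review.
APPROVED_LICENSES = {"MIT", "BSD-3-Clause", "Apache-2.0", "ISC"}

# Constructed manifest in npm package-lock style (name -> version/license).
MANIFEST = json.dumps({
    "dependencies": {
        "left-widget": {"version": "2.3.0", "license": "MIT"},
        "fastparse":   {"version": "1.2.0", "license": "GPL-3.0-only"},
        "colorsafe":   {"version": "0.9.0", "license": "Apache-2.0"},
    }
})


@dataclass
class Finding:
    package: str
    version: str
    kind: str      # "vulnerability" or "license"
    detail: str


def parse_version(v):
    """Turn '2.3.0' into (2, 3, 0) for ordering; non-numeric parts become 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-+]", v)[:3])


def inventory(manifest_json):
    """Step 1a: build the component inventory (name -> (version, license))."""
    data = json.loads(manifest_json)
    return {name: (meta["version"], meta.get("license", "UNKNOWN"))
            for name, meta in data["dependencies"].items()}


def scan(manifest_json):
    """Step 1b: check every component for known vulnerabilities and
    license-compliance risk; returns the list of findings."""
    findings = []
    for name, (version, license_id) in inventory(manifest_json).items():
        for adv in ADVISORIES.get(name, []):
            if parse_version(version) < parse_version(adv["affected_below"]):
                findings.append(Finding(
                    name, version, "vulnerability",
                    f'{adv["id"]} ({adv["severity"]}): fixed in {adv["affected_below"]}'))
        if license_id not in APPROVED_LICENSES:
            findings.append(Finding(
                name, version, "license",
                f"{license_id} is not on the approved list; review before shipping"))
    return findings


if __name__ == "__main__":
    for f in scan(MANIFEST):
        print(f"[{f.kind}] {f.package}@{f.version}: {f.detail}")
```

On the constructed manifest this reports two findings: left-widget 2.3.0 is below the fixed version 2.4.1, and fastparse carries a GPL-3.0-only license that is not on the approved list (its version 1.2.0 is already above the affected range, so it gets no vulnerability finding). A real SCA tool does the same two things at scale, with a maintained advisory database and full semver range matching instead of this simple tuple comparison.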

As the use of open source code keeps growing, so does the potential risk from security vulnerabilities in open source software; once a vulnerability breaks out, it can disrupt the normal operation of an entire industry or even society. With efficient and appropriate security management tools and cautious, rational use of open source code, a company can avoid infringement of open source licenses and prevent open source management risks such as security vulnerabilities, while also reducing application development cost, improving development efficiency and strengthening data security against network attacks, and thereby win in the market.

Reference links:

www.woocoom.com/b021.html?i…

www.gjbmj.gov.cn/n1/2020/112…