Open Source Software Security Risks

Open source software is very popular and makes up a significant portion of business applications. According to Synopsys, 99% of commercial databases contain at least one open source component, and nearly 75% of these codebases contain open source security vulnerabilities.

One of the major reasons why companies and developers choose to work with open source software is that it saves them from having to develop these base capabilities themselves.

Oh, and open source software is free!

Despite its advantages, open source software tends to have vulnerabilities that might impact your data and organization. In order to give you an overview of how open source security risks can impact your business, we have listed the top three open source security risks and ways to address them.

Before we dive into the article, let’s take a look at what exactly open source vulnerabilities are.

What Are Open Source Vulnerabilities?

Open source vulnerabilities are, put simply, security risks in open source software: weaknesses in the code that allow attackers to mount malicious attacks or perform unintended actions they are not authorized to perform.

In some cases, open source vulnerabilities can lead to cyberattacks such as denial of service (DoS). They can also cause major breaches in which an attacker gains unauthorized access to an organization's sensitive information.

There are a lot of security concerns when it comes to open source software. For instance, OpenSSL is an encryption library responsible for managing highly sensitive data transmission functions by a wide variety of internet-connected software including the software that runs some of the most popular email, messaging, and web services.

Remember “Heartbleed”? Yes, that caused quite a stir! It was a critical open source vulnerability in an SSL library.

Similarly, another widely publicized open source vulnerability was found in 2014 in the Bash shell, the default command processor on many Linux distributions. It was an arbitrary command execution vulnerability that could be exploited remotely via server-side CGI scripts on web servers, among other mechanisms. This open source vulnerability is popularly known as “Shellshock.”

What Are the Top 3 Open Source Security Risks?

Now that you have a fair idea about what open source security risks are, let’s explore the top three open source security risks that exist today and how you can mitigate these risks.

Software Security Risks

Open source vulnerabilities, once discovered, are a tempting target for attackers.

Typically, these open source vulnerabilities and the details about how to carry out the exploit are made publicly available. This enables hackers to gain all the necessary information they need to carry out an attack. Combine this with the widespread use of open source software, and you can imagine the havoc it creates when an open source vulnerability is found.

One of the major challenges organizations face when addressing open source vulnerabilities is that tracking them and their fixes isn’t as easy as one might assume.

Since these open source vulnerabilities are published across a wide variety of platforms, it becomes difficult to track them. Also, locating the updated version, patch, or fix to address the security risk is a time-consuming and expensive process.

Once an open source vulnerability and its path of exploitation are published, it’s just a matter of time until attackers exploit them and hack into your organization. It is imperative that businesses integrate necessary tools and processes to quickly address open source vulnerabilities.

Publicity of Exploits

Open source vulnerabilities are made publicly available on platforms like the National Vulnerability Database (NVD), which is accessible by anyone.

A famous example of an attack enabled by a publicly known open source vulnerability was the major Equifax breach in 2017, in which the credit reporting company leaked the personal information of 143 million people. The attack succeeded because Equifax was running a version of the open source Apache Struts framework that had high-risk vulnerabilities, and attackers used that vulnerability to their advantage.

Such attacks on open source software not only cause data leakage or loss but also damage a company’s market reputation, valuation, and customer relationships. This, in turn, can affect your customer churn rate, retention rate, sales, and revenue. Dealing with the impact of a breach caused by open source vulnerabilities can be a lengthy and painful process.

Licensing Compliance Risks

Open source software comes with a license that allows the source code to be used, modified, or shared under defined guidelines. However, the problem with these licenses is that most of them don’t meet the stringent OSI and SPDX definitions of open source.

In addition to that, a single proprietary application often includes several open source components, and these projects are released under various license types, such as the GPL, the Apache License, or the MIT License.

Organizations are required to comply with each individual open source license, which can be quite overwhelming. This is especially true given the rapid development and release cycles businesses follow, combined with the fact that some 200-plus open source license types exist today.

A study of 1,253 applications found that about 67% of codebases had license conflicts and 33% of codebases had unlicensed software. Non-compliance with licenses can put enterprises at the risk of legal action, impacting your operations, and financial security.
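The license-conflict and unlicensed-component checks described in this section, as an added example that is not code from the original article or from Cypress Data Defense: it audits a constructed component inventory against a simple SPDX-based policy, handling dual-licensed (`OR`) and combined (`AND`) expressions as well as components with no license at all. The package names, versions, the `Custom-Foo-1.0` identifier and the policy grouping are all assumptions made for illustration, not legal advice.

```python
from dataclasses import dataclass

# Constructed policy for this example. The identifiers are real SPDX ids, but
# the grouping is a simplification for illustration, not legal advice.
PERMISSIVE = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"}
WEAK_COPYLEFT = {"LGPL-2.1-only", "LGPL-3.0-only", "MPL-2.0"}
STRONG_COPYLEFT = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"}

@dataclass(frozen=True)
class Component:
    name: str
    version: str
    license_expr: str  # SPDX expression declared by the package, "" if none

def license_allowed(lic: str, distribution: str) -> bool:
    """Check one SPDX identifier against the policy for a distribution model."""
    if lic in PERMISSIVE or lic in WEAK_COPYLEFT:
        return True
    if lic in STRONG_COPYLEFT:
        # Acceptable when the application is itself released under a compatible
        # open source license, not when it ships as a proprietary product.
        return distribution != "proprietary"
    return False  # unknown identifier: fail closed and route to legal review

def expression_allowed(expr: str, distribution: str) -> bool:
    """Evaluate a flat SPDX expression (AND / OR, no parentheses).
    'A OR B' passes if any alternative passes; 'A AND B' needs every term."""
    if not expr.strip():
        return False  # unlicensed: no rights granted at all
    return any(
        all(license_allowed(t.strip(), distribution) for t in alt.split(" AND "))
        for alt in expr.split(" OR ")
    )

def audit(components, distribution="proprietary"):
    """Return (name, version, reason) for each component that violates policy."""
    findings = []
    for c in components:
        if not c.license_expr.strip():
            findings.append((c.name, c.version, "no license declared"))
        elif not expression_allowed(c.license_expr, distribution):
            findings.append((c.name, c.version,
                             f"'{c.license_expr}' not allowed for {distribution} use"))
    return findings

# Constructed inventory; names and versions are placeholders, not real packages.
SAMPLE_INVENTORY = [
    Component("http-helper", "1.4.2", "MIT"),
    Component("json-fast", "0.9.0", "Apache-2.0 OR GPL-3.0-only"),  # dual-licensed
    Component("crypto-shim", "2.1.0", "GPL-2.0-only AND MIT"),      # both apply
    Component("legacy-util", "0.1.0", ""),                           # unlicensed
    Component("rare-lib", "3.3.1", "Custom-Foo-1.0"),                # unknown id
]
```

Running `audit(SAMPLE_INVENTORY)` flags `crypto-shim`, `legacy-util` and `rare-lib`; the same inventory audited with `distribution="open-source"` clears `crypto-shim`, showing why the policy must know how the application itself is distributed.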

How Can You Beat These Open Source Security Risks?

Next, let’s take a closer look at the solutions to these open source security risks.

Build a Security-First Culture

Too often, developers choose to work with open source components based on the functionality and programming language they need. While functionality is important, other criteria should also be included.

For instance, an individual component of a project may provide the functionality you need without requiring you to integrate the entire project codebase. Limiting yourself to that component reduces the amount of open source software you depend on, simplifies integration, removes the security risk carried by components you don't need, and keeps source code complexity down.

Open source software is just as likely to have security risks as any other software, so it’s necessary that each component you choose to work with offers functionality and is secure.

In addition to this, open source projects are usually focused on delivering new updates with new features for end users. Due to time and budget constraints, enterprises pay less attention to security and are more inclined to release the update as quickly as possible.

However, companies should balance the push for new releases with ensuring that the design, implementation, and code are secure.

One of the most important things you can do is to inventory what open source software you use and track vulnerabilities that are associated with these libraries.

Embrace Automation and Scanning for Vulnerabilities in Open Source Software

Finding and fixing vulnerabilities in open source software is a big challenge in itself. Companies need to find a way to detect all security vulnerabilities in the open source code in their environments, update the list regularly, drive developers away from old, insecure software components, and finally deploy patches whenever security vulnerabilities are found.

One way to help combat this is to incorporate automated tools that help you continuously track your open source usage and identify security weaknesses, vulnerabilities, fixes, and updates.

Automation tools for open source software help identify which packages are being used in which projects, what security vulnerabilities they contain, and how they can be fixed. These tools often come with alerting features as well. If a vulnerability is discovered, notifications are sent to the concerned development and security team to alert them about the newly found security risks.

Integrating automation to scan security vulnerabilities in open source software is especially important for large organizations, since it can be difficult to track and identify vulnerabilities in all of their source code that is in use.

Most enterprises are not even aware of the full inventory of applications they have, which leaves them more exposed to cyberattacks through unidentified vulnerabilities in the source code. A report says nearly 88% of codebases contain open source components with no development activity at all in the last two years.
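The inventory, scanning and alerting steps described above, together with the stale-component concern just mentioned, as an added example that is not part of the original article or any vendor's tool: it parses a constructed pinned lockfile into an inventory, matches each pin against a constructed advisory feed (standing in for NVD- or OSV-style data) by version range, and flags components with no release in two years. Package names, versions, advisory ids and dates are all made up for the example.

```python
from collections import namedtuple
from datetime import date
# Constructed lockfile (pinned name==version lines); package names are placeholders.
LOCKFILE = """\
# pinned dependencies (constructed sample)
webframework==2.3.1
yaml-parser==5.1
image-lib==8.0.0
"""

# Constructed advisory feed standing in for an NVD/OSV-style lookup:
# versions in [introduced, fixed) are affected; ids are placeholders, not CVEs.
Advisory = namedtuple("Advisory", "package introduced fixed advisory_id")
ADVISORIES = [
    Advisory("yaml-parser", "0", "5.4", "ADV-0001"),
    Advisory("webframework", "2.0", "2.3.0", "ADV-0002"),  # fixed before 2.3.1
]
# Constructed last-release dates, used to flag components nobody maintains;
# TODAY is pinned so the example is reproducible.
LAST_RELEASE = {"webframework": date(2020, 3, 1), "yaml-parser": date(2019, 6, 15),
                "image-lib": date(2017, 1, 9)}
TODAY = date(2021, 8, 1)

def parse_version(v: str) -> tuple:
    # '2.3.1' -> (2, 3, 1): tuples compare component-wise, strings do not
    return tuple(int(p) for p in v.split("."))

def parse_lockfile(text: str) -> dict:
    """Inventory step: map each pinned package name to its version."""
    inventory = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, version = line.partition("==")
        inventory[name.strip().lower()] = version.strip()
    return inventory

def affected(version: str, adv: Advisory) -> bool:
    # vulnerable when introduced <= version < fixed
    return parse_version(adv.introduced) <= parse_version(version) < parse_version(adv.fixed)

def scan(lock_text, advisories=ADVISORIES, last_release=LAST_RELEASE,
         today=TODAY, stale_days=730):
    """Return (package, version, message) alerts for vulnerable or stale pins."""
    alerts = []
    for name, version in parse_lockfile(lock_text).items():
        for adv in advisories:
            if adv.package == name and affected(version, adv):
                alerts.append((name, version, f"{adv.advisory_id}: upgrade to >= {adv.fixed}"))
        released = last_release.get(name)
        if released and (today - released).days > stale_days:
            alerts.append((name, version, f"no release since {released}; check maintenance"))
    return alerts
```

`scan(LOCKFILE)` raises three alerts: `yaml-parser` is within the affected range of ADV-0001 and has had no release for over two years, and `image-lib` is stale; `webframework` 2.3.1 is past ADV-0002's fix and is left alone, which is the distinction a plain string comparison of versions would get wrong.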

Cross-Train Your Staff

It’s not always easy or even possible to hire professionals who are experts in both development and security. It is, however, possible to train your teams so that they can approach the issues from both ends. While it isn’t always easy to hold regular cybersecurity awareness training for different teams, it’s critical for the overall security of your projects.

Enterprises should ensure that their developers have a general understanding of cybersecurity, as well as the latest trends and updates. Your developers should be able to identify common security issues that arise in open source code, if not fix them.

Similarly, the security team should be involved in the development process from the early stages. Rather than treating security as an afterthought, make it a priority from the very beginning of a project.

Just as you analyze and track your development process, you should proactively monitor your security efforts as well. Taking a proactive approach can go a long way in being prepared to handle open source security risks.

Final Thoughts

Open source is an excellent model that can be found in many of today’s projects. However, to ensure secure open source code, you need to acknowledge the security risks that come with open source software. You have to make sure that each of your open source components is delivering value to the project and is secure.

Cypress Data Defense helps companies run security audits and strengthen the overall security of their projects by recommending the best security practices.

We help enterprises create a roadmap for releasing secure updates and provide open source support, scanning, monitoring, and solutions for safely and effectively leveraging open source software. With Cypress Data Defense, organizations can gain the control they need over their open source components to mitigate open source security risks while increasing their cost savings.

About the Author

Steve Kosten is a Principal Security Consultant at Cypress Data Defense and an instructor for the SANS DEV541 Secure Coding in Java/JEE: Developing Defensible Applications course.

Translated from: https://towardsdatascience.com/3-open-source-security-risks-and-how-to-address-them-82f5cc776bd1
