Open Source Risk: Plugging the hole

"The leak was worse than first thought," notes a passer-by of a boy stuck head-first into the wall of a digital dyke. Plug your open source holes with an SCA tool.


Software development based on the sharing and collaborative improvement of software source code goes back to its very origins. 

In the late 1990s, the term “open-source” was coined and received mainstream recognition in publications such as Forbes. The Netscape browser’s source code was made open source and that got a lot of attention.

The original open-source projects were “revolutions” against the “unfair” profits that closed-source software companies were reaping. Microsoft, Oracle, SAP and others, it was argued, were extracting monopoly-like “rents” for software, which the top developers of the time did not believe was world class.

Open Source Growth

Open source software was originally created by developers for developers. It was embraced slowly by more and more projects, organisations and companies, and it now forms the foundation for the Internet and most of our digital assets. The code base of a typical modern application consists of 80 to 90% open source software. Even in something as proprietary as Apple’s iPhone, the operating system consists largely of open source software.

Currently, there are close to 1 million open source projects globally, and this number increases by 79% a year.

Open source victorious as last ones standing capitulate

Apple and Google embraced open source more than 20 years ago. The champions of proprietary software, IBM and Microsoft, resisted much longer. 

“Once open source gets good enough, competing with it would be insane.”

Larry Ellison, chairman of Oracle, in conversation with the Financial Times, 2006

Ellison was right on the mark. It looks like we reached that point a few years ago. IBM and Microsoft were the last ones standing against open source, but in the end they capitulated. IBM acquired Red Hat in early 2019 for $34B, and Microsoft acquired GitHub for $7.5B in 2018.

Open source use a surprise to many executives

In many organizations where leadership does not have a strong engineering or technical background, the importance of open source, and how dependent the digital supply chain is on it, is not yet fully realized. We regularly encounter executives who are very surprised when we analyze their applications and identify many open source libraries. Awareness is the first step in managing open source risk and rewards.

Open Source Risks: Is it really free?

Open source is bringing huge rewards to business. However, with reward comes open source risk. The two main risks are legal risk, related to licenses, and cyber risk, related to vulnerabilities.

Open source is free but can come with strings attached that do not match your organization’s business model. Open source software is released under different licensing models; there are over 300 in use. Most open source software comes with friendly licenses such as the Apache and BSD licenses. Other licensing models are less friendly, such as the GNU GPL and GNU Affero GPL. Use of these licenses, even in a minor way, could force an organisation to open source its entire software, with devastating impact on the IP value of the organisation.

Open source software, like all software, can contain vulnerabilities. Open source software, in general, is high quality software and not intrinsically more vulnerable. However, because of its wide usage, it is a very attractive target for cyber adversaries and so, over time, vulnerabilities are uncovered. At the moment, there are more than 150,000 known vulnerabilities. A lot of these vulnerabilities can be exploited to breach organisations and are considered to be the cause of approximately 25% of data breaches. 

One example of a major breach is the Equifax breach, which exposed 145 million client records and cost the organisation more than $1.3B to remediate. The company also lost $5B in stock market value overnight and later received a $700M fine from the US government.

The best defence: SCA / OSS

The best defense against open source risk is to use a Software Composition Analysis tool, sometimes also called Open Source Security scanner. These tools quickly analyse your applications or containers and provide insight into license and cyber risk. MergeBase goes a step further and provides solutions to quickly and easily reduce your cyber risk. 
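To make concrete what an SCA tool does at its core, here is an added example (not MergeBase's code) of a minimal composition check: it reads a dependency manifest, flags versions that fall in a known-vulnerable range, and flags licences outside an organisation's allow-list. The manifest, advisory list and licence metadata are all constructed sample data, and versions are assumed to be dotted integers.

```python
# Added example, not MergeBase code: a minimal software-composition check.
# All data below is constructed sample data; the advisory ids are placeholders.

# Constructed manifest in requirements.txt style (name==version).
MANIFEST = """\
requests==2.19.0
flask==2.2.5
somelib==1.4.0
"""

# Constructed advisories: (package, first vulnerable, first fixed, advisory id).
ADVISORIES = [
    ("requests", "2.0.0", "2.20.0", "EXAMPLE-ADV-1"),
    ("somelib", "1.0.0", "1.5.0", "EXAMPLE-ADV-2"),
]

# Constructed licence metadata; Apache/BSD are permissive, AGPL is copyleft.
LICENSES = {"requests": "Apache-2.0", "flask": "BSD-3-Clause", "somelib": "AGPL-3.0"}
ALLOWED_LICENSES = {"Apache-2.0", "BSD-3-Clause", "MIT"}


def parse_version(v):
    # Assumes dotted integer versions so tuples compare numerically.
    return tuple(int(p) for p in v.split("."))


def parse_manifest(text):
    deps = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, version = line.partition("==")
        deps[name.lower()] = version
    return deps


def vulnerable(name, version, advisories=ADVISORIES):
    # Return advisory ids whose [first vulnerable, first fixed) range covers version.
    v = parse_version(version)
    return [adv_id for pkg, lo, hi, adv_id in advisories
            if pkg == name and parse_version(lo) <= v < parse_version(hi)]


def scan(manifest_text, licenses=LICENSES, allowed=ALLOWED_LICENSES):
    # Produce (package, finding type, detail) tuples for cyber and licence risk.
    findings = []
    for name, version in parse_manifest(manifest_text).items():
        for adv_id in vulnerable(name, version):
            findings.append((name, "vulnerability", adv_id))
        lic = licenses.get(name, "UNKNOWN")
        if lic not in allowed:
            findings.append((name, "license", lic))
    return findings
```

Running `scan(MANIFEST)` reports the outdated requests version, the vulnerable somelib version and somelib's AGPL licence, while flask passes both checks.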

A Critical Look at Cyber Investment

What is the top defensive technology area to invest in right now?

Cyber defense is a global whack-a-mole game with hundreds of billions of dollars being invested in offensive and defensive capabilities. After you invest in one area, another area of risk tends to pop up. What is the top defensive technology area to invest in right now?

Cyber is multifaceted

Cyber defense requires a multifaceted approach. Fragmentation is a natural consequence of the back and forth between cyber attackers and defenders: If we have an effective defence against a particular type of attack, adversaries will try another area, angle, or approach. Over time this means we need many technologies to secure our organisation. Like it or not, cyber defence is a global whack-a-mole game. It is an arms race, with governments and corporations investing hundreds of billions of dollars continuously in building out offensive and defensive capabilities.

We all know that we need a multifaceted approach. This involves people, process and tools. We need to make sure that everyone in the organization is motivated and has the skills and resources to fight cybercrime. Beyond understanding why and how, technology is critically important as cyberspace is tech heavy.

What area do we need to invest in?

Unless you feel at ease with your cyber protection, the question is: what is the key technology area to invest in right now? This question is very difficult for most cyber professionals, as most organizations underfund and under-resource their cyber operations.

We posed this question to cyber professionals by posting a poll to LinkedIn. To eliminate bias, we conducted the poll twice, reaching out to two distinct networks of cyber professionals. Feel free to repost the poll and let us know what your results are.

The poll asked what areas to focus on: MFA, perimeter security, known vulnerabilities or education. The results, which were consistent between the two polls, were: known vulnerabilities at 49%, MFA at 29%, and perimeter and education at approximately 10% each.

Known vulnerabilities routinely exploited

The results of the poll make a lot of sense. Of course, all these areas are important and really need more investment. However, the NSA and CISA continue to warn that cyber adversaries routinely exploit known vulnerabilities.

If we look at major breaches, we see plenty of evidence supporting these warnings. Sophisticated attackers use a combination of hacking techniques, as we have seen recently with SolarWinds. Exploiting known application vulnerabilities is a big part of their arsenal and allows adversaries to move laterally and subsequently elevate privileges.

In reality we find that very few organizations are able to execute fully on a vulnerability strategy.

Why can we not eliminate known vulnerabilities?

Why are we not able to routinely eliminate our known application vulnerabilities? The answer is that it is a daunting task, given the amount of software most organisations operate in combination with the technical debt most of these applications suffer from. Some cyber experts call for continuous upgrading of all components, which would eliminate these problems. However, continuous upgrading is difficult for organisations that have a lot of applications. For instance, a typical North American bank has 600 software applications, and large banks tend to have many more. A lot of these applications are older and do not have active development, so routinely upgrading may not be practical.

MergeBase successful seed raise

VANCOUVER, BC – Will cybercrime cause $1 trillion in damage to an already-vulnerable economy by 2021? Not if MergeBase Software Inc. has anything to do with it. The company has just announced it raised $500,000 funding for its best-in-class cybersecurity product — helping it ramp up sales and distribution. The funding round officially closed on March 19.

“I’m impressed that during this unprecedented crisis, business leaders and investors are able to ‘keep calm and carry on’, continuing to invest in leading-edge technology to solve critical problems like cybercrime,” says MergeBase CEO Oscar van der Meer. 

The current COVID-19 crisis and social distancing measures will only accelerate the move to a fully digital economy. In this new environment, cybersecurity for digital assets and IT will be even more mission-critical to business and governments.

“So many technology-powered companies are built on open-source code and third-party apps — which is a quicker, easier and cheaper way of building software,” he explains. “But those savings come with a cost, exposing organisations using these applications to data breaches.

“Integration with external apps already causes up to 24 percent of all cybersecurity breaches — and that’s only going to grow,” he says. “MergeBase is a best-in-class solution to boost the immune system of enterprises around the world.” MergeBase’s app-security solution detects more vulnerabilities than any other tool on the market.

Enterprises are already boosting purchases of app security solutions, from 5 percent in 2019 to 60 percent by 2024, according to a Gartner report. “It’s why we’re expecting to see big growth in our business.” 

MergeBase’s solutions are aimed at large enterprises. Its customers include a government agency that processes trillions of dollars of payments every year.

The company’s co-founders bring a combined 50 years of experience in the financial industry, and a wealth of knowledge about identifying and dealing with vulnerabilities in technology; for instance, van der Meer was a senior executive at Central1, the central financial facility and trade association for the B.C. and Ontario credit union systems. 

Investors in the current funding round include Lisa Shields and Western Universities Technology Innovation Fund (WUTIF) and Maninder Dhaliwal.

Discover More from MergeBase

Core Product

BuildGreen is a powerful solution for identifying the real risk of open source at build time or in existing applications.

Learn how BuildGreen can protect your enterprise

Add RunTime Protection

RunGreen detects and defends against known-vulnerabilities at runtime.

Learn why Runtime Protection Matters

Optional Developer Add-on

CodeGreen is an early-warning defence for your in-house development and integrates directly into code repositories.