Welcome to AppSec Unlocked, the podcast that demystifies application security one episode at a time. My name is Edwin Kwan and I'm your host for today, and we're diving into a topic that might surprise you: "You're Using More Open-Source Than You Realize." Get ready for an eye-opening episode that could change the way you think about your applications.
The Open-Source Reality Check
Let's start with a reality check. At a recent conference where I presented on open-source security, I noticed a common misconception. Most attendees believed their organizations used some open-source components, but they estimated it to be around 30% or less of their applications. Boy, were they in for a surprise! The truth is far more staggering. Industry reports suggest that a whopping 85% of modern applications are built from open-source components. And if you're working with JavaScript web applications, that number skyrockets to 97%. But hold onto your hats, folks, because my analysis shows these numbers might even be conservative. For Java applications, I've found the percentage of open-source code to be around 98%. That's right, 98%! But here's the kicker: about three-quarters of these open-source components aren't even explicitly incorporated. They're what we call "transitive dependencies" - dependencies of dependencies that sneak into your codebase without you even realizing it.
Real-World Example: The Log4j Wake-Up Call
Let me share a real-world example that illustrates just how pervasive open-source is. Remember the Log4j vulnerability that shook the tech world in December 2021? Log4j is a popular Java logging framework, and a critical vulnerability was discovered that could allow attackers to execute arbitrary code on affected systems. What was shocking wasn't just the severity of the vulnerability, but how many organizations were affected without even realizing they were using Log4j. It was often buried deep in their dependency trees, used by other libraries they depended on. This incident was a wake-up call for many companies about the true extent of their open-source usage.
The Rise of AI in Development
And with the rise of generative AI in software development, that remaining 2% of custom code might not even be written by your developers. It's a brave new world out there, folks! AI-assisted coding tools like GitHub Copilot are becoming increasingly popular. These tools often suggest code snippets based on vast libraries of open-source code. So even when developers think they're writing custom code, they might be inadvertently incorporating open-source patterns and practices.
The Exponential Growth of Open-Source Usage
Now, let's talk numbers. According to the 9th Annual State of Software Supply Chain Report, our use of open-source software is growing at an exponential rate. Last year, the number of download requests exceeded 4 trillion. That's trillion with a 'T'! To put that into perspective, it's almost double the number from just two years ago. But here's where it gets concerning. Out of those 4 trillion requests, about 500 billion were for components with known risks. That's roughly 1 in 8 downloads that have one or more identified security vulnerabilities. It's like playing Russian roulette with your application security!
The Log4j Saga Continues
Let's take a moment to revisit our friend Log4j. Remember that critical vulnerability we talked about earlier? Well, you'd think we'd have learned our lesson, right? Wrong. Today, about 35% of download requests for Log4j are still for vulnerable versions. That's 1 in 3 downloads! It's like we're handing out security breach invitations with every third Log4j download.
Why Are We Still at Risk?
So, why are we still downloading open-source components with known risks, especially infamous ones like Log4j? I believe the root cause is a lack of awareness. Most organizations are simply unaware of their true open-source consumption, especially when it comes to those sneaky transitive dependencies we talked about earlier.
The Hidden Costs of Open-Source
Now, don't get me wrong. Open-source software is fantastic. It drives innovation, speeds up development, and allows developers to stand on the shoulders of giants. But it's not without its costs.
Security Risks: As we've discussed, open-source components can introduce vulnerabilities into your applications.
Licensing Issues: Not all open-source licenses are created equal. Some may have terms that conflict with your business model or intellectual property strategy.
Maintenance Overhead: When you use open-source, you're also taking on the responsibility of keeping those components up-to-date and secure.
Complexity: The more open-source components you use, the more complex your dependency tree becomes, making it harder to manage and secure.
Best Practices for Managing Open-Source
So, what can you do to manage your open-source usage more effectively? Here are some best practices:
Maintain an Inventory: Keep a comprehensive, up-to-date inventory of all open-source components used in your applications.
Implement Automated Scanning: Use SCA tools to automatically scan for vulnerabilities and licensing issues.
Establish Policies: Create clear policies around open-source usage, including which licenses are acceptable and how to handle security updates.
Educate Your Team: Ensure your developers understand the implications of using open-source and how to do so responsibly.
Monitor and Update: Regularly monitor your open-source components for new vulnerabilities and update them promptly when issues are found.
We'll be diving deeper into each of these practices in future episodes.
Wrapping Up
As we wrap up this episode of AppSec Unlocked, remember: open-source software is a powerful tool that drives innovation and efficiency in software development. But with great power comes great responsibility. The key takeaway is this: you're probably using more open-source than you realize. And that's okay! The goal isn't to eliminate open-source, but to use it wisely and securely. By taking proactive steps to understand and manage your open-source usage, you can harness its power while mitigating the associated risks.
Thank you for tuning in to AppSec Unlocked. This is your host Edwin Kwan, and remember: in the world of application security, what you don't know can hurt you. Stay curious, stay vigilant, and keep unlocking those AppSec mysteries. Until next time!
