Open source platforms and projects offer a wide variety of benefits for organizations and developers, but they also can introduce vulnerabilities if you’re not careful. That’s why Black Duck has released Security Checker, a free tool based on its Hub open source security tool to help you identify those vulnerabilities so your applications will be secure.
One of the advantages of open source is also a potential concern. Open source software benefits from community cooperation and collaboration: more eyes and more hands contributing to the development allow for faster evolution and greater innovation. However, when all of the code is available to the public and any developer can add or change it, that openness also creates an opportunity to introduce problems.
While it is theoretically possible for a malicious developer to intentionally add vulnerabilities or exploits, the collaborative nature of open source projects actually makes it less likely. Any obvious attempt to insert malicious code would be detected and thwarted by other developers. The communal nature of open source development is not infallible, though, as evidenced by recent major revelations such as Heartbleed.
Open source projects that are active and properly maintained address these issues fairly quickly. The problem, however, is that organizations and developers need to be able to easily determine whether their existing applications are affected and apply the appropriate patches and updates. There also are many open source tools that are not being actively developed or supported, which means known vulnerabilities may be left unfixed.
Security Checker from Black Duck can help minimize exposure to these risks and give organizations and developers an opportunity to address any known issues. The tool is a drag-and-drop solution that allows you to scan code contained in an uploaded archive file, such as a .tar or .zip file, or in a Docker image. Security Checker then generates a report that shows identified vulnerabilities and security issues.
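The core of what such a scanner does is software composition analysis: unpack the uploaded archive, find the component manifests inside it, and compare each pinned version against a table of known advisories. The following is an added illustration of that matching step, not Black Duck's code and not the Security Checker implementation; the advisory table, package names and the sample zip upload are all constructed for the example, and real advisory data would come from a vulnerability feed keyed by component and version.

```python
"""Toy software-composition check: flag known-vulnerable components in an uploaded zip."""
import io
import re
import zipfile

# Constructed advisory table (hypothetical ids, not real CVE data):
# package -> list of advisories, each with the first version that carries the fix.
ADVISORIES = {
    "examplelib": [{"id": "ADV-0001", "severity": "severe", "fixed_in": (1, 2, 0)}],
    "othertool": [{"id": "ADV-0002", "severity": "moderate", "fixed_in": (3, 0, 1)}],
}


def parse_version(text):
    """Turn '1.2.3' into (1, 2, 3) for tuple comparison; trailing suffixes are ignored."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def parse_manifest(text):
    """Parse 'name==version' lines (pip requirements style); comments and blanks are skipped."""
    components = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9A-Za-z.]*)$", line)
        if m:
            components[m.group(1).lower()] = parse_version(m.group(2))
    return components


def find_manifests(archive_bytes):
    """Yield (path, text) for every requirements.txt inside a zip archive held in memory."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith("requirements.txt"):
                yield name, zf.read(name).decode("utf-8", errors="replace")


def scan_archive(archive_bytes, advisories=ADVISORIES):
    """Return one finding per component whose pinned version predates the fix."""
    findings = []
    for path, text in find_manifests(archive_bytes):
        for name, version in parse_manifest(text).items():
            for adv in advisories.get(name, []):
                if version < adv["fixed_in"]:
                    findings.append({
                        "path": path,
                        "component": name,
                        "version": ".".join(map(str, version)),
                        "advisory": adv["id"],
                        "severity": adv["severity"],
                    })
    return findings


def build_sample_archive():
    """Constructed sample upload: a zip with two manifests, one pinning a vulnerable version."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("app/requirements.txt", "examplelib==1.1.9\nothertool==3.0.1\n# pinned\n")
        zf.writestr("tools/requirements.txt", "examplelib==1.2.0\n")
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_archive(build_sample_archive()):
        print(f"{f['severity'].upper():8} {f['advisory']} {f['component']} "
              f"{f['version']} ({f['path']})")
```

The report lists only the `app/requirements.txt` pin of `examplelib` 1.1.9, since the other manifest already carries the fixed release and `othertool` is at its fixed version. A production scanner does the same matching across many ecosystems and also fingerprints vendored or unlabelled code rather than trusting manifests alone.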
A recent report from Black Duck found that 67 percent of audited applications contain known open source security vulnerabilities. More than a third of the vulnerabilities identified were classified as “severe.” The most notable finding, however, is that 10 percent of the applications surveyed still contain the Heartbleed vulnerability, which was discovered in April 2014.
“Applications represent the greatest level of risk on the security threat landscape, and we expect that Security Checker scan results will provide an ‘a ha moment’ for many open source users,” said Black Duck CEO Lou Shipley in a press release statement. “Their findings will focus attention on the need to regularly review application code to ensure it’s free of known open source vulnerabilities.”
The process of scanning and generating the report takes about 15 minutes, according to Black Duck, which also noted the maximum file size Security Checker can scan is 100MB.