The hidden threat lurking in an otherwise secure software stack
All it takes is a fork from the main branch and a re-branding of the code, and the next thing you know, there's a hidden threat in your software. Here's how to protect against it.
Is there a hidden threat buried in your software stack? Is there a hidden threat embedded within your Docker container?
It's certainly not a prospect that lives outside of the realm of possibility, especially if you're not 100% sure as to exactly how the various Open Source components that make up your software stack or your container image were derived.
"One of the aspects of open source is that it can be forked," said Tim Mackey, the Technical Evangelist for BlackDuck Software. "If you look at GitHub today and look at the OpenSSL project, you'll see that over 2500 or 2600 different OpenSSL forks have occurred." If a vulnerability in OpenSSL surfaces, as it did when the Heartbleed bug rose to fame, only the mainline, unforked version of the project will be tagged as being problematic. If the Docker container you downloaded is using a forked version of a piece of open source software, or your cloud computing stack uses a highly customized derivative, you may very well have a hidden threat buried within your system that you won't be able to identify before hackers identify it for you.
The hidden threat from forking
"Let's say you've taken OpenSSL, you've forked it, maybe you've removed a cipher suite or maybe you've added a cipher suite, embedded it into your set of dependencies, and then it's moved on to someone else who has modified it ever so slightly, and then the process repeats, and you end up with it embedded in your application stack. Maybe it becomes the base image for your container? You may not be aware that you are in a vulnerable state," said Mackey, speaking to the fact that without a proper understanding of how Open Source software is both created and curated, there could be innumerable hidden threats lurking in your software.
Of course, everyone picks on OpenSSL after the whole Heartbleed debacle, but a hidden threat to the security of your software stack can emerge from a variety of otherwise innocuous places. Nobody typically thinks of JavaScript as being a grave danger to an enterprise system, but with the rise of Node.js, and the manner in which the Node Package Manager (NPM) supplies resources, organizations must pay much more attention to the server-side software they are installing.
Hidden threat in JavaScript
And of course, one of the reasons Node is so compelling is because changes and enhancements are happening so quickly. But the downside is that packages can change several times a day, and with NPM, you're not exactly sure where the packages you're being supplied are coming from. "Because things are moving rapidly, a fork of a component can happen many, many times, and when an issue is raised in the intermediate stream of forks, it becomes much more difficult to recognize where the vulnerable code exists and where it doesn't," said Mackey.
So what is an organization to do? The key is to know exactly what software makes up a given software stack, and to understand which pieces of software come from a project's main trunk, and which pieces of software might be derivatives that are well removed from the mainline branch. Of course, that's not always an easy task, especially when even the simplest software projects can link to hundreds of open source archives, but it's a necessity if organizations want to maintain secure software stacks that are free of any embedded and hidden threats.
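The inventory check described above, and the forking problem Mackey describes with OpenSSL and NPM packages, can be made concrete with a small audit that matches each shipped component against the upstream release it claims to be by content rather than by name and version alone. The script below is an added example written for this article; it is not code from the article or from Black Duck. Every project name, version, release blob and advisory identifier in it is constructed for illustration, and a real audit would hash the actual release tarball or registry package instead of the stand-in byte strings used here.

```python
"""Flag components whose contents do not match the upstream release they claim to be.

A name/version lookup against an advisory feed only catches the mainline copy.
A content match against the upstream release additionally surfaces forks and
patched derivatives that would otherwise slip past that lookup.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for upstream release archives (constructed names and versions,
# not real projects). A real tool would fetch and hash the published release artifact.
UPSTREAM_RELEASES: Dict[Tuple[str, str], bytes] = {
    ("tlslib", "2.1.0"): b"tlslib 2.1.0 source tree",
    ("tlslib", "2.2.0"): b"tlslib 2.2.0 source tree",
    ("jsonparse", "0.9.4"): b"jsonparse 0.9.4 package tarball",
}
UPSTREAM_DIGESTS = {key: sha256_hex(blob) for key, blob in UPSTREAM_RELEASES.items()}

# Constructed advisory feed keyed by upstream (name, version). The identifiers are
# placeholders, not real advisory or CVE numbers.
ADVISORIES: Dict[Tuple[str, str], str] = {
    ("tlslib", "2.1.0"): "ADVISORY-PLACEHOLDER-1",
    ("jsonparse", "0.9.4"): "ADVISORY-PLACEHOLDER-2",
}


@dataclass
class Component:
    name: str
    version: str   # the version the component claims to be
    content: bytes  # the bytes actually shipped in the stack or image


@dataclass
class Finding:
    name: str
    version: str
    status: str
    advisory: Optional[str]


def classify(component: Component) -> Finding:
    key = (component.name, component.version)
    advisory = ADVISORIES.get(key)
    expected = UPSTREAM_DIGESTS.get(key)
    if expected is None:
        # No upstream release by that name and version: provenance cannot be checked.
        return Finding(component.name, component.version, "unknown-version", advisory)
    if sha256_hex(component.content) == expected:
        status = "upstream-vulnerable" if advisory else "upstream-clean"
        return Finding(component.name, component.version, status, advisory)
    # Content differs from the upstream release it claims to be: a fork or a patched
    # derivative. If the base version has an advisory it may still apply, even though
    # a lookup by name and version alone would not attach it to this component.
    status = "fork-of-vulnerable-base" if advisory else "unverified-fork"
    return Finding(component.name, component.version, status, advisory)


def audit(inventory: List[Component]) -> List[Finding]:
    return [classify(c) for c in inventory]


def needs_attention(findings: List[Finding]) -> List[Finding]:
    return [f for f in findings if f.status != "upstream-clean"]


# Constructed inventory: a clean upstream copy, a vulnerable upstream copy, a fork of
# the vulnerable base with a cipher suite removed, and a rebranded tree nobody tracks.
SAMPLE_INVENTORY = [
    Component("tlslib", "2.2.0", UPSTREAM_RELEASES[("tlslib", "2.2.0")]),
    Component("jsonparse", "0.9.4", UPSTREAM_RELEASES[("jsonparse", "0.9.4")]),
    Component("tlslib", "2.1.0",
              UPSTREAM_RELEASES[("tlslib", "2.1.0")] + b" minus one cipher suite"),
    Component("tlslib", "3.0.0-custom", b"somebody's rebranded tree"),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print(f"{f.name:10} {f.version:13} {f.status:24} {f.advisory or '-'}")
```

The third component is the case the article is about: it calls itself tlslib 2.1.0, but its bytes no longer match the upstream release, so a scanner keyed only on name and version would either miss it or mislabel it. Matching by digest reports it as a fork of a version with an open advisory, which is the signal that someone needs to inspect the derivative rather than assume the mainline fix covers it.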