Information Technology

With more organisations tapping open source codes in their own applications, they will need to be able to work through the complexities of such environments with automation tools so they can quickly respond to new vulnerabilities.Almost all internally developed software today contained some open source codes, noted Phillip Ivancic, Asia-Pacific head of solutions strategy at Synopsys Software Integrity Group.According to the security vendor’s 2022 Open Source Security and Risk Analysis report, 97% of commercial codebases contained at least some open source codes. Of these, an average 78% of code in the codebases was open source. Released in May, the study analysed 2,409 commercial codebases across 17 industries.Most organisations would not want to build everything from scratch when they develop their own software, said Liu Yang, co-founder and CEO of Scantist, an application security vendor that in 2016 spun off from a research lab in Singapore’s Nanyang Technological University (NTU). There now were many well-established libraries and codebases in open source software (OSS) that organisations could tap and build upon, Liu said in an interview with ZDNet. Andrew Martin, Databricks’ South Asia head, concurred, adding that open source enabled companies to innovate faster and leveraged codes that already were available, instead of spending resources building proprietary software in-house.Open source technology also ensure full transparency and visibility into source code, offering data teams a connection to the wider open source community, Martin said. However, Liu said, tapping open source meant that any vulnerability in the codes then could be inherited by the host enterprise application. Open source vulnerabilities, hence, always should be addressed first, he said.Failure to do so could lead to serious security risks for businesses that did not remain informed of such vulnerabilities and update their software accordingly, he cautioned.The Synopsys study revealed that 81% of software codes contained at least one known open source vulnerability, a 3% drop from the previous year. While tapping open source did not imply in-house software was any less secure, doing so brought in key considerations that should be addressed and managed, Ivancic told ZDNet. For one, companies should know all OSS components including the actual versions that were used in their projects’ codebase. Referred to as the Software Bill of Materials (SBOM), this central repository would ensure companies were able to quickly respond when new vulnerabilities were uncovered, such as last year’s high-profile zero-day flaw Log4j. With a SBOM, they would be able to identify applications that were vulnerable and deploy the necessary remediation actions, he said. They also needed to know the exact OSS codebase used in any given project, so they could determine if the application would be impacted when new high-risk vulnerabilities were discovered. The Log4j zero-day flaw, in particular, was likely to spawn more vulnerabilities in coming years due to the increasing use of OSS, said Liu.Furthermore, he noted that the Java library for logging error messages in applications was a fundamental framework used by half of Java applications, which meant that all open source software that used the library potentially had severe vulnerabilities. Hackers could exploit the Log4j flaw to perform remote attacks and use a company’s OSS library to control its systems. It also was tough dealing with such vulnerabilities due to the layered nature of OSS development, he said. “If you’re using an OSS library for one application, that library likely is using a second library and that, in turn, is using a third library,” Liu explained. “If the third library has a critical vulnerability and you’re using the first library, there is intrinsic vulnerability in this dependency chain. It can present security risks for you, even if you’re not using the third library.”Identifying all passive and indirect interdependencies was far from easy, he noted, adding that it could be difficult for companies to access security experts to carry out such works. He pointed to the need for automated tools to support such security assessments.Ivancic stressed the need for organisations to understand the operational and licensing risks involved in using open source codes. For instance, he noted that OSS codebases that did not have an active community of contributors could indicate potential risks, since new vulnerabilities might not be uncovered and patched in a timely fashion.The Synopsys study revealed that 88% of codebases used components that were not the latest version, while 84% had open source codes that were more than four years out-of-date. In addition, 53% of audited codebases had licensing conflicts and 20% contained open source with no license or custom license.Ivancic noted that open source projects had various licensing provisions that ranged from very permissive to those that might require users to publish derivative works under the same licensing terms. A SBOM then would better able organisations to track the different licensing conditions, he said.”If organisations aren’t proactive about maintaining and reviewing their vulnerability updates, they run the risk of becoming an easy target for attackers,” he noted. “Additionally, if they fail to comply with open source licenses, they can put their business at risk of litigation and open themselves to threats to their intellectual property.”Like Liu, Ivancic underscored the importance of building automation into the development pipelines to mitigate risks based on internal security policies. “OSS is not insecure per se…the challenge is with all the versions and components that may make up a software project,” he explained. “It is impossible to keep up without automation and prioritisation.” He noted that the OSS community was responsive in addressing security issues and deploying fixes, but organisations tapping OSS would have to navigate the complexity of ensuring their software had the correct, up-to-date codebase. This was further compounded by the fact that most organisations would have to manage many projects concurrently, he said, stressing the importance of establishing a holistic software security strategy. He further pointed to the US National Institute of Standards and Technology (NIST), which offered a software supply chain framework that could aid organisations in planning their OSS security response. Regulations helpful, but not enough to fix allAsked if regulations were needed to drive better security practices, Liu said most companies saw cybersecurity as a cost and would not want to address it actively in the absence of any incentive. Hence, some corresponding governance or regulatory policies would be helpful in improving the overall security of open source software, he said. He noted that there had been discussions amongst developers about the risks of backdoor exploits and malicious codes, which suggested a need for better governance in terms of security and responsibility. He added that his research team at NTU was looking to propose a set of mechanisms and rules to address OSS security.  However, he said regulation alone would not resolve everything. Organisations still needed to figure out how to achieve better security in a cost-effective way. This, Liu said, was where the wider ecosystem could collaborate. He added that Scantist recently ran a bug bounty programme in which participants were encouraged to use software composition analysis to find and fix vulnerabilities. The aim here was to promote OSS security as well as push greater awareness amongst small and midsize businesses, Liu said. Scantist offers a software composition analysis tool, called Thompson, that is touted to help enterprises manage security and compliance risks of their open source libraries.When contacted, Singapore’s Cyber Security Agency (CSA) said it currently had no plans to impose security regulations related to the use of open source software. Instead, the government agency advocated the adoption of zero trust principles and for all Singapore organisations to build their cyber defences based on this framework. A CSA spokesperson told ZDNet that OSS security should be assessed as part of a company’s efforts to reduce risks from their supply chain partners. To help enterprises do so, CSA introduced several measures including programmes for CII (critical information infrastructure) sectors and smart consumer devices. For instance, the CII Supply Chain programme was announced last year to outline processes and best practices that could help CII operators and their vendors manage supply chain risks and beef up their supply chain cybersecurity posture. CSA earlier this year also introduced Cyber Essentials and Cyber Trust certification marks that certified cybersecurity measures organisations adopted for their products and services. The initiative aimed to provide “visible indicators” of businesses that prioritised cybersecurity as well as boost the level of trust and confidence amongst organisations that transacted with certified players, the CSA spokesperson said. He added that the Cybersecurity Labelling Scheme, which rated smart devices according to their levels of cybersecurity provisions, with Level 3 and 4 the highest two categories. He noted that products certified under the Singapore Common Criteria Scheme would have gone through binary analysis to identify known vulnerabilities in OSS. According to the Synopsys study, the Internet of Things (IoT) industry was amongst the highest user of open source, with 100% of codebases in the sector containing open source codes. However, 64% of IoT codebases were found to contain vulnerabilities. Martin noted that open source was never meant to compete with traditional proprietary code. “Today, many software developers and entities are looking to integrate open source with existing operating systems and applications,” he said. “This is different from incompatibilities that can occur due to differences in elements such as data formats. Ultimately, open source integration can happen so long as the development is there.”He added that even the most regulated industries, such as the public sector and financial institutions, were adopting the concept that open source was the best way to foster innovation, recruit, and retain the best talent, and future-proof a technology platform.RELATED COVERAGE More

StackCommerce The following content is brought to you by ZDNet partners. If you buy a product featured here, we may earn an affiliate commission or other compensation. Resumes and interview skills are important, but if you want a career in IT, you’re going to need to do more than just dress for the job you […] More

As you’ve discovered, the inconvenience associated with being the victim of credit card fraud is significant. Thankfully, for cardholders in the United States, protections in the Fair Credit Billing Act mean your actual losses are limited to $50, provided you notify the card issuer as soon as you become aware of any theft or unauthorized use. Most card issuers have fraud detection capabilities that will alert you immediately in the event of a suspicious transaction and protect you from any loss. One important caveat here: These fraud protections do not apply to debit cards, even if the card has the logo of a major credit card issuer. The Electronic Fund Transfer Act offers similar protections if you report an unauthorized transaction within 48 hours, but after that you’re on the hook for $500 in losses, and the limit vanishes completely if a fraud goes unreported for 60 days. (For details, see this FTC page: “Lost or Stolen Credit, ATM, and Debit Cards.” Even with those protections, there’s always a risk with any online transaction. How do you minimize your risk? Be vigilant about sites where you use your card. Make sure the page is secure and that the merchant is trustworthy. If you don’t recognize the merchant or the site seems suspicious, think twice before entering your card details. Avoid storing your card details unnecessarily. You can probably waive this precaution for top-tier merchants like Amazon and Apple, but it’s really not that inconvenient to re-enter a card number for smaller merchants that you do business with occasionally. (Obviously, you can’t avoid this for recurring payments.) Use Apple Pay, Google Pay, Samsung Pay, or other digital wallets whenever possible. Those systems use virtual account numbers tied to your device, which means in the event of compromise, your actual card number is not revealed. (For details on virtual card numbers, see these support documents from Google and Apple.) Create your own masked card. The free Privacy.com service, for example, lets you create virtual credit cards for specific merchants. You can assign per-transaction limits or set an overall maximum charge for one of these cards, making it impossible for an unscrupulous merchant to turn a small charge into a larger one without your consent. We’ve used this service and can recommend it enthusiastically.  More

Image: Getty While more companies are investing in beefing up their IT security, most cybersecurity practices are still reactive in their nature, relying on software tools to identify when a breach has happened – or been attempted – and then responding accordingly. But as cyberattacks continue to increase in frequency and sophistication, it is clear […] More

Image: Getty Images/Jetta Productions Inc Content distribution network (CDN) firm Cloudflare says the botnet behind the biggest distributed denial of service (DDoS) attacks it has recorded has targeted nearly 1,000 of its customers in the past few weeks.  The botnet – which Cloudflare calls Mantis and which is named after the small, razor-legged prawn – […] More

Engineer wearing a white helmet while standing in a heavy industrial factory. Getty Images/iStockphoto Critical infrastructure is increasingly targeted by cyber criminals – and while those responsible for running industrial networks know that securing operational technology (OT) and the Industrial Internet of Things (IIoT) is vital, they’re struggling, resulting in networks being left vulnerable to […] More

Singapore is looking to expand its cybersecurity labelling programme to include medical devices, specifically, those that handle sensitive data and can communicate with other systems. It also reiterates the need to safeguard operational technology (OT) systems and build up the necessary skillsets to do so. OT systems traditionally were designed as standalone infrastructures and not connected to external networks or the internet. The need for better efficiencies and functionalities, however, had driven the convergence of IT and OT systems. Remote monitoring and data sharing for insights, for instance, brought about more efficiencies, but these also came at a cost as they widened the attack surface, said David Koh, Singapore’s cybersecurity commissioner and chief executive of Cyber Security Agency (CSA).  Once in a safe air-gapped operating environment, OT systems now were open to potential cyber attacks and breaches could have real-world impact, noted Koh, who was speaking at ISC2’s Secure Singapore conference held Wednesday. To mitigate such threats, he underscored the need to build up the necessary skilsets to manage the convergence of IT and OT systems. With both sides traditionally run and managed separately, these teams now would need to understand how IT systems were deployed to support essential services, such as water and power plants. Such skillsets also should encompass knowledge of business processes and interdependencies that went beyond the technical aspects, he said. Zachary Tudor, associate laboratory director of Idaho National Laboratory’s National and Homeland Security, concurred, pointing to the need for managers who understood the security risks from the convergence of IT and OT. C-suite executives also needed to be educated about the business risks and consequences of the interdependencies between the two realms, said Tudor, who also is ISC2’s board chairperson. Koh said Singapore tweaked its cybersecurity strategy in recognition of the convergence, embedding an OT security masterplan that focused on bolstering processes, infrastructures, and talent to address potential risks. Its OT Cybersecurity Competency Framework provided guidelines of cybersecurity skills and technical competencies required for OT industry sectors, which included those in critical information infrastructure (CII) markets such as water, healthcare, maritime, and energy.CSA earlier this week unveiled a scholarship programme for up to 80 qualified candidates enrolled in the Singapore University of Technology and Design’s Master of Science in Security by Design. The initiative was part of the government’s efforts to drive OT cybersecurity skills development. Plans to expand labelling scheme to healthcareKoh also pointed to the need to help the general public make more informed choices with regards to security, in particular, in purchasing Internet of Things (IoT) devices. He noted that consumers would buy such products without much awareness because the device’s security posture typically was opaque, with little information provided, and the spotlight placed instead on its features and price. CSA launched a Cybersecurity Labelling Scheme (CLS) to address this and adoption had been better than expected, with a range of manufacturers expressing interest in participating in the voluntary programme, he said. First introduced for home routers, the initiative later was expanded to include all consumer IoT devices, such as smart lights and door locks. Koh revealed that plans now were underway to further expand the CLS to medical and healthcare devices. Security was critical here as such devices could affect one’s health and potentially result in personal injury, he said. According to a CSA document detailing the pilot CLS for medical devices, such devices would fall under the scheme if they handled sensitive data such as personal identifiable information and had the ability to “collect, store, process, or transfer data”. They also would be connected to other systems and services, with the ability to communicate using wired or wireless networks either autonomously or manually. Singapore in May announced plans to set up a SG$19.5 million ($13.99 million) centre to facilitate vulnerability assessment of software and hardware products, physical hardware attacks, and security measures. The centre would work with CSA and Singapore Accreditation Council to develop relevant accreditation programmes, including IT testing programmes that facilitated initiatives such as CLS.According to CSA, as of end-April, more than 200 products had been submitted for labelling under the programme. Koh added that countries such as Germany, Australia, the US, and the UK had approached Singapore to establish mutual recognition of similar labelling and certification schemes in the respective global markets. Such bilateral recognition would reduce the need for duplicated testing, he said.Singapore and Finland last October inked an agreement to do so for each country’s IoT cybersecurity labels.RELATED COVERAGE More

Image: Zephyr_p/Shutterstock Companies are getting hacked now more than ever. According to one analysis, almost half (45%) of US companies suffered a data breach within the past year. “It’s not a matter of if you’re going to be attacked – it’s just when, and what is the next one,” Matthew Davis, the president of GDI […] More