Open Source Security

Tools and techniques to help you manage security risks in third-party components.

Using Open Source

Modern software projects are increasingly dependent on open source software, from operating systems through to user interface widgets, from back-end data analysis to front-end graphics. Open source software has led to some amazing benefits, but they are sometimes accompanied by security risks that must be understood and managed. For the most part, these risks can apply when using any third-party software component, whether open source or commercial.

Learn about Microsoft’s approach for mitigating security risk when using Open Source Software:

Who Wants a Thousand Free Puppies? Managing Open Source Security in the Enterprise. (Presented at LocoMocoSec 2019)

Benefits of Open Source and Practices for Reducing Risk

Benefits of Open Source

There are many benefits to using open source software as part of your development process, a few of which include:
- Increased time to market. Create software faster by connecting existing components together, rather than implementing them all from the ground up.
- Higher quality. All software components may contain defects, but focused effort on specialized software components often results in higher quality than having many engineers solving the same problems many times in isolation.
- Community. By contributing new features, reporting bugs, or in general interacting with the open source projects used, you're sharing in both the costs and benefits of the code base.
At Microsoft, we recognize the benefits of using open source responsibly when developing products and services and encourage our customers and the larger technology community to do the same.
Security Risks of Open Source

Open source, like any software, can contain security defects, which can become manifest as vulnerabilities in the software systems that use them. Since source code is generally available for open source components, it can often be easier for security researchers to identify new vulnerabilities, and while most researchers will follow responsible disclosure methods when reporting issues to the maintainer, there is a risk that some vulnerabilities will become weaponized and used to attack systems that use them.

Exacerbating this, open source components are generally released as needed, often with little to no advance notice to the user community, so when a vulnerability is fixed and a new release is published, there is often a lag until users can upgrade to the new version; this lag can give adversaries time to create and launch an exploit. As a result, it's very important to update open source components in a timely manner, especially when they contain security fixes.
Thinking about Open Source

Software organizations typically interact with the open source community in a few different ways:
- Use—integrating open source components within an application.
- Distribute—Releasing an application or component under an open source license.
- Collaborate—accepting external contributions (for example via pull requests) to distributed open source components.
- Contribute—Submitting patches or pull requests to external open source components.
The first item, “use”, presents the clearest security risk to most organizations due to how vulnerabilities in those components can affect the security of the systems that use them.

Practices

Here are the minimum steps you must take to properly manage this risk.

Inventory Open Source

Understand which open source components are in use and where.

Learn more

Perform Security Analysis

Ensure all identified components are free of security vulnerabilities.

Learn more

Keep Open Source Up to Date

Keep open source components up to date.

Learn more

Align Security Response process

Prepare an approach that aligns with your overall security response plan.

Learn more

Practice #1—Inventory Open Source

The first step of properly managing the use of open source software components is to understand which components are in use. Even in small organizations, this usually requires automation. Fortunately, modern agile development practices already rely heavily on automated tooling, and so are easily adapted to include capabilities in this area.

There are many tools available in this space, including open source tools like NPM Audit and OWASP Dependency Check, and commercial services like GreenKeeper, Snyk, and WhiteSource Bolt, among many others. We aren't specifically endorsing any specific tool or service here, as they each have different strengths and weaknesses; perform a thorough evaluation before deciding on an inventory solution.

Inventory generation should take place at a natural point in your development lifecycle, such as during pull-request validation or branch merging, with the inventory results being stored centrally and accessible to appropriate personnel (including your security response team). Be sure to include enough metadata in the inventory to identify the application, source repository, version/commit, and other details from which the inventory was derived.

Practice #2—Perform Security Analysis

All identified components should be validated to ensure they are free of security vulnerabilities, to the level of fidelity required by your organization. For example, in increasing order of both cost and fidelity, consider the following activities:

Check for public vulnerabilities—ensure the open source components do not contain publicly-known vulnerabilities, such as those with reported CVEs or with vulnerabilities described in other public resources.
Use commercial security intelligence—use additional vulnerability data sources (such as from data vendors) to augment the public vulnerability data.
Perform static analysis—use static analysis tools to validate that the open source components do not contain unreported security vulnerabilities. Report any newly-identified vulnerabilities to the open source project's author so it can be remediated.
Perform comprehensive security reviews—in addition to the prior points, perform a comprehensive security review of the open source component.

Most of the open source inventory tools described above provide alerting capabilities for public vulnerabilities, with the commercial solutions potentially offering additional security information.

Public Vulnerabilities Commercial Security Intelligence In-House SAST Analysis Comprehensive Security Audits

All organizations that use open source should have a strategy for responding when new vulnerabilities are disclosed. This often takes the form of monitoring the National Vulnerability Database for new information, or using tools built into a package manager (such as NPM Audit). While these certainly provide value, there are a few reasons why organizations shouldn't stop here:

There is no requirement for an open source project to report vulnerabilities up centrally. Details may exist in a GitHub issue, change log, or commit message, but would not be easily discoverable.
The vulnerability may have been found by an attacker, or a security researcher that is unwilling to publicly disclose the issue.
The project author fixing a bug may be unaware that it's actually a vulnerability, and so has no reason to report it.

Commercial security intelligence sources augment public vulnerability data with additional information, and while the details vary by vendor, they generally include things like:

Higher-fidelity vulnerability data – which versions of a component are affected, and to what extent?
Dependency information – which components are affected because they depend on a vulnerable component?
Mitigation guidance – if upgrading to a new version isn't viable, can the risk be otherwise mitigated?

Capabilities vary widely here; we strongly encourage you to do your own research and select a vendor that can help you mitigate the risks that you believe will affect you.

Since open source components, by definition, have source code available, it's feasible to use security tools, such as static analysis, to identify new vulnerabilities. This can significantly improve your understanding of the security posture of an open source component, often resulting in newly-identified security vulnerabilities (which we strongly encourage you to report back to the open source project to be fixed).

Like the commercial data vendors, the capabilities of static analysis tools vary widely, and you should select one (or more) that fit both the technology stacks commonly in use and your preferred software development methodology. In general, we recommend adding static analysis capabilities to multiple points in your software development lifecycle (for example, an IDE-based tool like Roslyn or DevSkim as well as a more comprehensive static analysis tool as part of a CI/CD pipeline).

Review SDL Practice #9 for more information on static analysis tools.

A comprehensive security audit of an open source component can provide the highest level of assurance that the component is highly secure. Such an audit should include multiple areas, including:

Project Health. Is the component still maintained? Does it have a history of security vulnerabilities? Does the author release security fixes in a timely manner?
Public Vulnerabilities. Are there publicly-known vulnerabilities, either explicitly (for example, CVEs) or discoverable in the project’s issues list?
Static Analysis. Run high-quality static analysis tools to identify potential security vulnerabilities.
Dynamic Analysis. For certain types of components, perform active testing (such as web-based “black-box” testing, fuzzing.)
Secure Configuration. Understand whether there are security-sensitive configuration settings that should be enabled when using the component.
Code Review. Use the static analysis results to perform a directed code review, looking for security vulnerabilities. If any are found, build additional static analysis rules to catch the vulnerability next time.

Once this work is complete, document the findings for other teams in your organization to leverage. If any new security vulnerabilities were found, work with your security response team to inform the open source authors and if possible, suggest a fix.

Practice #3—Keep Open Source Up to Date

One of the most effective ways to manage security risk related to the use of open source is to keep components up to date, even in the absence of known vulnerabilities. This can be a security benefit because security vulnerabilities are often fixed without explicit public disclosure, and while the engineering cost of doing this isn’t free, benefits extend beyond security (such as engineering agility, taking advantage of new features and bug fixes).

Practice #4—Align Security Response Processes

When a vulnerability is found or reported in an open source component, you should have a strategy for managing the process, which should align directly with your organization’s overall security response plan. At Microsoft, we use the Microsoft Security Response Center to coordinate response activities related to vulnerabilities in open source components.

Review SDL practice #12 Establish a Standard Incident Response Process

Open Source Security

Using Open Source

Benefits of Open Source

Security Risks of Open Source

Thinking about Open Source

Inventory Open Source

Perform Security Analysis

Keep Open Source Up to Date

Align Security Response process

Practice #1—Inventory Open Source

Practice #2—Perform Security Analysis

Practice #3—Keep Open Source Up to Date

Practice #4—Align Security Response Processes