“Release notes are a good place to provide details about a vulnerability, but a poor choice for notifying users about it”
Snyk’s latest report, titled The State of Open Source Security, emphasized the importance of the overall security of open source. We’ve previously suggested that you should be mindful about where your code is coming from, but this doesn’t mean you shouldn’t use open source code. We talked with Guy Podjarny, CEO and co-founder of Snyk, about all this and more.
JAXenter: According to the latest State of Open Source Security report, 75 percent of vulnerabilities are not discovered by the maintainer and nearly 80 percent of maintainers claim they have no public-facing disclosure policy in place. What does this mean? What are the consequences of not having a public-facing disclosure policy in place?
Guy Podjarny: Our data showed OSS maintainers lack security expertise and rarely audit their code, and so it’s not surprising most vulnerabilities are discovered by someone external to the project. This makes the fact few projects have a public-facing disclosure policy especially troubling. Without a clear disclosure policy, researchers are more likely to simply disclose the issue publicly (before a fix is available), or not report it at all.
JAXenter: Once a vulnerability has been addressed, users must be informed as soon as possible so they know what steps to take to secure their applications. Almost 90 percent of authors inform users via release notes, 34 percent choose to deprecate the version and 25 percent don’t tell users about security issues. How do you feel about the fact that almost 90 percent choose release notes to notify users of vulnerabilities?
Guy Podjarny: Release notes are a good place to provide details about a vulnerability, but a poor choice for notifying users about it. A typical developer consumes hundreds of frequently updated libraries, and can only cope with reviewing the release notes of a select few. Notifications need to be proactive, highlighting precisely the cases where there’s an urgent need to upgrade – or at least review the details. Deprecating versions and notifying alerting services like Snyk (who would be monitoring those release notes as well) is a far better notification vehicle.
JAXenter: In your view, should vulnerabilities be posted publicly?
Guy Podjarny: Vulnerabilities shouldn’t be posted publicly until a fix is available, implying they need to go through a private disclosure process first. The moment a vulnerability becomes public, the risk of it being exploited increases dramatically, and the lack of a fix gives attackers unnecessary extra time to do so. Of course, if the maintainer doesn’t respond to a private disclosure it should be made public within a reasonable amount of time, a process called Responsible Disclosure.
JAXenter: When asked how they keep dependencies up to date, 47 percent of users said they occasionally do a sweep to bump versions while 42 percent use tools to alert them to vulnerable dependencies. However, 16 percent don’t update — how do you feel about these findings? What are the risks of choosing not to update?
Guy Podjarny: Updating dependencies is an exercise in risk management. Using a new version means change, and may inadvertently introduce bugs in the application, hence creating a risk, while not updating delays bug fixes, performance improvements and – most importantly – vulnerability fixes. A disclosed vulnerability changes the risk equation dramatically, and so the key to success is to make sure you’re well informed about them, and ready to act.
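The proactive, per-dependency alert that Podjarny contrasts with release notes, written here as an added example (not Snyk’s code and not from the interview): it triages a constructed dependency manifest against a constructed advisory feed, separating urgent upgrades with a fix available from unfixed issues that only need review, and flags versions the maintainer deprecated. The package names, versions and the feed format are assumptions.

```python
"""Proactive vulnerability alerting over a dependency manifest (added example).

Assumes a simplified advisory feed: each entry names a package, the first
vulnerable version, the version the fix landed in (None if still unfixed), and
whether the maintainer deprecated the affected release. All data is constructed.
"""
from typing import Optional

# Constructed sample manifest: what an application currently has installed.
INSTALLED = {"left-widget": "1.4.2", "yaml-parse": "0.9.0",
             "fast-json": "2.1.0", "tiny-log": "3.0.1"}

# Constructed advisory feed (hypothetical packages and versions).
ADVISORIES = [
    {"package": "left-widget", "introduced": "1.0.0", "fixed_in": "1.4.3", "deprecated": True},
    {"package": "yaml-parse", "introduced": "0.8.0", "fixed_in": None, "deprecated": False},
    {"package": "fast-json", "introduced": "2.2.0", "fixed_in": "2.2.1", "deprecated": False},
]


def parse_version(v: str) -> tuple:
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically, not lexically."""
    return tuple(int(x) for x in v.split("."))


def is_affected(version: str, introduced: str, fixed_in: Optional[str]) -> bool:
    """True when version lies in [introduced, fixed_in), or at/after introduced if unfixed."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed_in is None or v < parse_version(fixed_in)


def triage(installed: dict, advisories: list) -> dict:
    """Return {package: recommended action} only for dependencies that need attention."""
    actions = {}
    for adv in advisories:
        pkg = adv["package"]
        version = installed.get(pkg)
        # Skip packages we don't use and versions outside the vulnerable range.
        if version is None or not is_affected(version, adv["introduced"], adv["fixed_in"]):
            continue
        if adv["fixed_in"]:
            actions[pkg] = f"upgrade to {adv['fixed_in']}"
        else:
            actions[pkg] = "no fix yet: review advisory"
        if adv["deprecated"]:
            actions[pkg] += " (installed version deprecated)"
    return actions
```

Running `triage(INSTALLED, ADVISORIES)` flags only left-widget and yaml-parse; fast-json is installed below the affected range and tiny-log has no advisory, so neither generates noise.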
JAXenter: What is the value of open source? How about its challenges?
Guy Podjarny: Open source lets organizations tap into the incredible wealth of knowledge and resources of the community as a whole – something no single organization can achieve – dramatically boosting their productivity. Its primary challenge is one of ownership. OSS maintainers are providing value for free, and work hard to make time and get funding to continue doing so. OSS consumers, however, consume these projects in large quantities, treating them as off-the-shelf software without accepting responsibility for keeping them secure.
JAXenter: A few years ago, Michael Skok, founding partner at Underscore VC and EIR at Harvard Business School published an article titled Open Source is Eating the Software World. Do you agree with his statement? Is open source eating the world?
Guy Podjarny: It is. Both Gartner and Forrester have stated that between 80-90% of commercial software developers use open-source components. Open-source is used by organizations all over the world, from every vertical imaginable. If you’re not using open-source technology in some way today, you have to reinvent what the world has already created, and are certainly falling behind.
JAXenter: With everything that’s happening and all the security issues, how much is too much open source? How important is it to know exactly where your code is from?
Guy Podjarny: I don’t think it’s a case of “too much” open source. The benefits of open source are too many and too great for us to ignore. But it’s important to understand that you need to take its security seriously. You’re inheriting not just the code, but all the risks as well. You need to put in place the tools and processes to flag and address security flaws in open source code to make sure your application, and your users, are kept safe.
To read more about open source, download the latest issue of JAX Magazine:
Open source skills are a boost for career prospects — if you don’t believe it, it’s time to bring out the big guns.
We invited the Eclipse Foundation, The Apache Software Foundation, Cloud Foundry, Red Hat, Hyperledger and more to show you why open source is important. You’ll surely learn a lot from their experiences!
But don’t take my word for it! Open the magazine and allow their passion to “infect” you.