
The Open-Source Vulnerability that Keeps on Giving (and Taking)

Thought Heartbleed was old news, restricted to the annals of malware history? Most did. But this intrepid zero-day has made a recent comeback.


Disclosed in April 2014, Heartbleed is the vulnerability gift that keeps on giving to some -- and taking away from others. The latest example of this dynamic surfaced recently when the ICO, the UK's data regulator, levied a £100,000 fine against Gloucester City Council for poor security hygiene, which resulted in the theft of employees' personal information.

According to this article, the hackers took advantage of a software flaw in Gloucester City Council's website to download more than 30,000 emails from the council's mailboxes which contained financial and sensitive information about council staff.

The ICO stated that the hacker exploited the Heartbleed security bug in OpenSSL. But here is the problem for Gloucester City Council: a fixed version of OpenSSL was released on April 7, 2014, the same day Heartbleed was publicly disclosed. The implication is that Gloucester and its IT outsourcing partner did nothing for months to patch the vulnerability -- even though a fix was readily available. Thus Heartbleed is taking £100,000 from the council more than 3 years after the fact.

The ICO's report found that the council and its IT outsourcing partner were guilty of "serious oversight" which left staff emails open to attack months after Heartbleed had been disclosed and patched. The ICO's investigation found that the council did not have sufficient protocols to ensure that defective components are found and fixed as soon as possible whenever a zero-day vulnerability is announced. Heartbleed, as a result, is giving £100,000 to the ICO's coffers.

Companies today face tremendous pressure to innovate faster. Thus, demand for open-source components is growing exponentially. In the Java ecosystem alone, developers requested 17 billion components from the Central Repository in 2014, 31 billion in 2015, and 52 billion in 2016. Demand for JavaScript components is even stronger. In 2016, developers requested 59 billion components from the npm registry -- a 262% year-over-year growth.

Truth be told -- open-source software components form the foundation for 80-90% of every modern software application. So, in order to prevent another zero-day vulnerability like Heartbleed from wreaking havoc, enterprises are embracing new types of tools to automate open-source governance and to actively manage how components flow through their software supply chains.

Published at DZone with permission of Matt Howard, DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.