
You're Using Unsafe Open Source Libraries

Most if not all devs use open-source code in their development projects. But recently the need to scan these libraries for bugs has become abundantly clear.

by Tomer Shay (Shimshi)
Jun. 16, 17 · Security Zone · News

It's only been six months since Google released the beta of its new tool OSS-Fuzz, and it's already proving to be an amazing tool, both for open-source developers and for the communities that use and support their projects.

OSS-Fuzz's goal is to make common software infrastructure more secure and stable. Google started this effort to bring the widely used open-source infrastructure libraries under one security umbrella and to run regular fuzz tests against them.

A fuzz test is a software testing technique used to discover security vulnerabilities and coding errors that may lead to an attack capable of compromising sensitive data or denying a service. Simply put, fuzzing means feeding an application or library large volumes of varied, often malformed, input with the goal of crashing it or triggering some latent bug. For example, sending "1125$$@12%!zz" as the input for a person's first name might crash the application if it does not validate its inputs properly.
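To make the mechanics concrete, here is an added example (not code from the article or from OSS-Fuzz itself) in the shape OSS-Fuzz consumes: a hypothetical `parse_first_name` target that validates its input, the libFuzzer-style `LLVMFuzzerTestOneInput` entry point the engine would call with each generated input, and a small stand-alone driver that mimics the engine with random bytes. The function names and the 32-byte name buffer are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical target: copy a "first name" into a fixed buffer, accepting only
 * letters, hyphens and apostrophes. Returns 0 if accepted, -1 if rejected.
 * The length check is the "validated properly" the article refers to. */
int parse_first_name(const uint8_t *data, size_t size, char *out, size_t out_cap)
{
    if (out_cap == 0 || size >= out_cap)    /* leave room for the terminating NUL */
        return -1;
    for (size_t i = 0; i < size; i++) {
        uint8_t c = data[i];
        int ok = (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') || c == '-' || c == '\'';
        if (!ok)
            return -1;                      /* e.g. "1125$$@12%!zz" is rejected here */
    }
    memcpy(out, data, size);
    out[size] = '\0';
    return 0;
}

/* libFuzzer / OSS-Fuzz entry point: the engine calls this once per generated input.
 * A crash, a sanitizer report or the abort() below is what OSS-Fuzz files as a bug. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    char name[32];                          /* assumed fixed-size field */
    if (parse_first_name(data, size, name, sizeof name) == 0) {
        /* Any accepted name must be a NUL-terminated string of exactly `size` bytes. */
        if (strlen(name) != size)
            abort();
    }
    return 0;
}

/* Stand-alone driver (not part of libFuzzer): pushes `iterations` random inputs,
 * some longer than the name buffer, through the entry point and returns how many
 * the target rejected. With real libFuzzer this loop is replaced by the engine. */
int smoke_fuzz(unsigned seed, int iterations)
{
    uint8_t buf[40];                        /* larger than name[32] on purpose */
    char scratch[32];
    int rejected = 0;
    srand(seed);
    for (int i = 0; i < iterations; i++) {
        size_t len = (size_t)rand() % sizeof buf;
        for (size_t j = 0; j < len; j++)
            buf[j] = (uint8_t)(rand() & 0xff);
        LLVMFuzzerTestOneInput(buf, len);   /* exercise the harness check itself */
        if (parse_first_name(buf, len, scratch, sizeof scratch) != 0)
            rejected++;
    }
    return rejected;
}
```

Built with `clang -fsanitize=fuzzer,address`, the same file (minus the driver) is what an OSS-Fuzz project would ship; a harness that drops the length check would be reported by AddressSanitizer on the first oversized input.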

In the last few months, OSS-Fuzz has scanned dozens of popular libraries for this sort of bug, and it did not come back empty-handed: it discovered close to 1,000 bugs, hundreds of which are high-risk security vulnerabilities, memory-safety issues, and other serious defects.

As examples, these are the bug counts found in some popular open-source projects:

  • FreeType2: 10 bugs
  • FFmpeg: 17 bugs
  • LibreOffice: 33 bugs
  • SQLite: 8 bugs
  • Wireshark: 7 bugs

And the list goes on (libxml2, libpng, lcms, JSON, and others are included).

The important part to understand here is not that OSS-Fuzz found some bugs in some open-source libraries. It is the part that impacts you, as a developer or as a manager in a tech company whose products rely on this critical open-source infrastructure to function: once those libraries contain a bug, your software contains that bug, and your customers are potentially exposed to those security loopholes.

So what can you do? First, start tracking those bugs and make sure they are resolved, or at least that they pose no threat to your customers.

Also, keep track of the projects on OSS-Fuzz's list, as it is updated once in a while with new open-source code, and you might be using some of it.

Summary

When using open-source libraries, you can't assume you are safe. Those libraries are written by programmers just like you and me, who make daily mistakes, just like you and me.

Therefore, you need to keep an eye (or maybe two eyes) on the security status of these libraries, before integration, and especially after you have integrated them and shipped them in your production products.

Keep it safe (and simple)!


Published at DZone with permission of Tomer Shay (Shimshi), DZone MVB. See the original article here.
