
Open source Web apps: Spotting security flaws

Don't assume that your open source Web apps are secure. Expert Kevin Beaver explains the common vulnerabilities and how to include these systems in your security testing.

It wasn't that long ago when open source Web software was found only in niche areas of the enterprise. Today, there's hardly a network segment that doesn't have numerous open source-based Web systems running. From network infrastructure devices to storage systems to enterprise applications out in the cloud, it's safe to say that the fingerprints of open source Web apps are present in some capacity in every business.

With the pervasiveness of open source Web apps in the enterprise, it's surprising that more attention is not being paid to finding the flaws and keeping the systems in check. The open source movement has its share of bias in its favor -- not unlike the loyalty certain operating systems have enjoyed over the years, such as Novell NetWare and Mac OS X. The proclamation has been: open source is, well, open source, and therefore it's secure. The presumption is that because the source code is available, everyone has scrutinized it and already resolved its flaws, making it resilient against attacks. The modus operandi here is bystander apathy: people sit around assuming someone else is taking care of things.

Obviously, trusting that all is well with security because someone else is in charge is not a good long-term information risk management strategy. If anything, the security issues surrounding SSL and all of its Web-based open source tie-ins should be example enough that open source is not without its security challenges. But there's more -- a recent study from Netsparker, a Web application vulnerability scanner vendor, found numerous security holes in open source Web apps that so many enterprises trust and depend on. Since 2011, the company has scanned 396 open source Web apps and has identified 269 vulnerabilities, including cross-site scripting (180), file inclusion (16) and SQL injection (55).

I'm often skeptical of such vendor-based research, but I'm seeing these very things myself in my work performing Web application vulnerability and penetration testing. In fact, the majority of the flaws, especially the more critical ones, are found on open source platforms. It's more than just what Web vulnerability scanners uncover. I've found that scanners only find about half of all Web vulnerabilities. The other half are uncovered via a good, old-fashioned Web browser. Such findings go beyond traditional Web security issues to include things that impact every application such as password policies and enforcement, business logic weaknesses and the like.

Don't blindly trust that open source Web apps are secure from attack just because they're "free" or running on seemingly noncritical systems. Enterprises should not only include these systems in their ongoing security testing, but also consider performing static source code analysis using a commercial tool such as Checkmarx or even an open source tool such as Brakeman. Making open source software part of your enterprise's ongoing patch management program is critical. Enterprises should integrate their open source applications into their system monitoring and alerting, as well as their overall incident response procedures. The important thing is to keep open source systems high on the radar and never let them out of sight. It's "trust but verify" at its finest.


This was last published in May 2016


How does your organization maintain open source web application security?

Unfortunately, in my observations, organizations rely too much on automatic scanners while being superficial in analyzing the results. Scanners typically report a lot of potential weaknesses, but someone with testing skills should investigate them and see what damage can be caused.

Open source Web apps are no more secure than in-house-built ones due to the weaknesses in the technology stack used by both. However, there are weaknesses and there are loopholes. Just because some field might be affected by a SQL injection doesn't mean that there will be any impact if this field is never used in a certain way that activates the injected code.