New research claims hackers have been targeting Microsoft's .NET recently, and the reason may be that the software has become open source.
According to Trend Micro Inc. threat analyst Jay Yaneza, the combination of more developers using .NET in applications and the ease with which hackers can find vulnerabilities in open source software has led to a boom in point-of-sale (POS) malware targeting Microsoft's .NET software.
Microsoft first made .NET software open source in November of 2014, and Chase Cunningham, Ph.D., threat intelligence lead at FireHost Inc., said it is natural that hackers have targeted the software since then.
"Any time something is put out in the open net for all to share and use, it will be ripped apart and re-engineered, as well," Cunningham said. "And in the cyber realm, typically, this means flaws will be found and often exploited. The more popular the tool or software, the more likely it is to be targeted or used for purposes outside of its actual intended use."
Various experts echoed Cunningham's sentiment, saying that it may not be a matter of open source software inherently being less secure, but that the more ubiquitous a piece of software is, the more it will be targeted -- and .NET is a very popular piece of software.
"Windows is a popular operating system and the .NET runtime has been bundled with the operating system since Windows Server 2003," said Garve Hays, solutions architect at NetIQ Corp. ".NET is an easily accessible development environment and makes a tempting target for perpetrators to increase their numbers."
However, .NET is in a precarious position because it has been around long enough to become popular, but it has only been open source a short time. Robert Hansen, vice president of security at WhiteHat Labs, noted that all open source software will have security issues at first.
"It takes time for code to stabilize and start seeing fewer issues once there is a new set of eyes on it. Also, it takes time to build a community of contributors that wants to devote the time to auditing the code," Hansen said. "That doesn't happen instantly and it requires dedication by a passionate group of people, or companies with vested interest. Until that happens, it will primarily be adversaries who are interested in the code, because they know they can make money."
Building that invested community of contributors can be difficult, Hansen said, because you need to find enough people with enough free time to audit the code thoroughly and contribute fixes back to the project.
Hays said that attracting contributors isn't always enough because open source security relies on both quality contributions and proper handling of "pull requests," in which a developer asks the maintainers of an open source project to review changes committed to a fork or external repository and consider merging them into the project's main repository.
"Committers typically only accept pull requests from credible contributors that have proven their capability and trustworthiness over time," Hays said. "Organizations that do not handle pull requests in such a manner need to get back to basics."
It takes time for this process to be ironed out, so Cunningham suggested that enterprises be wary of using open source projects and urged vigilance in terms of patching.
"Pandora's box opens quickly. Patch management is hard enough for any enterprise to do at scale and, honestly, it's pretty atrocious across the industry," Cunningham said. "Trying to push patches for open source items is a near impossibility. Most companies can't or won't patch what they pay for, much less something that is free."
Hansen agreed that waiting for an open source project to stabilize is ideal, noting that "it's best if you can be the second one in the pool." However, Hansen was optimistic that .NET will come out of this safer in the end.
"I don't blame Microsoft for this; it's just the nature of opening the kimono. Of course, people will find bugs, but if you think about it, that's actually a good thing long term," Hansen said. "The fewer bugs in the code, the better it can be. Of course, the short-term is painful, but the best thing for the ecosystem is to shine a very bright light on any issues that may have been lurking in systems for years."