
Open source Web apps: Spotting security flaws

Don't assume that your open source Web apps are secure. Expert Kevin Beaver explains the common vulnerabilities and how to include these systems in your security testing.

It wasn't that long ago that open source Web software was found only in niche areas of the enterprise. Today, there's hardly a network segment that doesn't have numerous open source-based Web systems running. From network infrastructure devices to storage systems to enterprise applications out in the cloud, it's safe to say that the fingerprints of open source Web apps are present in some capacity in every business.

With the pervasiveness of open source Web apps in the enterprise, it's surprising that more attention is not being paid to finding the flaws and keeping the systems in check. The open source movement has its share of bias toward it -- not unlike the support for certain operating systems over the years, such as Novell NetWare and Mac OS X. The proclamations have been: open source is, well, open source, and therefore it's secure. The presumption is that since the source code is available, it means that everyone has scrutinized it and already resolved its flaws, making it resilient against attacks. The modus operandi here is bystander apathy, where people sit around assuming someone else is taking care of things.

Obviously, trusting that all is well with security because someone else is in charge is not a good long-term information risk management strategy. If anything, the security issues surrounding SSL and all its Web-based open source tie-ins should be example enough that open source is not without its security challenges. But there's more -- a recent study from Netsparker, a Web application vulnerability scanner vendor, found numerous security holes in the open source Web apps that so many enterprises trust and depend on. Since 2011, the company has scanned 396 open source Web apps and has identified 269 vulnerabilities, including cross-site scripting (180), file inclusion (16) and SQL injection (55).

I'm often skeptical of such vendor-based research, but I'm seeing these very things myself in my work performing Web application vulnerability and penetration testing. In fact, the majority of the flaws, especially the more critical ones, are found on open source platforms. It's more than just what Web vulnerability scanners uncover. I've found that scanners only find about half of all Web vulnerabilities. The other half are uncovered via a good, old-fashioned Web browser. Such findings go beyond traditional Web security issues to include things that impact every application such as password policies and enforcement, business logic weaknesses and the like.

Don't blindly trust that open source Web apps are secure from attack just because they’re "free" or running on seemingly noncritical systems. Enterprises should not only include these systems in their ongoing security testing, but they might also consider performing static source code analysis using a commercial tool such as Checkmarx or even an open source tool such as Brakeman. Making open source software part of your enterprise's ongoing patch management program is critical. Enterprises should integrate their open source applications into their system monitoring and alerting, as well as their overall incident response procedures. The important thing is to keep open source systems high on the radar and never let them out of sight. It's "trust but verify" at its finest.


This was last published in May 2016
