With Open Source, There’s no “Patch Tuesday”

The recent disclosure of new vulnerabilities in Joomla highlights how attractive vulnerabilities in popular open source projects are to hackers. Open source is a compelling target for several reasons:

  • Open source software such as Joomla is widely used by organizations across multiple vertical markets. From an attacker’s point of view, a vulnerability in Joomla represents a target-rich environment.
  • Vulnerabilities such as these are publicly disclosed, and therefore provide attackers with targets and, often, exploits. As seen in the CSO article, attackers respond quickly: they recognize and attempt to exploit the window of opportunity before users upgrade to a patched version of Joomla.
  • That urgency is understandable, but not always required for attackers to succeed. Because open source typically has a “pull” support model (users must monitor open source projects for updates, as opposed to the “push” model of commercial software), many organizations will not be aware of the vulnerability, or will not prioritize upgrading their Joomla sites. In most cases, vulnerabilities in open source remain exploitable for months. Verizon’s 2015 Data Breach Investigations Report found that "99.9% of the exploited vulnerabilities had been compromised more than a year after the associated CVE was published."

Unlike closed source applications such as those built by Microsoft, open source has no Patch Tuesday pushing out updates for security vulnerabilities; the responsibility for updating components falls on users.

What can we do? The first step is to understand which open source applications and components are used in our environments. Next, we need to understand the “hygiene” of those components in terms of reported vulnerabilities. Finally, recognizing the “pull” support model of open source, we need to continuously monitor the threat environment for new vulnerabilities and map them to the open source we use.
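The three steps above, as an added example that is not part of the original post: a constructed inventory of deployed components is matched against a constructed advisory feed, the lowest version that clears every matching advisory is computed, and advisories that have been public for longer than a set number of days while still unpatched are flagged. Component names, versions, advisory ids and dates are all constructed placeholders, not real Joomla data.

```python
from datetime import date
# Added example (not from the original post): a minimal "pull-model" check that
# maps a feed of advisories onto an inventory of deployed open source components.
# Component names, versions, advisory ids and dates are constructed placeholders.

def parse_version(v):
    """'3.4.4' -> (3, 4, 4); tuple comparison avoids the string trap '1.12.4' < '1.9.0'."""
    return tuple(int(part) for part in v.split("."))
# Step 1: know what open source is actually deployed (constructed inventory).
INVENTORY = {"joomla": "3.4.4", "jquery": "1.12.4", "phpmailer": "5.2.10"}
# Steps 2 and 3: advisories pulled from each project's own channels (constructed).
# 'introduced' is inclusive; 'fixed' is the first safe version (exclusive bound).
ADVISORIES = [
    {"id": "ADV-0001", "component": "joomla", "introduced": "1.5.0", "fixed": "3.4.5", "published": date(2015, 10, 22)},
    {"id": "ADV-0002", "component": "joomla", "introduced": "3.2.0", "fixed": "3.4.6", "published": date(2015, 12, 14)},
    {"id": "ADV-0003", "component": "jquery", "introduced": "1.0.0", "fixed": "1.12.0", "published": date(2014, 6, 1)},
    {"id": "ADV-0004", "component": "phpmailer", "introduced": "5.0.0", "fixed": "5.2.22", "published": date(2015, 12, 28)},
]
TODAY = date(2016, 1, 15)  # constructed "now" for the staleness check

def is_affected(installed, adv):
    v = parse_version(installed)
    return parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"])

def match_advisories(inventory, advisories):
    """(component, installed, advisory id, first fixed version) for each advisory that applies."""
    hits = []
    for adv in advisories:
        installed = inventory.get(adv["component"])
        if installed is not None and is_affected(installed, adv):
            hits.append((adv["component"], installed, adv["id"], adv["fixed"]))
    return hits

def upgrade_targets(inventory, advisories):
    """Lowest version per component that clears every advisory matched against it."""
    targets = {}
    for component, _installed, _adv_id, fixed in match_advisories(inventory, advisories):
        if component not in targets or parse_version(fixed) > parse_version(targets[component]):
            targets[component] = fixed
    return targets

def overdue(inventory, advisories, today, max_days=30):
    """Ids of matched advisories public for more than max_days: the window attackers rely on."""
    by_id = {adv["id"]: adv for adv in advisories}
    return sorted(adv_id for _, _, adv_id, _ in match_advisories(inventory, advisories)
                  if (today - by_id[adv_id]["published"]).days > max_days)

if __name__ == "__main__":
    print(upgrade_targets(INVENTORY, ADVISORIES), overdue(INVENTORY, ADVISORIES, TODAY))
```

In practice the inventory would come from a build manifest or package scan and the advisory feed from the projects' security announcements; the matching logic stays the same.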

Open source adds tremendous value to organizations. However, it pays to be conscious of the risk it can pose, and take appropriate steps to mitigate that risk.
