With Open Source, There’s no “Patch Tuesday”

The recent disclosure of new vulnerabilities in Joomla highlights the attractiveness to hackers of vulnerabilities in popular open source projects. Open source has characteristics that make it a compelling target for several reasons:

  • Open source software, such as Joomla, is widely used by organizations across multiple vertical markets. From an attacker’s point of view, vulnerabilities in Joomla represent a target-rich environment.
  • Vulnerabilities such as this are publicly disclosed, and therefore provide attackers with targets and, often, exploits. As seen in the CSO article, the response time from attackers is quick; they recognize and attempt to exploit a window of opportunity prior to users upgrading to a patched version of Joomla.
  • That speed is understandable, but attackers rarely need it to succeed. Because open source typically has a “pull” support model (users must monitor each project for updates themselves, whereas commercial vendors “push” patches to them), many organizations will not be aware of the vulnerability, or will not prioritize upgrading their Joomla sites. In most cases, vulnerabilities in open source remain exploitable for months. Verizon’s 2015 Data Breach Investigations Report found that "99.9% of the exploited vulnerabilities had been compromised more than a year after the associated CVE was published."

Unlike closed source applications such as those built by Microsoft, there is no Patch Tuesday pushing out security updates; the responsibility for tracking and updating components falls on the users.

What can we do? The first step is to understand what open source applications and components are used in our environments. Next, we need to understand the “hygiene” of those components in terms of reported vulnerabilities. Finally, recognizing the “pull” support model of open source, we need to continuously monitor the threat environment for new vulnerabilities, and map those to the open source we use.
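The three steps above (inventory the components, check them against reported vulnerabilities, and keep re-checking as new ones are published) can be automated once both the inventory and the vulnerability feed are in a structured form. The following is an added example written for this post, not code from the original article or from any Black Duck product. The inventory, the vulnerability records and their identifiers (VULN-0001 and so on) are constructed for illustration; a real feed such as NVD uses CPE and CVSS fields and needs a proper parser, and the version comparison here handles only dotted numeric versions.

```python
"""Map an open source component inventory to a vulnerability feed and
report what is affected, plus what is new since the last run.

Added example for this post. All data below is constructed; the VULN-*
identifiers are placeholders, not real CVE numbers.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Component:
    """One entry in the inventory: what we run and which version."""
    name: str
    version: str


@dataclass(frozen=True)
class Vuln:
    """One feed record: affected product and the version range it covers."""
    vid: str                 # placeholder identifier (constructed)
    product: str
    introduced: str          # first affected version, inclusive
    fixed: Optional[str]     # first fixed version, exclusive; None if unfixed


def parse_version(v: str) -> Tuple[int, ...]:
    """'3.4.5' -> (3, 4, 5). Trailing zeros are dropped so 3.4 == 3.4.0.
    Only dotted numeric versions are handled; pre-release tags are out of scope."""
    parts = [int(p) for p in v.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_affected(component: Component, vuln: Vuln) -> bool:
    """True when the component's version falls inside [introduced, fixed)."""
    if component.name.lower() != vuln.product.lower():
        return False
    v = parse_version(component.version)
    if v < parse_version(vuln.introduced):
        return False
    return vuln.fixed is None or v < parse_version(vuln.fixed)


def match_inventory(inventory: List[Component],
                    feed: List[Vuln]) -> Dict[Component, List[str]]:
    """Return {component: [vuln ids]} for every component hit by the feed."""
    findings: Dict[Component, List[str]] = {}
    for comp in inventory:
        hits = [v.vid for v in feed if is_affected(comp, v)]
        if hits:
            findings[comp] = hits
    return findings


def new_findings(previous: Dict[Component, List[str]],
                 current: Dict[Component, List[str]]) -> Dict[Component, List[str]]:
    """Continuous monitoring: only the ids not already known for a component
    last run, so a repeated report does not bury a newly published one."""
    delta: Dict[Component, List[str]] = {}
    for comp, ids in current.items():
        fresh = sorted(set(ids) - set(previous.get(comp, [])))
        if fresh:
            delta[comp] = fresh
    return delta


# Constructed inventory: two Joomla installs on different versions plus a library.
INVENTORY = [
    Component("joomla", "3.4.4"),
    Component("joomla", "3.4.6"),
    Component("examplelib", "1.2"),
]

# Constructed feed. Ranges are illustrative, not real advisories.
FEED = [
    Vuln("VULN-0001", "joomla", "3.2.0", "3.4.6"),
    Vuln("VULN-0002", "examplelib", "1.0", None),       # no fix published yet
    Vuln("VULN-0003", "joomla", "3.4.6", "3.4.7"),
]

# Constructed snapshot of the previous run: only VULN-0001 was known then.
PREVIOUS_RUN = {Component("joomla", "3.4.4"): ["VULN-0001"]}


if __name__ == "__main__":
    current = match_inventory(INVENTORY, FEED)
    for comp, ids in current.items():
        print(f"{comp.name} {comp.version}: {', '.join(ids)}")
    for comp, ids in new_findings(PREVIOUS_RUN, current).items():
        print(f"NEW since last run: {comp.name} {comp.version}: {', '.join(ids)}")
```

The point of `new_findings` is the "pull" model: since nobody will push the advisory to you, the matching has to be re-run against a refreshed feed on a schedule, and the diff against the last run is what actually needs a human's attention. Persisting the previous result (a JSON file, a database row) replaces the constructed `PREVIOUS_RUN` dictionary in practice.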

Open source adds tremendous value to organizations. However, it pays to be conscious of the risk it can pose, and take appropriate steps to mitigate that risk.
