In this comprehensive exploration, we journey through the evolving landscape of product security for Product Owners. As technology advances at an unprecedented pace, we unravel the challenges and opportunities that come with open-source software. From understanding the risks associated with open-source vulnerabilities to deploying robust strategies in the development process, our mission is to equip Product Owners with the knowledge and tools to safeguard their creations. Join us as we unveil the intricate world of product security, offering insights and solutions to ensure the integrity of your digital innovations.
As technology evolves at a breakneck pace, so do the challenges that product owners face in safeguarding their creations. In this ongoing series, we delve into the intricate world of product security, illuminating the strategies and insights every Product Owner should possess. In our inaugural article, we ventured into the realm of threat analysis and the STRIDE method. Now, in this installment, we’ll touch on open-source vulnerabilities, ways to detect potential risks, and using checks in the build process to avoid releasing vulnerable code.
Using open-source software in commercial products can offer numerous benefits, such as cost and time savings through readily available code, and access to a vibrant developer community, but it also comes with several risks that businesses should carefully consider. These can include:
Open-source software is often released under specific licenses and failing to comply with the requirements of then can lead to legal issues.
Open-source components can contain security vulnerabilities that may not receive immediate attention or updates.
Managing dependencies from multiple open-source libraries and frameworks can be complex and time-consuming.
The quality and reliability of open-source code can vary widely.
You may not always receive timely assistance for your specific needs.
Integrating open-source components may require additional effort and could introduce compatibility issues.
Utilising heavily on open-source components can lead to becoming overly reliant on a particular project or service provider.
Documentation and Training
Open-source software often lacks comprehensive documentation and training resources
Looking more deeply into Security Vulnerabilities, then one of the more talked about attack vectors currently is called supply chain hacking (1). This is where attackers compromise open-source software by injecting malicious code into popular libraries or repositories. This can result in hostile actors targeting and compromising a trusted supplier or service provider to gain unauthorized access or control over a target organization's systems or data. These attacks exploit the trust established between organizations and their suppliers. This can go unnoticed for extended periods and impact many downstream products, products, or services.
This type of attack can be conducted several ways, firstly via “typosquatting” which is a method that relies on people misspelling a package name and consequently downloading malicious code. The attack in the linked article exploited “dependency confusion” (2) and did not need the victim to perform any action.
The chief concern with open-source components is that they can contain security vulnerabilities that may not receive immediate updates. Integrating outdated or poorly maintained open-source code can expose your commercial software to security risks and potential breaches. Vulnerabilities in an inactive project may mean no fix is ever released and potentially you’ll not even receive a notification of the exposure.
Another concern is that you might not even be aware that open-source software is used within your codebase. Via indirect dependencies you might use components inadvertently through other dependencies. These indirect dependencies can make it challenging to track vulnerabilities in a comprehensive manner. If you've made custom modifications to open-source code in your project, you might not receive automatic updates and might not be aware of vulnerabilities in the original codebase.
One technique to alleviate the risk in open-source software is to use dependency tracking software, also known as dependency management tools or dependency scanners. These help product owners, developers and organizations manage and monitor the dependencies in their software projects, including open-source libraries and components. These tools can be invaluable in identifying and addressing open-source vulnerabilities.
Essentially these tools have three main functions, they identify dependencies by automatically detecting and listing all the third-party libraries and components that your software relies on, including open-source ones. From this its then possible to look at the versions of each dependency used in your project, products, products, or services, ensuring you are aware and able to manage what is currently in use. Once the dependency and version are known then it’s possible to perform vulnerability scanning. Many of these dependency tracking tools integrate with databases of known vulnerabilities (3), such as the National Vulnerability Database (NVD) or within the programming language ecosystems where known issues with SQL injection or deployment failures are listed.
As a product owner you can utilize a dependency tracking software tool in your development process to assist you with risk assessment, as the tools will categorize each vulnerability found by severity, helping you prioritize which issues to address first.
By incorporating dependency tracking software into your continuous integration/continuous deployment (CI/CD) pipeline you can set it up so that it repeatedly scans the codebase for risks and fails the build process when known vulnerabilities over a set threshold are found. This failed build will need to be addressed before it can be merged and promoted.
However, in defiance of open-source software a Product Owner can benefit hugely from the community, via:
Open-source software is typically free to use, which can significantly reduce development costs, especially for startups and small businesses.
Leveraging active communities of developers and users can lead to faster development, bug fixes, and enhancements through collaborative efforts.
Open-source components can accelerate the development process by providing pre-built, tested, and well-documented code.
Open-source software is transparent and promotes trust by allowing developers to verify that there are no hidden vulnerabilities or backdoors.
Open-source code can be modified and customized to meet specific business requirements.
No Vendor Lock-In
You are not tied to a single vendor or provider when using open-source software, giving you more control and flexibility over your technology stack.
Active open-source software can be more secure because many eyes are reviewing and testing the code, thus vulnerabilities are often discovered and addressed more quickly.
Supporting and using open-source software aligns with ethical principles of transparency, collaboration, and the sharing of knowledge and resources
Contributing to or sponsoring open-source projects can enhance your company's reputation and brand image, showing a commitment to the broader tech community.
As a Product Owner, it's vital to acknowledge that your codebase likely harbors hidden gems of open-source software, brimming with possibilities and pitfalls. These code snippets come with a dual nature—offering time savings and convenience while carrying potential vulnerabilities. The good news is, by knowing that there are tools to help you address these risks and processes you can put in place to minimise the chances of releasing vulnerable code, your journey to ensuring that your software ships smoothly is plain sailing.