More is the word of the day: more software with more flaws that can be exploited by more attackers. In March and April, multiple events left cybersecurity teams scrambling to address real and potential attacks:
- March 6, 2017 — The Apache Foundation announces a previously undiscovered flaw in one of the most commonly used web application frameworks, Struts 2. The vulnerability dates to 2012. Two weeks later, several variations of the new attack vector are announced.
- April 06, 2017 — the first public reporting of a Struts 2 attack when malicious hackers use the new exploit to deliver ransomware targeting Windows servers.
- April 18, 2017 — Oracle announces the largest quarterly Critical Patch Update in the company’s history: 299 patches cover a variety of vulnerabilities including some known for years.
- April 27, 2017 — Verizon’s 10th Annual Breach Report states healthcare is the second most attacked sector and successful ransomware attacks doubled in 2016.
The common threads across each of these events: flawed third-party software code and the widespread use of vulnerable code.
The Code’s The Thing
Think of an iceberg; the smallest risk is the part you see above water. The same is true of modern software, particularly web applications. The code you write is somewhere between 10 and 20 percent of the total software stack. The remaining 80 to 90 percent of the stack is generally third-party code from a library or downloaded from a central repository. It may also include software provided with the platform or server. You have little to no visibility into this code and even less ability to remediate or protect against flaws — known or unknown — using traditional security tools.
One major testing vendor, Black Duck, published a report in April 2017 reinforcing just how pervasive the use of open source code has become in modern software architecture. Consider 96 percent of the more than 1,000 commercial applications scanned contained open source components. The average number of unique third-party components: 147.
The same report found 67 percent of applications had known open source code vulnerabilities, with an average of 27 known flaws per application. Slightly more than half of those flaws — 52 percent — had a “High Severity” CVSS score.
The Many Ways Open Source Flaws Can Impact You
Statistics about open source use are important, but nothing brings home the point like reality. When the April 2017 Oracle Critical Patch Update was released, it immediately became the poster child for the security risks associated with the use of open source software components. Not only were individual organizations having to fix their own code based on third party software, so was the world’s second largest software maker.
The CPU included belated remediation for more than one dozen high-profile vulnerabilities which, in some cases, date back as far as five years. Included in these late fixes were the “celebrity superstar” vulnerabilities Apache Struts v1 and v2, as well as Apache Commons, some of the most widely used open source components.
It’s too early to know if the late April ransomware attack on Greenway Health was the result of a third-party software flaw, but open source vulnerabilities have been tied to ransomware attacks via Microsoft products including targeted attacks against hospitals in multiple states. Like Oracle, Microsoft has since issued patches to address the specific vulnerabilities.
This certainly begs the question: if the most sophisticated software companies on the planet cannot prevent flawed third-party code from impacting their signature products, how can an IT team at a regional or local healthcare company do so?
A Two Front War
Security and Development teams are currently fighting a two-front war against non-stop attacks from hackers and, more recently, the tidal wave of software flaws being embedded in software stacks from third party components. The simplistic, popular answer to this issue is to “just write better code.” That belies reality.
The sheer number of software vulnerabilities and the ubiquitous nature of software flaws mean the protective measures we’ve relied on for decades are now unable to provide the level of protection required. A two-year OWASP study reported leading testing vendors found 2.3 million known vulnerabilities in applications across nearly 55,000 applications. Finding vulnerabilities is not the problem, fixing them is.
Billions of lines of new code are being written each year and as many as 50 billion new networked industrial devices — including medical devices — are expected in the next three years. It’s time for cybersecurity experts, medical professionals, and business leaders to sit down to figure out how to rapidly transition to the newer technologies that automate security, are highly accurate, and don’t create the side effects such as false positives the current set of solutions do. When that happens, ransomware and other attacks will be stopped long before they can cause harm.
About The Author
John Matthew Holt is the Founder and CTO of runtime application security firm Waratek. He holds more than 60 patents related to virtualization and runtime protection.
This article was published in Health IT Outcomes