Back to The Future: Why Your Commercial Present Is Vulnerable to The Open Source Past.

The 2018 health data breaches reported by the U.S. Department of Health and Human Services Office for Civil Rights caught my eye 

As of 21st August of 2018, 229 breaches have affected 6.1 million individuals according to the Department of Health and Human Services’ HIPAA Breach Reporting Tool website, AKA “wall of shame.” 

The majority of those breaches relate to the misuse—intentional or otherwise—of end-user technologies, such as mobile devices accessing sensitive or mission critical systems and data.

Back in the day we used desk bound terminals connected to the company’s servers by a cable as thick as your thumb to a neatly labelled port on the wall. But now we live in a time of distributed apps, and people and data operating over highly complex enterprise networks; not to mention the software development environment has never been more open.

The explosion of Open Source Software used to get new products and features to market means that your systems and products are now vulnerable to the “long tail” of Open Source security vulnerabilities. So, unless your developers and suppliers only ever use the least vulnerable version of an Open Source component (trust me, they do not) you can inherit vulnerabilities that go back years, even decades. Often easy to fix. Harder to find.

So, if you don’t track what Open Source has been used and where, you can’t remedy inherited issues or find and fix new vulnerabilities as once secure components become vulnerable. For example, multiple attacks in 2014 exploited the ‘Heartbleed’ software flaw in Open SSL (I can almost hear you rolling your eyes. Yes, Heartbleed again. Bear with me):

  • Community Health Systems—the US’s second largest profit-making hospital chain—confirmed in an 8K filing that 4.5 million patient records were obtained from a database.
  • The JPMorgan Chase data breach compromised data associated with over 83 million accounts in 76 million households and 7 million businesses.

How big a deal is this? Well, Open source web servers like Apache and nginx use OpenSSL:

  • In 2014, 66% of 958 millionactive sites on the Internet use Apache & ngnix (according to Netcraft’s April 2014 Web Server Survey).
  • In 2018 the same survey indicates its now around 60% of 6 Billion active sites.

Furthermore, OpenSSL is used to protect, for example, email servers (SMTP, POP and IMAP protocols), chat servers (XMPP protocol), virtual private networks (SSL VPNs), network appliances and much of the client side software used in Health systems today. 

One vulnerability. Over a billion potential instances and growing…fast.  “Gulp.”

Four full years after a fix was made available, Flexera still finds Heartbleed vulnerable versions of Open SSL in customer code every single day.

Ask yourself:

  • Could your development team or your suppliers be introducing security issues using poorly managed processes?
  • What would be the risk to your organization’s reputation or business impact if your product ships or you go into production with a security vulnerability?
  • Can you quickly find out if you use anything that’s vulnerable to a specific vulnerability and rapidly respond?

 

Leave a Reply

Your email address will not be published. Required fields are marked *