The recently uncovered security vulnerability CVE-2015-0204, dubbed Factoring RSA Export Keys (FREAK), has left thousands of websites, OpenSSL, as well as Apple and Android products vulnerable for over a decade.
It started way back in the 90s when the NSA wanted to be able to read secured traffic from foreign sources. This prompted the US government to mandate that software companies use a weaker 40-bit “export grade” encryption on software shipped internationally while reserving stronger 128-bit encryption for domestic use. By the end of that decade the practice was abandoned, but it turns out that the weaker encryption code is still in use today.
Researchers from the group State Machine Attacks (SMACK) discovered that many web servers and browsers still support the old export grade encryption. Vulnerable systems can be exploited using man-in-the-middle attacks in which hackers force sites into using the easily-cracked encryption code, allowing them to steal sensitive information and hijack web page elements. Some of the more prominent websites that are vulnerable to attack include the NSA’s own site along with other government sites such as whitehouse.gov and FBI.gov. Apple’s Safari browser and the default browser included with Android phones are also at risk.
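A passive check a defender can run over captured handshakes, added here as an example (it is not code from the post or from the SMACK researchers): it parses a TLS ServerHello record, flags the RSA_EXPORT cipher suites FREAK relies on, and treats a suite the client never offered as a downgrade. The ServerHello bytes are constructed inline rather than captured.

```python
"""Flag FREAK-style negotiations in TLS ServerHello records.
Added example; the handshake bytes below are constructed by hand."""
import struct

# IANA cipher suite codes for the 40-bit RSA export suites FREAK relies on.
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}


def parse_server_hello(record: bytes) -> dict:
    """Extract version, session id length and cipher suite from a TLS record
    carrying a ServerHello. Raises ValueError on anything malformed."""
    if len(record) < 5 or record[0] != 0x16:      # content type 22 = handshake
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")
    if body[0] != 0x02:                            # handshake type 2 = ServerHello
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) != hs_len or len(hs) < 35:          # version(2) + random(32) + sid_len(1)
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", hs[0:2])[0]
    sid_len = hs[34]
    off = 35 + sid_len                             # cipher suite follows the session id
    if len(hs) < off + 3:
        raise ValueError("truncated ServerHello")
    cipher = struct.unpack("!H", hs[off:off + 2])[0]
    return {"version": version, "session_id_len": sid_len, "cipher_suite": cipher}


def export_suite_name(record: bytes):
    """Name of the negotiated RSA_EXPORT suite, or None if the suite is not one."""
    return RSA_EXPORT_SUITES.get(parse_server_hello(record)["cipher_suite"])


def assess(offered: list, record: bytes) -> str:
    """Classify a negotiation given the suites the client offered:
    'ok', 'export' (client offered and server chose a 40-bit RSA suite), or
    'downgrade' (server chose a suite the client never offered, the shape a
    FREAK man-in-the-middle produces)."""
    suite = parse_server_hello(record)["cipher_suite"]
    if suite not in offered:
        return "downgrade"
    return "export" if suite in RSA_EXPORT_SUITES else "ok"


def build_server_hello(cipher_suite: int, version: int = 0x0303) -> bytes:
    """Construct a minimal TLS 1.2 ServerHello record (empty session id,
    no extensions) so the parser can be exercised offline."""
    hs = (struct.pack("!H", version) + bytes(32) + b"\x00"
          + struct.pack("!H", cipher_suite) + b"\x00")
    body = b"\x02" + len(hs).to_bytes(3, "big") + hs
    return b"\x16\x03\x03" + struct.pack("!H", len(body)) + body


if __name__ == "__main__":
    modern = [0xC02F, 0x002F]                      # client offered no export suites
    print(assess(modern, build_server_hello(0x0003)))   # downgrade
    print(export_suite_name(build_server_hello(0x0003)))  # TLS_RSA_EXPORT_WITH_RC4_40_MD5
```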
The FREAK vulnerability, which was referred to as a “Zombie from the 90s” by University of Pennsylvania cryptographer Nadia Heninger, is a glaring example of how software development organizations can quickly lose track of what is in their code. With the complexity of software growing every day, it is no wonder that organizations did not realize their products still supported the old export grade code.
To minimize the impact of vulnerabilities like FREAK, organizations can implement processes to track all third-party and open source code used in their software portfolios. Products that scan, catalogue and identify software components not only help in open source compliance, they can also report on open source security vulnerabilities. A proactive approach to open source management enables organizations to minimize any potential fallout from these vulnerabilities.
Open source software is more than just a trend; it’s a practice among developers that is here for the long haul. Perhaps, as a business leader, you know the basics of open source. You may even be familiar with open source software license management if your IT team has ever looked into adopting new software. The question at hand, therefore, is how can open source code transform your business?
Here are a few ways that organizations around the world are leveraging the potential of open source:
- Tuleap Open ALM: This open source technology not only fosters collaboration but also manages the lifecycle of all projects. Large enterprises, small businesses, and open source developers use this project management interface for planning and maintenance.
- OrangeScrum: Great for small and midsize businesses due to its clarity and efficiency. This software aids in project management by providing a summary, aggregating information into visual reports, and even indicating to the user areas that could use improvement.
- Spideroak: The cloud can sometimes get a bad rap due to security fumbles. Businesses that use cloud storage, however, can turn to open source security solutions such as Spideroak to ease the worry. This is “zero knowledge” software, meaning files stored in the cloud are protected by an encryption key that only the user holds.
- KeePass: This password safe might sound simpler than the security software above. However, password security is crucial to business protection; it’s easier than you think to fall victim to hackers due to poor password protection. KeePass is a digital, encrypted safe for password storage.
Your competition is enjoying the immense benefits provided by open source planning and security advancements. Don’t let another minute pass you by, learn even more about open source adoption here.
An open source project is getting significant investment from a major American corporation.
Believe it or not Walmart, the mega retailer, has spent more than $2 million on the Hapi project, which is a “rich framework for building applications and services” that “enables developers to focus on writing reusable application logic instead of spending time building infrastructure” according to its website.
In a blog post, Senior Developer at Walmart Labs Eran Hammer explained the company’s decision to pursue open source. Every decision the company makes is done after performing a cost-benefit analysis, and it appears as though the mega retailer expects to see a return on its investment.
Here’s how: Because Hapi is open source, any company is free to use the code, primarily developed by Walmart’s programmers, for its specific purposes. As other companies use the code, their developers are likely to customize the code further to better suit their specific needs. Because those developers strive to improve the code when they go about changing it, they are likely to request that their additions be included in the project trunk.
In other words, Walmart is developing Hapi in hopes that external companies will adopt the framework. In turn, those companies will improve the code even more, and Walmart will benefit as a result.
“For example, every five startups using Hapi translated to the value of one full-time developer, while every 10 large companies translated to one full-time senior developer,” Hammer writes.
Essentially, by investing in Hapi, Walmart aims to benefit from high-quality improvements in code while not having to spend money associated with recruiting, hiring and training new internal staff. By paying a few coders to work on Hapi, the company is essentially getting the work of three individuals instead, for example.
Many businesses are attracted to open source technology because of its generally non-existent price tag. But businesses that see beyond that benefit are sure to see a better return on their investments, as Walmart has demonstrated.
There is something to be said for products that are born out of collaboration between developers. Take the newly introduced Origibot, for example, which when paired with users’ Android tablets incorporates the open source WebRTC software for minimalistic, real-time functionality. As Origibot shows, open source coding opens the door to the futuristic innovations only yet conceived of in eager programmers’ minds.
Why, then, would any developer choose to shy away from open source software? From the developer’s standpoint, he or she could be satisfied with the product and see no need for further innovation from outside minds. After all, there is much to consider in terms of open source license compliance. Handing off your original concept to the public for modification can be reason enough for skepticism. But, with that said, let’s look further into why software developers may want to expand their horizons and unlock the door to open sourcing.
Take Advantage of the Community: The open source community is an outstanding model of thriving collaboration. Organizations such as OSI (Open Source Initiative), for example, provide a home for developers and other interested members of the public. They offer a similar function as a town hall for the open source society. Here, developers can meet, ideate and raise awareness for the cause of open source coding. Complete with a board of directors, this non-profit organization is on a steady path towards further development.
It’s More than a Trend: Those who remain unconvinced of the beneficial possibilities presented by open sourcing should take into consideration its increasing popularity. Plenty of big name technology enterprises are choosing to open source their latest software, with the realization that this new method of code sharing is the way of the future. Take HP, for instance: it has recently gone open source with its newest predictive analytics software.
Here are a few things to consider when making your project open source.
Facebook is among the most recognizable and advanced social media enterprises today. A major part of its success story is its professed love for open source software, which the company uses as means of augmenting innovation across multiple projects. In fact, open source is a key resource among Facebook’s web developers due to its flexibility in providing immediate security patches and collaboration across platforms.
Facebook’s open source projects integrate a slew of purposes from security to big data management.
Let’s dive into a few:
Osquery: The social platform uses this source code to combat software hacks. Check out this recent post from Wired that discusses how large operations like Facebook require more than just run-of-the-mill security software. For this reason, Facebook implements open source code innovations of its own in order to leverage appropriate security solutions. The organization also aims to help others improve the security of their software as well by open sourcing Osquery.
Conceal: This project will help developers create more secure apps for the Android phone. While encryption provides a solution to the secrecy of data, Conceal aims to take security a step further by using the HMAC algorithm, explained Subodh Iyengar, a software engineer at Facebook. This open source code will boost caching and storage for mobile apps.
Presto: This open source technology is meant to augment big data analytics. It’s been adopted by other Internet name brands, such as Netflix and Dropbox, further indicating Facebook’s dedication to the development of companies besides their own. Presto provides speed and scale over an SQL query engine which matches the data sorting needs required by large organizations. This tool will help manage the wealth of data that is received by such large scale corporations in order to analyze their respective user interactions.
Facebook’s innovations have provided solutions for not only themselves, but an abundance of other organizations. To that end, their open source software is available for public use; however, always refer back to these important tips.
With many organizations incorporating open source code into their software, business managers should have a basic understanding of what open source is all about. After all, Gartner and Accenture report open source adoption rates nearing 100% so it’s likely that your development team is already incorporating open source code into their projects.
So, what is open source? When a developer chooses to make his or her project open source, it gives third party developers the right to tinker and innovate with it. Check out this comprehensive video for an in depth explanation.
Developers incorporate open source into their projects to accelerate development time, thus reducing costs for the organization overall. Most of the time, the code is open to the public; but it is imperative that collaborators refer to a set of chief regulations and terms involved in open source software license management and dispersal.
Here is a brief rundown of some basic terminology:
- The License: As aforementioned, open source code is free for the public to use and change however seen fit, but it must adhere to the original set of rules, or license, of which it was initially founded. In other words, the license of the original code sets the ground rules for future changes.
- Branch v. Fork: Anyone may add his or her own features to the original code and in doing so, request the maintainer (the original code creator) to integrate said changes. The maintainer can either accept or deny these changes resulting in a branch or a fork.
- Upstreaming: If the maintainer consents to the branch, the creator of the change (or the patch) is then dubbed a contributor. In this scenario, the maintainer is then responsible for updating the original code with the patch. Upstreaming is important in open source coding because it allows the community to test the new code in a multitude of configurations.
- Collaboration: This term is not necessarily part of open source code jargon; it is more a central aspect in development. By adhering to terms delegated in the license, members of the community can then patch the code or create a fork. Either way, it is up to the maintainer to decide when to upstream or let a developer stray away from the code’s origin.
There you have it, open source boiled down. Still unsure of how this applies to your business? Take some time to learn more about open source software license management.
In the past, Microsoft’s Internet Explorer was the go-to Web browser for Internet users. But end-user confidence in Internet Explorer appears to be waning.
Last summer, Google Chrome passed Internet Explorer in combined U.S. desktop and mobile Internet market share for the first time. Chrome now holds 31.8 percent of total market share compared to Internet Explorer’s 30.9 percent share. Furthermore, Chrome has been growing at a rate of 6 percent year over year from 2008, while Explorer has been decreasing at a rate of 6 percent during the same time frame.
Mozilla’s Firefox and Apple’s Safari are two other major Web browsers that are now vying for attention in the competitive Internet marketplace that used to be dominated solely by Microsoft’s Explorer. Mozilla currently commands about 12.5 percent of market share, while Safari holds 10.3 percent.
What’s caused Internet Explorer’s dominant reign to end? It could be attributed to a lack of innovation by third-party developers. Internet Explorer remains the only major Web browser on the market that is closed source end-to-end. As a result, third-party developers are unable to alter it to ensure consistency over different platforms, enhance security and experiment with innovative new features. Chrome, Firefox and Safari all give developers the ability to experiment with new software patches that have the ability to be released as official product updates.
Microsoft is therefore at a crossroads; the company can either continue to keep its Internet Explorer source code private, or it can consider embracing the idea of open source to remain competitive.
Which path will Microsoft head down? It remains to be seen. The company, however, is currently using open source code in other projects. Last year, for instance, Microsoft allowed the use of open source coding in its .NET framework. Microsoft also made headlines recently for making its cutting-edge WorldWide Telescope project open source for astronomers. If these projects do well, they could pave the way for a possible open source migration for the beleaguered Internet Explorer browser.
You’ve found an amazing open source project that you think will enhance your proprietary software. But before you and your team of developers can get to work incorporating someone else’s code into your own product, there are some basic steps that you need to take.
Make sure to look into these preliminary factors:
- Licensing: First, you need to make sure that you have permission to innovate using someone else’s source code. Just because a software code is open source does not necessarily mean it’s meant for profit. Some code is made to be open source primarily for educational purposes or for security reasons. You could be in danger of committing copyright infringement if you don’t play within the rules. Consider, for instance, Free Software Foundation (FSF), Inc. vs. Cisco Systems, Inc., where Cisco was accused of selling products under its Linksys brand name that contained copyrighted software code from FSF. Ultimately an agreement was reached that settled the case, but the problem could have been avoided had Cisco performed its due diligence before using the company’s software without permission.
- Security: Another critical aspect to pay attention to is security. There’s no guarantee that the open source code you choose to combine with your software will be bug-free. Adding someone else’s code to your software could expose your company to additional and unforeseen security risks. Make sure you innovate using the latest software code, and thoroughly vet it for vulnerabilities that could ultimately compromise your own product.
Luckily these concerns can be mitigated by implementing a process for managing the adoption of open source software. At its most basic level an open source adoption process consists of three steps:
- The first step is establishing an open source policy that dictates which open source licenses are acceptable and how open source can be used within the organization.
- The next step is implementing a workflow for pre-approving open source packages before they are brought into the development environment. At this stage developers can submit an open source package for approval. If the package does not violate the open source policy, or have any known security vulnerabilities associated with it, then developers are free to incorporate it into their projects.
- Finally, code should be audited regularly to monitor potential violations of the open source policy, as well as any security vulnerabilities.
Taking a proactive approach to open source management enables organizations to realize the benefits of open source software, while avoiding any last minute licensing or security issues that could halt a product release.
There’s no getting around it: 2014 was a tough year for open source software as two major vulnerabilities—Heartbleed and Shellshock bugs—received major mainstream media attention.
In case you’re unfamiliar with the Heartbleed incident, here’s what happened: A developer submitted a patch, or new software version, to a code reviewer at OpenSSL; it was an updated version of OpenSSL’s ubiquitous encryption software. The code, however, contained a critical security error that went unnoticed by the reviewer. The new software was officially released, and the problem was not discovered until March 2014 (about two years later). Ultimately, the error affected almost everyone who used the Internet during that time period, as about 17 percent of the world’s secure websites, or half a million in total, were considered to be vulnerable at the time when Heartbleed was discovered.
Negative attention from the Heartbleed bug was compounded by the discovery of the equally infamous Shellshock bug, which had existed in the open source Bash software since 1989.
“Two brutal black eyes in such a short span made 2014 a very bad year for open source security,” explains InfoWorld Editor-in-Chief Eric Knorr in a recent article. “Yet at the same time, open source emerged in 2014 more clearly than ever as the engine of innovation for software. Could the need for software security be any greater?”
To answer Knorr’s question, it could not. According to Kaspersky Labs, for instance, the protection of confidential data against leakages is now the top priority for most of the companies polled in its 2014 Security Risks Survey.
Proof of positive public opinion toward open source software can be seen in the response to the security incident at OpenSSL. Following the discovery of the bug, Linux Foundation executive director Jim Zemlin formed the Core Infrastructure Initiative—which employs the likes of Amazon Web Services, Cisco, Dell, Facebook, Google and more—to continuously perform security audits for OpenSSL. Each company will contribute $100,000 for the next three years and will continue to monitor the open source software, searching for vulnerabilities so that this type of problem does not happen again.
As these companies prove by their steadfast commitment to open source, and despite the recently discovered Linux Ghost vulnerability, faith is still strong amongst leading U.S. technology companies that open source software is the best solution for keeping software safe.
A ghost has been discovered hiding in the Linux GNU C Library (glibc).
Software vulnerability CVE-2015-0235, nicknamed “Ghost,” allows third-party hackers to remotely hijack Linux systems while bypassing basic security credentials like system identification numbers and passwords.
How is Ghost deployed? As ZDNet Editor Stephen J. Vaughan-Nichols explains, all a hacker has to do is target glibc’s gethostbyname functions, which are used on just about every networked Linux computer. An attack can be performed by feeding an invalid hostname to an application that performs Domain Name System (DNS) lookups. This in turn creates a buffer overflow, which could give a hacker the necessary foothold for worming deeper into the software and potentially commandeering the computer.
The Ghost vulnerability primarily affects older Linux versions, although not all new ones are impervious to exploitation. It is a high-risk system bug that poses a legitimate risk to end users. Linux users operating glibc-2.2-based systems are now being urged to perform immediate system patches.
Being that Linux is one of the most widely used examples of open source software on the market today, this new flaw will naturally draw criticism to open source software from skeptics who believe that it is inherently susceptible to attack. The same problem happened last year following the infamous Heartbleed bug in OpenSSL.
It’s important to realize, however, that the Ghost vulnerability—as with Heartbleed—could just as easily have occurred in a company that uses proprietary software. In fact, one could argue that by using open source software, developers can discover the security weaknesses faster and devise patches quicker and more efficiently than they could with closed code.
If your organization leverages open source code, there are solutions available that will allow you to perform rapid security vulnerability checks so that you can identify known vulnerabilities and resolve them before they become a problem.