2023年7月9日发(作者：)

开源软件安全风险_3开源安全风险及其解决⽅法开源软件 安全风险Open source software is very popular and makes up a significant portion of business applications. According to , 99% ofcommercial databases contain at least one open source component, and nearly 75% of these codebases contain opensource security vulnerabilities.开源软件⾮常流⾏，并且构成业务应⽤程序的重要组成部分。 据 ，99％的商业数据库⾄少包含⼀个开源组件，⽽这些代码库中有将近75％包含开源安全漏洞。One of the major reasons why companies and developers choose to work with open source software is that it saves themfrom having to develop these base capabilities themselves.公司和开发⼈员选择使⽤开源软件的主要原因之⼀是，它使他们不必⾃⼰开发这些基本功能。Oh, and open source software is free!哦，开源软件是免费的！Despite its advantages, open source software tends to have vulnerabilities that might impact your data and organization. Inorder to give you an overview of how open source security risks can impact your business, we have listed the top threeopen source security risks and ways to address them.尽管开放源代码软件有其优点，但它往往具有可能影响您的数据和组织的漏洞。 为了概述开放源代码安全风险如何影响您的业务，我们列出了排名前三的开放源代码安全风险及其解决⽅法。Before we dive into the article, let’s take a look at what exactly open source vulnerabilities are.在深⼊研究本⽂之前，让我们看⼀下究竟什么是开源漏洞。什么是开源漏洞？ (What Are Open Source Vulnerabilities?)Open source vulnerabilities are basically security risks in open source software. These are weak or vulnerable code thatallows attackers to conduct malicious attacks or perform unintended actions that are not authorized.开源漏洞基本上是开源软件中的安全风险。 这些是脆弱或易受攻击的代码，它们使攻击者能够进⾏恶意攻击或执⾏未经授权的意外动作。In some cases, open source vulnerabilities can lead to cyberattacks like denial of service (DoS). It can also cause majorbreaches during which an attacker might get unauthorized access to sensitive information of an organization.在某些情况下，开源漏洞可能导致诸如拒绝服务(DoS)之类的⽹络攻击。 它还可能导致重⼤破坏，在此期间，攻击者可能会未经授权访问组织的敏感信息。There are a lot of security concerns when it comes to open source software. For instance, OpenSSL is an encryption libraryresponsible for managing highly sensitive data transmission functions by a wide variety of internet-connected softwareincluding the software that runs some of the most popular email, messaging, and web services.涉及开源软件时，存在很多安全问题。 例如，OpenSSL是⼀个加密库，负责通过各种与Internet连接的软件来管理⾼度敏感的数据传输功能，这些软件包括运⾏某些最受欢迎的电⼦邮件，消息传递和Web服务的软件。You remember “Heartbleed”? Yes, that caused quite a stir! Yes, that was a critical open source vulnerability in a SSHlibrary.您还记得“ Heartbleed”吗？ 是的，这引起了很⼤的轰动！ 是的，这是SSH库中的⼀个严重的开源漏洞。Similarly, another popular open source vulnerability was found in 2014 in Bash shell, the default command processor onmany Linux distributions. It had an arbitrary command execution vulnerability that could be exploited remotely via server-side CGI scripts on web servers, and other mechanisms. This open source vulnerability is popularly known as“Shellshock.”同样，2014年在Bash shell中发现了另⼀个流⾏的开源漏洞，Bash shell是许多Linux发⾏版中的默认命令处理器。 它具有任意命令执⾏漏洞，可以通过Web服务器上的服务器端CGI脚本和其他机制来远程利⽤该漏洞。 这个开源漏洞通常被称为“ Shellshock”。前三⼤开源安全风险是什么？ (What are the Top 3 Open Source Security Risks?)Now that you have a fair idea about what open source security risks are, let’s explore the top three open source securityrisks that exist today and how you can mitigate these risks.现在，您对什么是开源安全风险有了⼀个清晰的认识，让我们探索当今存在的三⼤开源安全风险以及如何减轻这些风险。软件安全风险 (Software Security Risks)Open source vulnerabilities, once discovered, can be a tempting target for attackers to exploit them.开源漏洞⼀旦被发现，可能成为攻击者利⽤它们的诱⼈⽬标。Typically, these open source vulnerabilities and the details about how to carry out the exploit are made publicly enables hackers to gain all the necessary information they need to carry out an attack. Combine this with thewidespread use of open source software, and you can imagine the havoc it creates when an open source vulnerability isfound.通常，这些开源漏洞以及有关如何利⽤此漏洞的详细信息是公开提供的。 这使⿊客能够获取进⾏攻击所需的所有必要信息。 将其与开源软件的⼴泛使⽤相结合，您可以想象发现开源漏洞时会造成的破坏。One of the major challenges organizations face while addressing open source vulnerabilities is that tracking them and theirfixes aren’t as easy as one might assume.组织在解决开源漏洞时⾯临的主要挑战之⼀是，跟踪它们及其修复程序并不像想象的那么容易。Since these open source vulnerabilities are published across a wide variety of platforms, it becomes difficult to track , locating the updated version, patch, or fix to address the security risk is a time-consuming and expensive process.由于这些开源漏洞是在各种各样的平台上发布的，因此很难跟踪它们。 另外，查找更新的版本，补丁或修补程序以解决安全风险是耗时且昂贵的过程。Once an open source vulnerability and its path of exploitation are published, it’s just a matter of time until attackers exploitthem and hack into your organization. It is imperative that businesses integrate necessary tools and processes to quicklyaddress open source vulnerabilities.⼀旦发布了开源漏洞及其利⽤途径，攻击者利⽤它们并⼊侵您的组织只是时间问题。 企业必须集成必要的⼯具和流程以快速解决开源漏洞。漏洞宣传 (Publicity of Exploits)Open source vulnerabilities are made publicly available on platforms like the , which is accessible by anyone.开源漏洞在诸如类的平台上公开可⽤，任何⼈都可以访问。A famous example of attacks due to publicly available open source vulnerabilities was the major in 2017 where the creditreporting company had leaked personal information of 143 million people. This attack took place because Equifax was usinga version of the open source Apache Struts framework that had high-risk vulnerabilities, and attackers used thatvulnerability to their advantage.由公开可⽤的开放源代码漏洞引起的攻击的⼀个著名⽰例是2017年的重⼤ ，其中信⽤报告公司泄露了1.43亿⼈的个⼈信息。 发⽣此攻击的原因是Equifax使⽤了具有⾼风险漏洞的开源Apache Struts框架版本，攻击者利⽤该漏洞来发挥⾃⼰的优势。Such attacks on open source software not only cause data leakage or loss but also impact a company’s market reputation,valuation, and customer relationships. This, in turn, can impact your customer churn rate, retention rate, sales, and g with the impact of a breach caused due to open source vulnerabilities can be a lengthy, and painful process.对开源软件的此类攻击不仅会导致数据泄漏或丢失，⽽且还会影响公司的市场声誉，估值和客户关系。 反过来，这可能会影响客户流失率，保留率，销售和收⼊。 处理由于开放源代码漏洞⽽造成的违规影响可能是⼀个漫长⽽痛苦的过程。许可合规风险 (Licensing Compliance Risks)Open source software comes with a license that allows the source code to be used, modified, or shared under definedguidelines. However, the problem with these licenses is that most of them don’t meet the stringent OSI and SPDXdefinitions of open source.开源软件随附许可证，该许可证允许在已定义的准则下使⽤，修改或共享源代码。 但是，这些许可证的问题在于，⼤多数许可证都不符合开源的严格OSI和SPDX定义。In addition to that, single proprietary applications often include several open source components, and these projects arereleased under various license types, such as GPL, Apache License, or MIT License.除此之外，单个专有应⽤程序通常包括⼏个开源组件，并且这些项⽬以各种许可证类型发布，例如GPL，Apache许可证或MIT许可证。Organizations are required to comply with each individual open source license, which can be quite overwhelming. Especiallywith the rapid development and release cycle businesses follow along with the fact that there are nearly 200+ open sourcelicense types that exist today.组织被要求遵守每个单独的开源许可证，这可能会让⼈不知所措。 尤其是随着快速的开发和发布周期，企业随之⽽来的事实是，当今存在近200多种开放源代码许可证类型。A of 1,253 applications found that about 67% of codebases had license conflicts and 33% of codebases had unlicensedsoftware. Non-compliance with licenses can put enterprises at the risk of legal action, impacting your operations, andfinancial security.对1,253个应⽤程序的发现，⼤约67％的代码库具有许可证冲突，⽽33％的代码库具有未经许可的软件。 不遵守许可证可能会使企业⾯临法律诉讼的风险，从⽽影响您的运营和财务安全。您如何克服这些开源安全风险？ (How Can You Beat These Open Source SecurityRisks?)Next, let’s take a closer look at the solutions to these open source security risks.接下来，让我们仔细研究这些开源安全风险的解决⽅案。建⽴安全第⼀⽂化 (Build a Security-First Culture)Too often, developers choose to work with open source components based on the functionality and programming languagethey need. While functionality is important, other criteria should also be included.开发⼈员经常根据他们需要的功能和编程语⾔选择使⽤开源组件。 虽然功能很重要，但还应包括其他条件。For instance, each individual component of a project may offer functionality, without the need to integrate the entire projectcodebase. This helps limit the number of open source software and helps simplify integration, remove security risks, andreduce source code complexity as well in non-required components.例如，项⽬的每个单独组件都可以提供功能，⽽⽆需集成整个项⽬代码库。 这有助于限制开源软件的数量，并有助于简化集成，消除安全风险并降低源代码的复杂性以及不需要的组件。Open source software is just as likely to have security risks as any other software, so it’s necessary that each componentyou choose to work with offers functionality and is secure.开源软件与其他任何软件⼀样，都具有安全风险，因此，您选择使⽤的每个组件都必须具有⼀定的功能并且安全。In addition to this, open source projects are usually focused on delivering new updates with new features for end users. Dueto time and budget constraints, enterprises pay less attention to security and are more inclined to release the update asquickly as possible.除此之外，开源项⽬通常专注于为最终⽤户提供具有新功能的新更新。 由于时间和预算的限制，企业很少关注安全性，⽽更倾向于尽快发布更新。However, companies should maintain a balance between the new releases while ensuring that the design, implementation,and code is secure.但是，公司应在新版本之间保持平衡，同时确保设计，实施和代码的安全。One of the most important things you can do is to inventory what open source software you use and track vulnerabilitiesthat are associated with these libraries.您可以做的最重要的事情之⼀是盘点您使⽤的开源软件，并跟踪与这些库相关的漏洞。拥抱⾃动化和扫描开源软件中的漏洞 (Embrace Automation and Scanning forVulnerabilities in Open Source Software)Finding and fixing vulnerabilities in open source software is a big challenge in itself. Companies need to find a way to detectall security vulnerabilities in the open source code in their environments, update the list regularly, drive developers awayfrom old, insecure software components, and finally deploy patches whenever security vulnerabilities are found.在开源软件中查找和修复漏洞本⾝就是⼀个巨⼤的挑战。 公司需要找到⼀种⽅法来检测其环境中开源代码中的所有安全漏洞，定期更新列表，使开发⼈员远离旧的，不安全的软件组件，并在发现安全漏洞时最终部署补丁。One way to help combat this is to incorporate automated tools that help you continuously track your open source usageand identify security weaknesses, vulnerabilities, fixes, and updates.解决此问题的⼀种⽅法是合并⾃动化⼯具，这些⼯具可以帮助您持续跟踪开源使⽤情况并确定安全漏洞，漏洞，修复和更新。Automation tools for open source software help identify which packages are being used in which projects, what securityvulnerabilities they contain, and how they can be fixed. These tools often come with alerting features as well. If avulnerability is discovered, notifications are sent to the concerned development and security team to alert them about thenewly found security risks.开源软件的⾃动化⼯具可帮助识别哪些包在哪些项⽬中使⽤，它们包含哪些安全漏洞以及如何修复它们。 这些⼯具通常还具有警报功能。如果发现漏洞，则会将通知发送到相关的开发和安全团队，以警告他们有关新发现的安全风险。Integrating automation to scan security vulnerabilities in open source software is especially important for largeorganizations, since it can be difficult to track and identify vulnerabilities in all of their source code that is in use.在⼤型组织中，集成⾃动化以扫描开源软件中的安全漏洞尤为重要，因为要跟踪和识别所有正在使⽤的源代码中的漏洞可能⾮常困难。Most enterprises are not even aware of their full inventory of applications they have, which makes them more vulnerable tocyberattacks due to unidentified vulnerabilities in the source code. A report says nearly have open source components withno development activity at all in the last two years.⼤多数企业甚⾄不知道⾃⼰拥有的应⽤程序的完整清单，由于源代码中未识别的漏洞，这使它们更容易受到⽹络攻击。 ⼀份报告说，近具有开源组件，在过去两年中完全没有开发活动。交叉训练您的员⼯ (Cross-Train Your Staff)It’s not always easy or even possible to hire professionals who are experts in both development and security. It is,however, possible to train your teams so that they can approach the issues from both ends. While it isn’t always easy tohold regular cybersecurity awareness training for different teams, it’s critical for the overall security of your projects.聘请在开发和安全⽅⾯都是专家的专业⼈员并⾮总是容易的，甚⾄不可能。 但是，可以对您的团队进⾏培训，以便他们可以从两端解决问题。 为不同的团队定期进⾏⽹络安全意识培训并不总是那么容易，但这对项⽬的整体安全⾄关重要。Enterprises should ensure that their developers have a general understanding of cybersecurity, as well as the latest trendsand updates. Your developers should be able to identify common security issues that arise in open source code, if not fixthem.企业应确保其开发⼈员对⽹络安全以及最新趋势和更新有⼀般的了解。 您的开发⼈员应该能够识别出开放源代码中出现的常见安全问题，如果不能解决的话。Similarly, the security team should be involved in the development process from the early stages. Rather than makingsecurity an after-thought, it should be a priority from the very beginning of a project.同样，安全团队应从早期阶段就参与开发过程。 从⼀开始就应该将安全放在⾸位，⽽不是将安全放在⾸位。Just as you analyze and track your development process, you should proactively monitor your security efforts as a proactive approach can go a long way in being prepared to handle open source security risks.正如您分析和跟踪开发过程⼀样，您也应该主动监视安全性⼯作。 采取积极措施可以为应对开源安全风险做好准备。最后的想法 (Final Thoughts)Open source is an excellent model that can be found in many of today’s projects. However, to ensure secure open sourcecode, you need to acknowledge the security risks that come with open source software. You have to make sure that each ofyour open source components is delivering value to the project and are secure.开源是⼀个很好的模型，可以在当今的许多项⽬中找到。 但是，为了确保安全的开源代码，您需要确认开源软件附带的安全风险。 您必须确保每个开源组件都在为项⽬交付价值并且是安全的。Cypress Data Defense helps companies run security audits and strengthen the overall security of their projects byrecommending the best security practices.赛普拉斯数据防御(Cypress Data Defense)通过推荐最佳安全实践，帮助公司进⾏安全审核并增强项⽬的整体安全性。We help enterprises create a roadmap for releasing secure updates and provide open source support, scanning, monitoring,and provide solutions to safely and effectively leverage open source software. With Cypress Data Defense, organizationscan gain necessary control over their open source components to mitigate open source security risks while increasing theircost savings.我们帮助企业创建发布安全更新的路线图，并提供开源⽀持，扫描，监视，并提供解决⽅案以安全有效地利⽤开源软件。

借助赛普拉斯数据防御，企业可以对其开源组件进⾏必要的控制，以减轻开源安全风险，同时增加成本节省。关于作者： (About Author:)Steve Kosten is a Principal Security Consultant at and an instructor for the SANS DEV541 Secure Coding in Java/JEE:Developing Defensible Applications Kosten是的⾸席安全顾问，并且是Java / JEE：开发防御性应⽤程序课程中SANS DEV541安全编码的讲师。开源软件 安全风险