Open source is ubiquitous - more than 90 percent of the software written these days integrates open source code. Such code is used in IoT firmware, operating systems, network platforms and applications. This trend will only continue to grow because, by leveraging open source, developers can lower assembly costs and quickly add innovations, thereby saving months or years of originally required development time. Because of its transparency, open source code also tends be better engineered than a comparable piece of proprietary code. And thanks to its superior quality and flexibility, open source code is used more widely than its "closed code" counterpart. This means that a security vulnerability in a piece of open-source code is likely to be found across a multitude of applications and platforms. Consequently, open source vulnerabilities become an easy and efficient target for hackers.
Most of the custom software in today’s enterprise is sourced externally or contains code from third-party vendors that is built using open source code components. By sourcing third-party code instead of developing software on their own, enterprises lower their overall development costs and quickly add innovative capabilities to remain competitive. Interestingly, this code is almost always delivered in binary format. Though this delivery protects the third-party development teams’ intellectual property, it makes it almost impossible to accurately account for all of the open source components that reside in the all of the binaries provided. This problem is compounded when an enterprise platform is updated by different software vendors, over extended periods of time, and integrated with off-the-shelf applications.
Despite its already staggering adoption rate, more open source code is being developed and shared than ever before. The Linux Foundation estimates that more than 31 billion lines of code have been committed to open source repositories. But accompanying this increase in the number of developed and shared lines of code is the increase in the number of reported vulnerabilities.
The general public saw a large-scale example of this problem in the 2017 Equifax security breach. Hackers exploited a vulnerability in the Apache Struts component, using it to expose the private information of over 148 million users. Despite having more than two months to execute preventative measures, Equifax failed to address the issue. The data breach was a vivid reminder that OSS-related security vulnerabilities are a common target for hackers to attack and also demonstrated the difficulty enterprises face in monitoring and mitigating these types of risk.
Insignary Clarity enables proactive scanning of embedded firmware or binaries for known, preventative security vulnerabilities, and also identifies potential license compliance issues. Leveraging unique fingerprinting technology, which works on the binary without the source code or reverse engineering, Clarity can help companies take proper, preventative action.