Better open source hygiene would have spooked GHOST

Software security should be pre-emptive instead of reactive

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.

If you're scrambling this week to install patches after the discovery of the GHOST vulnerability affecting Linux systems, you're not alone. The fact that we've been down this road before doesn't make it any less frustrating. It wasn't that long ago that the news broke about Shellshock. And not long before that, Heartbleed.

Being in reactive mode because of serious emerging software security threats might seem like the new normal but you don't have to accept that. You can do more than just react. What if your organization could make software security pre-emptive, heading off many vulnerabilities before any damage is done?

By focusing on what I like to call "open source hygiene," you can do just that more on this shortly. But first, let's examine why GHOST is making software security experts so nervous.

GHOST in the Linux machine

The GHOST vulnerability in the Linux GNU C Library (glibc 2.2) is a gaping one. Version 2.2 is native to a range of standard Linux distributions, especially ones built on Debian Wheezy, but also on Red Hat platform versions. This system population includes a wide variety of embedded systems along with servers and desktops.

The affected API, "gethostbyname()," is an integral part of the POSIX standard, which is the definition of UNIX-type systems, including Linux. This API is part of the core functionality of Linux. The glibc library is the primary library used by all types of programs running on Linux to interact with the kernel and to perform core input/output operations. Put another way, everything runs through glibc it's like Grand Central Station.

Perhaps most worrisome is the fact that the exploit can be triggered remotely through benign actions such as processing email. And unlike bash, which was central to the Shellshock threat, glibc is a reasonably well-curated library. So the issue with GHOST is not that there haven't been enough eyes on the code. In fact, it's constantly being updated and tested. Rather, the issue is that not all of those eyes are sufficiently security-savvy.

Taking charge of open source security

Even with many eyes on the code, software vulnerabilities like GHOST and its predecessors are inevitable. IT organizations are stretched thin, trying to do more with less and deliver innovative applications faster than ever. Choosing open source components as part of the development process helps them achieve these goals. What's more, participating in and contributing to open source communities is a critical part of how forward-thinking IT organizations innovate.

So how can software development organizations balance open source software security concerns with the drive to keep innovating at an ever-faster pace?

The answer lies in open source hygiene. By implementing automated solutions for managing open source code throughout the development process and across the supply chain, organizations gain a critical advantage in heading off security threats. This means code is automatically vetted against vulnerability databases such as the OSVDB and NVDB, assuring that only the most up-to-date versions of those components are chosen.

In the case of GHOST, this approach would have yielded one of several outcomes:

-       Earlier flagging of glibc version 2.2 or earlier, with a call to upgrade development and deployed versions to version 2.3.

-       Current flagging of the library, based on OSVDB/NVDB bulletins, to check for deprecated versions to and confirm that the correct patches had been applied to version 2.3.

In other words, you won't have to waste time searching for open source components in your code base you'll know exactly where they are and how they're being used. This gives you an actionable roadmap to quick remediation.

With open source hygiene, your organization can sort through and deal with the ongoing security threats, because unsafe open source code is highlighted, and remediation paths identified, at the beginning of the development process rather than when the process is already underway.

The smartest software development organizations today are integrating open source hygiene into their software development lifecycle so security is no longer about remediation, but about being pre-emptive and proactive. With this approach, the software lifecycle becomes much more manageable.

Join the CSO newsletter!

Error: Please check your email address.

Tags gnuShellsecuritysoftwareoperating systemsdebian

More about DebianLinuxRed Hat

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by By Bill Weinberg, Senior Director, Open Source Strategy, Black Duck Software

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts