By Chris David
All software and web developers use open source components. Reusable components make our lives so much easier after all. We can develop faster, cheaper and more securely. Using open source components allows us to meet demanding budgets and deadlines. However, one of the most common website problems is using components with known vulnerabilities.
Through 2020, using website components with known vulnerabilities was the top cause of security breaches. Almost 25 percent of known security breaches resulted from components with known vulnerabilities. And of these components, 99% were known to be vulnerable for a least a year!
But first, what is a reusable component, and how can it lead to website vulnerabilities?
The magic of reusable components
Modern-day programmers have life so easy. Just open your development program of choice, and you have a world of pre-built controls, popups, buttons, graphics and widgets at your disposal. Simply connect to a package repository, and you have entire applications, databases and environments ready to use.
This is the magic of reusable components.
In the world of computers, we are standing on the shoulders of giants. Others have done the heavy lifting and the hard work. We don’t have to worry about putting pixels on the screen correctly in order to make a window or a button. We just use the components (also known as libraries or packages) of our choosing.
This lets us develop software much faster and cheaper than before.
Faster and cheaper
By standing on the shoulders of giants, by using pre-built components as a starting point for our software, software developers can reach their goals much faster. We can ship applications, packed with functionality, to market faster and cheaper than ever before.
Software developers and web developers can finish our projects and deliver applications much faster and cheaper than ever before, because we don’t have to continually reinvent the wheel.
Don’t reinvent the wheel
Start developing straight away with work done by others. When software developers write new functionality, they often put their code onto package repositories. Many choose to do this out of the goodness of their own hearts, altruism or a desire for recognition.
No matter their motivations, when we start developing our own software, we can use the freely available components as a starting point in our application.
When freely available without copyright or licensing requirements, we call this reusable functionality “open source code”. Open source code components have become the basis for much of the internet and modern software.
Nearly all software contains reusable components
Virtually all software, websites and applications now contain freely available components and open source code. Most developers (and companies) face limited budgets and limited time. Reaching their deadlines would be impossible without relying on open source.
Focus on security
Are you an expert in cryptography? Are you an expert in computer graphics? What about networking protocols? The open source implementations of complex computing problems will be much more secure than anything most developers could hope to match.
Dozens of developers contribute to open source projects. And teams of developers continually audit and improve the code.
You know what they say about the wisdom of the crowd.
These “crowds of developers” are the software giants of the modern world. And these giants of software build the framework on which we stand.
But sometimes the giants stumble…
Mistakes slip through the cracks
Many times, bugs slip through the cracks. Either by chance, or on purpose, bugs sneak past the teams of open source developers and make it to release.
Hackers make a business of finding these bugs and turning them into crashes. And crashes quickly turn into hacks and vulnerabilities.
Perhaps the most egregious example of a popular software package falling prey to mismanaged bugs was OpenSSL. This software underlies the secure communications of most web and application servers across the internet. But in 2014, OpenSSL was found to contain a critical problem with input validation.
Hackers found this bug and forced vulnerabilities in OpenSSL-based servers.
Before the bug was fixed, hackers stole social security numbers, health data, personal data and financial information.
How to protect your website (and your business)
Streamline all components, plugins and scripts on your site
Ask yourself, what functionality do you need on your site? What is unnecessary?
The best case scenario is that unnecessary components are merely slowing down your site. Click here to learn how to speed up your website. In the worst case, unnecessary components will open vulnerabilities in your website.
Remove unnecessary or unused components from your site, as they might open you to vulnerabilities in the future.
Update plugins, resources, components and scripts
Of the plugins and components you elect to keep, make sure they are updated to the latest versions. Set your site to auto-update, if available. Continually audit and review the plugins, scripts and resources on your site.
Use a vulnerability scanner
Try a website vulnerability scanner like Invicti, Netsparker or Nikto. These programs will deep scan your site for any components with known vulnerabilities, making sure that none slip through the cracks.
Update your server (or make sure your team does)
If your operating system isn’t secure, then there’s little chance your website will be secure. Whatever your chosen server operating system (Linux or Windows), make sure it’s up to date.
Sure, installing patches can be a hassle. But this is a necessary step to securing your online business.
Also make sure any components in the web pipeline are kept secure and up to date, including your database and web server (Apache, IIS?).
Stay up to date on security news
Reusable components are everywhere. Open source, reusable components are part of the modern web development and software development world. In fact, our jobs as developers might be impossible without them. Open source components make our lives easier and our applications more secure.
But if you don’t watch out and keep up to date, your website could be vulnerable by way of using components with known vulnerabilities.
Review everything on your site. Streamline your resources, scripts and plugins. Dump what you don’t need. Make sure all remaining components are up to date. Don’t neglect your web server and application pipeline. Scan your site and stay updated on the latest cybersecurity news.