Out-Law News 3 min. read

Oversight of use of open source code crucial as GDPR approaches, says industry expert


Organisations should take steps to improve their oversight of the use of open source code in software deployed within their business before new EU data protection laws begin to apply, an industry expert has said.

Mike Pittenger, vice president of security strategy at Black Duck Software, told Out-Law.com that many businesses either remain unaware that they are running popular open source components within their software at all or that security vulnerabilities exist in the versions of that software they are operating. This is despite the profile of open source software security risk being raised by media coverage in recent times, he said.

Failing to manage the security risk properly could lead businesses to being issued with heavy fines under the General Data Protection Regulation (GDPR), which will apply from 25 May 2018, Pittenger said, should security vulnerabilities be exploited by hackers to compromise personal data.

Businesses face fines of up to 4% of their annual global turnover, or €20 million, whichever is the greatest, under the new Regulation.

"The financial penalties are large enough to get everyone's attention, under GDPR," Pittenger said.

He said the GDPR, like the PCI industry standards that apply to credit cards, and US regulations that apply in the health and nuclear energy sector, are alike in that they all require organisations to be aware of IT security vulnerabilities and make a plan for addressing them,

Businesses may have traditionally thought of those requirements as entailing a duty to update software when vendors make them aware that a security vulnerability exists and that a patch is available, Pittinger said. However, he said the increasing adoption of open source code within applications developed by businesses has made it more difficult to stay up-to-date with emerging security risks.

Pittinger said this is because there is no system within the open source community to alert businesses when vulnerabilities are identified in the versions of software they are running. Instead, it is up to businesses to proactively monitor for vulnerability updates and apply any patches released, he said.

"A lot of software organisations build and consume flies under the radar for that because you are not getting patch information or are aware of vulnerabilities in the first place," Pittinger said. "Not getting alerts from the open source community does not exempt you from complying with the GDPR standards."

Earlier this year, Black Duck published a report which outlined the security risks it had identified in software components it had audited.

According to the report, the average commercial software application has 147 unique open source components in it. Black Duck said each application contains, on average, 27 vulnerable open source components and the average age of each publicly known vulnerability it identified was over four years.

Earlier this month, the UK's Information Commissioner's Office (ICO) imposed a £100,000 fine on Gloucester City Council over its failure to fix a weakness in the security of its website, which related to its use of open source software.

According to the ICO, Gloucester City Council failed to ensure software it was using was updated to fix a vulnerability in coding known as the 'Heartbleed' bug, which was identified in April 2014 as existing in some versions of encryption software developed by via the open source 'OpenSSL Project'.

Although IT staff at the council flagged the need to update the software, a patch issued for the software was never applied, the ICO said. The patching was "overlooked" at a time when the council was outsourcing its IT to a third party supplier, it said. The vulnerability was exploited by a hacker who was able to access sensitive personal data relating to between 30 and 40 current and former employees of the council.

Pittinger told Out-Law.com that despite widespread publicity about the Heartbleed bug, and availability of a patch to fix the vulnerability, Black Duck had identified it in almost 2% of the code bases it had looked at last year.

The Heartbleed bug was the first time a security vulnerability with a popular open source component was widely publicised, Pittinger said. Since then, however, a further 89 additional vulnerabilities have been identified in OpenSSL, he said.

Use of open source is gaining popularity due to the improved functionality, lower development costs and accelerated time to market that it provides businesses, Pittinger said. However, he said that it is almost impossible for businesses to manually monitor for updates on vulnerabilities spotted within open source code, as about 3,000 new vulnerabilities are identified each year, especially where they are running hundreds or thousands of applications in their organisations.

Pittinger said businesses should consider automating the monitoring process and advised them to apply some due diligence to ensure security risks are properly managed.

"We would recommend going to talk to the head of software development or head of information security and ask them to produce a list of open source components they are using," Pittinger said. "I would also ask them how they compiled that list and how they ensure that nothing slips through."

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.