Oligo Helps Fight Open-Source Application Vulnerabilities


The good news about applications based on open-source software is that there’s a nearly endless selection of code libraries that can be used to build a nearly unlimited range of applications. Access to this open-source material can speed development, lighten the load on staff and provide a way for coders to build applications quickly and efficiently.

The problem with this open-source material is that in many cases the resulting application includes a collection of open-source libraries, the details of which aren’t always well known. Worse, those libraries may contain security vulnerabilities that are only apparent during runtime, when the code is actually put to use.

Adding to the complexity of managing these runtime vulnerabilities, security scanners can find many of them, but scanning is static: the code isn't executing when it is scanned, so the scanner can't tell which of its findings will actually become relevant at runtime.

“About 85% are just not relevant, and only 15% are actually relevant in runtime,” said Nadav Czerninski, CEO of Oligo Security. This means that developers can end up focusing on fixing security issues that aren’t actually going to be part of the code that’s executed, and miss issues that are important.

Library Level Analysis

Oligo Security fixes the problem by performing library level analysis and monitoring that identifies vulnerabilities during runtime. “We identify which libraries are actually loaded and running,” Czerninski explained, “we create a profile of behavior, how each library behaves on runtime. And then we can actually enforce this behavior either in a detect mode, in which you alert whenever there is a deviation, or also in a prevent mode, in which we actually block these deviations.”

Czerninski said that Oligo can report on what vulnerabilities are in the code and where they are, and can block the actions related to the vulnerabilities, but he said that it can't actually make changes to the code or the libraries. But because developers can see where the security issues lie, those issues can be found and fixed.

“We create a knowledge base of how open-source libraries behave and then we can enforce their permissions,” Czerninski explained, “and what they need from the operating system. By that, instead of trying to detect malicious activity for the entire application, we do it for each and every component by understanding how each behaves in runtime.”
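The two ideas in the quotes above (keeping only the scanner findings whose libraries are actually loaded at runtime, and learning a per-library profile of what each library asks the operating system for, then enforcing it in a detect or a prevent mode) can be sketched in a few dozen lines. The code below is an added illustration written for this article, not Oligo's product or code; the library names, events and finding ids are constructed sample data, and attributing an action to a library is assumed to be done elsewhere (for example from the call stack), so events arrive here already labelled.

```python
# Added illustration (not Oligo's code) of runtime library-level monitoring:
# (1) filter scanner findings down to libraries that were actually loaded, and
# (2) learn a per-library behaviour profile and enforce it in detect or prevent mode.
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    LEARN = "learn"      # record what each library does and build the profile
    DETECT = "detect"    # alert on deviations, but let the action proceed
    PREVENT = "prevent"  # alert on deviations and block the action


class BlockedAction(Exception):
    """Raised in PREVENT mode when a library steps outside its learned profile."""


@dataclass(frozen=True)
class Event:
    library: str     # library the action is attributed to (assumed: resolved from the call stack)
    operation: str   # what the library asked the OS for (read_file, connect, ...)
    target: str      # coarse target class rather than the exact path or host


@dataclass
class LibraryMonitor:
    mode: Mode = Mode.LEARN
    # knowledge base: library -> set of (operation, target) pairs it was observed to need
    profile: dict = field(default_factory=dict)
    loaded: set = field(default_factory=set)
    alerts: list = field(default_factory=list)

    def observe(self, event: Event) -> bool:
        """Record or check one runtime action; returns True if the action may proceed."""
        self.loaded.add(event.library)
        allowed = self.profile.setdefault(event.library, set())
        key = (event.operation, event.target)
        if self.mode is Mode.LEARN:
            allowed.add(key)
            return True
        if key in allowed:
            return True
        self.alerts.append(f"{event.library}: unexpected {event.operation} on {event.target}")
        if self.mode is Mode.PREVENT:
            raise BlockedAction(self.alerts[-1])
        return True  # DETECT mode: alerted, but the action is not blocked

    def runtime_relevant(self, findings: list) -> list:
        """Keep only scanner findings whose library was actually loaded at runtime."""
        return [f for f in findings if f["library"] in self.loaded]


# Constructed sample data: placeholder finding ids and made-up library names.
SCANNER_FINDINGS = [
    {"id": "FINDING-1-PLACEHOLDER", "library": "imgdecode"},
    {"id": "FINDING-2-PLACEHOLDER", "library": "jsonparse"},
    {"id": "FINDING-3-PLACEHOLDER", "library": "legacy-xml"},  # shipped, but never loaded
]

# Constructed baseline run used to learn what each loaded library normally does.
BASELINE_RUN = [
    Event("jsonparse", "read_file", "config"),
    Event("imgdecode", "read_file", "upload"),
    Event("imgdecode", "write_file", "tmp"),
]


def build_profile() -> LibraryMonitor:
    """Learning phase: replay the baseline run and build the per-library knowledge base."""
    monitor = LibraryMonitor(Mode.LEARN)
    for event in BASELINE_RUN:
        monitor.observe(event)
    return monitor


def run_enforcement(mode: Mode):
    """Enforcement phase: one normal action, then an image decoder opening a network connection."""
    monitor = build_profile()
    monitor.mode = mode
    later_run = [
        Event("jsonparse", "read_file", "config"),   # within profile
        Event("imgdecode", "connect", "network"),    # deviation: never seen in the baseline
    ]
    outcomes = []
    for event in later_run:
        try:
            monitor.observe(event)
            outcomes.append("allowed")
        except BlockedAction:
            outcomes.append("blocked")
    return monitor, outcomes


if __name__ == "__main__":
    baseline = build_profile()
    print("runtime-relevant findings:", [f["id"] for f in baseline.runtime_relevant(SCANNER_FINDINGS)])
    for mode in (Mode.DETECT, Mode.PREVENT):
        monitor, outcomes = run_enforcement(mode)
        print(mode.value, outcomes, monitor.alerts)
```

The profile is keyed on coarse (operation, target-class) pairs rather than exact paths so that ordinary variation between runs does not flood the alert list; the trade-off is that the baseline run must exercise the library's legitimate behaviour, or a prevent-mode deployment will block real work.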

Czerninski pointed out that open-source code makes up 80 to 90 percent of modern software, which in turn makes it an attractive target for attacks by cybercriminals and nation-state attackers. He said that many current scanners produce large quantities of false-positive results, making finding and fixing vulnerabilities difficult. He said that by operating at runtime, Oligo is able to avoid most of those problems.
