Open source software is no longer limited to applications running on computers and servers. It's used in mobile devices, entertainment systems, medical equipment, and connected cars, to name a few. With open source software used by governments and practically every industry sector, finding and fixing vulnerabilities has moved beyond an "it would be nice" situation solidly into the "we have to do better" camp.
Toward that end, Mozilla launched The Secure Open Source (SOS) Fund to help pay for security auditing, remediation, and verification for open source software projects. As part of the program, Mozilla committed to contracting and paying security firms to audit projects' code, working with the project maintainers to support and implement fixes, and paying to verify the remediation work so that bugs have actually been addressed. Mozilla will also work with the maintainers to manage vulnerability disclosure. Mozilla supplied The SOS Fund with $500,000 in initial funding and encouraged other companies and governments to support the program by contributing additional funds.
"We challenge these beneficiaries of open source to pay it forward and help secure the Internet," Mozilla said.
The discovery of Heartbleed in OpenSSL and Shellshock in Bash showed that open source software wasn't necessarily more secure than closed source applications. The idea that more eyeballs looking at the code meant vulnerabilities would be found quickly breaks down if everyone assumes someone else is looking. Some projects were tremendously popular, creating a situation where many people trusted and relied on code no one had vetted. Many people realized for the first time exactly how underfunded and understaffed some popular projects were; OpenSSL, for example, had only two part-time developers working on it.
Especially concerning is that, more than two years after Heartbleed, there are still widely used open source projects with only one or two developers that have no corporate sponsorship and rely on volunteer donations. These projects frequently don't have the resources or funding to focus on application security basics, to perform regular testing, or to remediate the bugs that are found. Some of the projects can be found in critical applications, networking infrastructure, and services. Vast swaths of the internet rely on open source technologies. As much as 30 percent of deployed software in the Global 2000 is open source, and most modern applications, even commercial closed-source ones, include open source components.
"Adequate support for securing open source software remains an unsolved problem," Mozilla noted.
Fixing issues in open source software
As part of the Mozilla Open Source Support program, The SOS Fund will cover the costs of the audits themselves and help with coordination and other types of support for various widely used open source libraries and programs. Mozilla has already supported audits for PCRE (Perl Compatible Regular Expressions), libjpeg-turbo (a fork of the libjpeg codebase), and phpMyAdmin, the web-based admin tool for MySQL databases. The effort uncovered 43 vulnerabilities across the three projects. Mozilla worked with Cure53 for the PCRE and libjpeg-turbo audits, and with NCC Group for the phpMyAdmin audit.
"The initial results confirm our investment hypothesis, and we're excited to learn more as we open for [more] applications," Mozilla said.
The audit found 29 vulnerabilities in PCRE: one rated critical, five medium, 20 low, and three informational. The critical vulnerability was a stack buffer overflow that could have led to arbitrary code execution when compiling untrusted regular expressions, according to the report. All of the issues, except one low-severity bug, have been fixed in PCRE 10.21.
The libjpeg-turbo library, which is used by several well-known open source projects such as Chrome, LibreOffice, Firefox, and various flavors of VNC, contained five vulnerabilities. One was rated high severity, two medium, and two low. The high-severity flaw was an out-of-bounds read that may not be exploitable. The two medium-severity flaws were originally flagged as denial-of-service issues, but turned out to be issues with the JPEG standard itself, and affect multiple JPEG implementations. The issues "can be triggered by entirely legal JPEGs, and so are not easy to mitigate in any JPEG library itself," according to the audit report, which contains suggestions as to how applications using JPEG can mitigate them in their own code. Other than the issues in the JPEG standard, all of the bugs have been fixed in libjpeg-turbo stable version 1.5.
Finally, phpMyAdmin had nine flaws: three medium severity, five low, and one informational. Two issues have been partially fixed, and the remaining seven have been fixed in phpMyAdmin 4.6.2.
Project maintainers can apply for support or get more information from the Mozilla Open Source Support program page.
Supporting open source software security
Mozilla is not saying this initiative alone will fix the application security problem for open source. Security is a multistep process that requires increased investments in areas such as education and best practices. The SOS Fund will provide needed short-term benefits and industry momentum to help strengthen open source projects, Mozilla said.
The SOS Fund is intended to complement the Linux Foundation's Core Infrastructure Initiative, said Chris Riley, head of public policy at Mozilla. CII focuses on deeper investments into open source software that is used in critical applications, such as supporting infrastructure costs, development efforts, and governance. The SOS Fund's audits and remediation work aids open source software projects in the ecosystem with "lower-hanging fruit security needs," he said.
"To have substantial and lasting benefit, we need a broad range of solutions, including audits, education, best practices, and a host of others," Riley said.
As WhiteHat Security's Setu Kulkarni noted, The SOS Fund is a "step in the right direction," but it's not a stand-alone process. Security data needs to be incorporated into a risk-based application security program.
No one expects software applications to be free of vulnerabilities. But there's a big difference between looking for and fixing obvious flaws before going to production, and simply shipping with known flaws because fixing them would take too much time. Since software can't be bug-free, it's only reasonable that software be regularly updated so that vulnerabilities can be fixed.
While it's possible to look for and fix vulnerabilities internally within the team, audits help teams tap into security expertise outside the project to help find issues. Veracode's latest State of Software Security Report found that most applications submitted for software assessment have less than a 45 percent pass rate, and nearly three out of four applications produced by third-party software vendors and SaaS suppliers fail the OWASP Top 10 when initially assessed.
"We all rely on open source software," Mozilla said in the blog post. "We hope this is only the beginning."