GDPR and OSS. How Are They Linked and Why Should You Care?

By Ryan Sheldrake

3 minute read time

What does GDPR have to do with Open Source Software (OSS)?

The answer is Data.

Developers use OSS to speed development time, so they can focus on writing code that gives them a competitive advantage. In fact, open source is so widely used that, according to recent research, about 80% of a software application is made up of open source components. While this is great for speed and efficiency, it can cause problems, because not all open source components are created equal. Some components have security vulnerabilities, and sometimes developers choose a vulnerable version unknowingly. Without empowering development teams to choose the right, healthy open source component, those vulnerabilities can be exploited and personal data stolen.

With the advent of GDPR, organizations will be liable for huge fines for such breaches.

The GDPR Legislation Requires Organizations to Protect Data

Article 25: Data protection by design and by default.

Privacy by design as a concept has existed for years, but only with GDPR does it become a legal requirement. At its core, data protection by design and by default requires that data protection be built in from the outset of system design, rather than added afterwards. More specifically: "The controller shall... implement appropriate technical and organizational measures... in an effective way... to meet the requirements of this Regulation and protect the rights of data subjects."

How Can OSS Make Data Insecure?

Open source software with known security vulnerabilities can be manipulated to gain unlawful access to data. One type of attack against open source software is Remote Code Execution (RCE), in which arbitrary commands are appended to a legitimate command and executed on the target system without validation. For example:

<genuine command/payload> + <appended hack command/payload>

The commands can be serialized, so the appended command can be difficult to spot. For example, if I append 'mysql && SHOW DATABASES;', I would be shown a list of the databases*. I could then begin mining the listed databases for tables, and the tables for, you’ve guessed it... DATA, to which I would now have unlawful access.

Equifax Would Be Liable Under GDPR

A recent example of this type of exploitation that hit the press in September 2017 was the data breach at Equifax, in which 143 million personal data records were extracted over several months without Equifax knowing. This violates many existing laws, but had GDPR been in place, an estimated fine upward of €60m could have been imposed.

The saddest part about the Equifax breach is that it was entirely preventable with the right processes and tools in place. Equifax was not able to identify and isolate the vulnerable open source struts2 component in its application landscape (see CVE-2017-5638). If Equifax had known, via a software bill of materials, which open source components were in its software and systems, it could have reacted quickly, patching the issue at the point of disclosure and avoiding both the data breach and the eventual loss of its CEO and CISO.
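As an added illustration of the check described above (this is not Sonatype's code nor code from the post), the following Python script matches the components listed in a CycloneDX-style SBOM against an advisory table keyed on the Struts 2 CVE the post names. The SBOM fragment and the advisory version bounds are constructed sample data; in practice the affected ranges come from the published advisory.

```python
"""Flag SBOM components that fall inside a known-vulnerable version range.
Added illustration only; the SBOM and advisory entries below are constructed."""
import json
import re

# Constructed advisory table: (group, artifact) -> [(CVE, min_inclusive, max_inclusive)].
# The version bounds are sample data; take real ranges from the official advisory.
ADVISORIES = {
    ("org.apache.struts", "struts2-core"): [
        ("CVE-2017-5638", "2.3.5", "2.3.31"),
        ("CVE-2017-5638", "2.5", "2.5.10"),
    ],
}

# Constructed CycloneDX-style SBOM fragment; components are identified by package URL (purl).
SAMPLE_SBOM = json.dumps({
    "components": [
        {"purl": "pkg:maven/org.apache.struts/struts2-core@2.3.30"},
        {"purl": "pkg:maven/org.apache.struts/struts2-core@2.5.13"},
        {"purl": "pkg:maven/commons-io/commons-io@2.6"},
    ]
})

PURL_RE = re.compile(r"^pkg:maven/(?P<group>[^/]+)/(?P<name>[^@]+)@(?P<version>[^?#]+)")

def version_key(v):
    # "2.3.31" -> (2, 3, 31); missing trailing parts count as zero so "2.5" == "2.5.0".
    parts = [int(p) if p.isdigit() else 0 for p in v.split(".")]
    return tuple((parts + [0, 0, 0])[:3])

def in_range(version, low, high):
    return version_key(low) <= version_key(version) <= version_key(high)

def find_vulnerable(sbom_json):
    """Return [(purl, cve)] for every SBOM component inside an advisory range."""
    hits = []
    for comp in json.loads(sbom_json).get("components", []):
        m = PURL_RE.match(comp.get("purl", ""))
        if not m:
            continue  # not a Maven purl; this sample table only covers Maven coordinates
        for cve, low, high in ADVISORIES.get((m["group"], m["name"]), []):
            if in_range(m["version"], low, high):
                hits.append((comp["purl"], cve))
    return hits

if __name__ == "__main__":
    for purl, cve in find_vulnerable(SAMPLE_SBOM):
        print(f"{purl} is affected by {cve}")
```

The same lookup runs unchanged when a vulnerability is newly disclosed: append the new advisory entry and re-run it over the existing SBOM to find every affected application.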

There Is a Better Way

Sonatype Lifecycle is uniquely architected to provide the most precise open source component identification and analysis to keep your applications secure. With Sonatype Lifecycle, organizations have a complete software bill of materials and are automatically notified, on the day a vulnerability is disclosed, that they are using an affected component. And the rich intelligence provides security teams and developers with guidance on which version they should move to in order to remediate the issue.

Organizations all over the world use Sonatype Lifecycle to automate open source governance and secure their applications early, everywhere, and at scale. They also have the added benefit of being ahead of the curve when it comes to GDPR compliance.

* This example assumes mysql was set up insecurely. However, obtaining the password for the mysql user is relatively simple if the web container is running as a super user.
