Nate Silver's 2012 book "The Signal and The Noise" crisply explains the inevitability of earthquakes and the accuracy with which their frequencies and magnitudes can be predicted. The smoothness of the plot relating these two variables – a visualization of the Gutenberg-Richter law at work – is striking.

Earthquakes follow a power-law distribution. In this particular case, for a roughly one point increase in magnitude, the frequency of occurrence drops by a factor of 10, while the energy released increases 32-fold. This exponential relationship means that a very small number of events cause a disproportionately large share of the impact, including Fukushima, Haiti and Jakarta. This is also a characteristic of application security breaches, with Equifax being the highest-impact breach in history: many low-impact events – most you never even hear about – punctuated by the rare catastrophe.
Despite being able to accurately predict the likelihood of a certain magnitude earthquake in different geographies, we still cannot determine when or where a particular event might occur. Given enough time, high magnitude earthquakes are an inevitability no matter where you might live.
Similarly, it is impossible to determine when the next major open source vulnerability will be announced, and how and where it might be exploited. However, like earthquakes, such events are inevitable.
Open Source Exploits and Power-Law Distributions
As the complexity of software continues to increase, so does the difficulty in keeping it secure. More recently, this challenge has grown even faster with the explosion in open source software and the many hidden complexities that come with it. The ground beneath applications has slowly shifted over the last 20 years, as technology stacks have converged on common, open platforms. If left unchecked, the combination of bad actors, growing software complexity, and suboptimal software supply chain hygiene – poor use of open source – makes successful attacks not only an inevitability, but increasingly likely and with much greater impact. These conditions approximate a power-law distribution relating to open source exploits and their corresponding impact.
Because of the understood inevitability of earthquakes, building codes are used to significantly reduce the impact of major quakes and in many cases prevent catastrophe. The Haitian earthquake of 2010 resulted in hundreds of thousands of casualties, with over a million people left homeless in the aftermath. The same event impacted the neighboring Dominican Republic – which occupies the same island as Haiti – dramatically less, due primarily to construction quality.
Similar "building codes" can be applied to the development of software. In this case, the code requires high levels of software supply chain hygiene, which can be achieved by leveraging automation and other tooling to effectively manage the use of open source software. Developers become empowered to make better decisions about the software components they choose to use, with their actions thoughtfully guided following the disclosure of high-impact software vulnerabilities. Bad actors will invariably continue to prey on the weak, and in this case the victims will be those with poor open source hygiene – said differently, inadequate building codes.
When new widely used open source projects announce critical vulnerabilities, probes for weakness by bad actors are now manifesting within a day or two. This was the case with the Struts vulnerability, which led to the compromise of Equifax's personal data store. This timeframe will only compress as techniques for reverse engineering fixes and turning those into working exploits improve. The race is on. For those affected, the mean-time-to-remediation following these announcements must be on the order of hours to minimize exposure to attack. At the scale that many organizations are developing, automation becomes a necessity.
Be Prepared
The discovery of the next high-impact vulnerability is inevitable. We're just not sure where or when. Attackers will take advantage wherever they can, and more quickly. Are your own software building codes sufficient? Do your development, security and ops teams have the tools to respond immediately and decisively to the next major open source vulnerability?
Start preparing for the next major open source quake now. More information can be found in this prior post.