Cybereye | What's in your app?
Commentary: Be on the lookout for 'code creep,' as undocumented software works its way into your applications.
- By William Jackson
- Nov 03, 2008
One of the big difficulties in making sure that applications are secure is that all too often even the people who create them don't know what is in them.
Palamida Inc., an open-source application security company, scans about 1 billion lines of code for customers each year and claims that every customer it has worked with has undocumented open-source software inside mission-critical applications. Applications developed in the past five years ' whether created internally or externally ' typically contain at least 50 percent open-source or other third-party components, much of it undocumented by the company's engineering or security teams, Palamida officials say.
'Most companies don't have a full inventory of the open-source code they are using,' said Mark Tolliver, Palamida's chief executive officer.
The company obviously has an interest in finding such issues because its employees make their living scanning and fixing code. But even if you doubt the figures for the amount of undocumented code in each application, there is no reason to doubt that documentation is a difficult problem in application development. No responsible development team is going to rewrite every line of code from scratch for each project when millions of lines are already available in-house or by download from open-source libraries. And reuse of software almost guarantees that documentation is likely to become vague or disappear completely in several generations of use even in the most responsible organizations.
The problem is not open-source software, which is not inherently less secure or more likely to cause problems. On average, it probably is at least as secure and maybe more secure that proprietary code because of the number of people who review it, Tolliver said.
'The open-source community does a great job of finding problems and fixing them,' he said. 'So the fix is out there.' The problem is that the code tends to creep in without being fully documented, so that administrators can't easily apply the appropriate fix or install an update. 'You can't manage and secure what you don't know you have.'
Obviously, the solution is to fully document all applications as they are developed and updated and strictly apply change control organizationwide. But just as obviously, that approach does nothing to address the problem of the thousands of applications already in use in your organization that are not going away any time soon. Institutional memory also is notoriously fallible employees leave and applications migrate.
A scanning tool can help you to identify problem areas in your software. But flagging problems does not solve them. If you do not have ready access to the source code in your applications, finding the problems and then fixing them can eat up a lot of valuable time.
Palamida has an answer, of course. It uses a tool that it likens to a specialized search engine to compare your code with billions of lines of open-source code to identify what you are using. Then any problems can be fixed or versions updated. It even provides open-source update services on a subscription basis.
I don't know if this is the only or the best solution to the problem of understanding what is in the applications you are running, but the market for such services underscores the continuing need to keep better tabs on our software. If eternal vigilance is the price of freedom, eternal documentation and scanning is the price of secure software.
William Jackson is a Maryland-based freelance writer.