Is there a hidden threat buried in your software stack? Is there a hidden threat embedded within your Docker container?
It's certainly not outside the realm of possibility, especially if you're not 100% sure exactly how the various open source components that make up your software stack or your container image were derived.
"One of the aspects of open source is that it can be forked," said Tim Mackey, the Technical Evangelist for BlackDuck Software. "If you look at GitHub today and look at the OpenSSL project, you'll see that over 2500 or 2600 different OpenSSL forks have occurred." If a vulnerability in OpenSSL occurs, as it did when the Heartbleed bug rose to fame, only the mainline, unforked version of the project will be tagged as being problematic. If the Docker container you downloaded is using a forked version of a piece of open source software, or your cloud computing stack uses a highly customized derivative, you may very well have a hidden threat buried within your system that you won't be able to identify before hackers identify it for you.
The hidden threat from forking
"Let's say you've taken OpenSSL, you've forked it, maybe you've removed a cipher suite or maybe you've added a cipher suite, embedded it into your set of dependencies, and then it's moved on to someone else who has modified it ever so slightly, and then the process repeats, and you end up with it embedded in your application stack. Maybe it becomes the base image for your container? You may not be aware that you are in a vulnerable state," said Mackey, speaking to the fact that without a proper understanding of how open source software is both created and curated, there could be innumerable hidden threats lurking in your software.
And of course, one of the reasons Node is so compelling is because changes and enhancements are happening so quickly. But the downside is that packages can change several times a day, and with NPM, you're not exactly sure where the packages you're being supplied are coming from. "Because things are moving rapidly, a fork of a component can happen many, many times, and when an issue is raised in the intermediate stream of forks, it becomes much more difficult to recognize where the vulnerable code exists and where it doesn't," said Mackey.
So what is an organization to do? The key is to know exactly what software makes up a given software stack, and to understand which pieces of software come from a project's main trunk and which might be derivatives well removed from the mainline branch. Of course, that's not always an easy task, especially when even the simplest software projects can link to hundreds of open source archives, but it's a necessity if organizations want to maintain secure software stacks that are free of any embedded and hidden threats.
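As an added example (not from the article, and not BlackDuck's tooling), here is the shape of the check the paragraph above calls for: each component found in an image is compared against the digest of the upstream release it claims to be, so a component that carries an upstream version string but ships different bytes is flagged as a derivative whose advisory status cannot be read off its version. The release contents, digests and the advisory are constructed placeholders.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-ins for upstream release contents (a real check uses published digests).
UPSTREAM_CONTENT = {
    ("openssl", "1.0.1f"): b"openssl 1.0.1f upstream tarball (constructed)",
    ("openssl", "1.0.1g"): b"openssl 1.0.1g upstream tarball (constructed)",
}
UPSTREAM_DIGESTS = {k: hashlib.sha256(v).hexdigest() for k, v in UPSTREAM_CONTENT.items()}

# Constructed advisory, keyed (as upstream advisories are) on upstream version strings.
ADVISORIES = [{"id": "EXAMPLE-ADVISORY-1", "name": "openssl", "affected": {"1.0.1f"}}]

@dataclass
class Component:
    name: str
    version: str    # version the component claims, from its metadata or headers
    content: bytes  # bytes actually shipped in the image

def classify(c: Component) -> str:
    """Is this the mainline release it claims to be, a modified fork, or something unknown?"""
    expected = UPSTREAM_DIGESTS.get((c.name, c.version))
    if expected is None:
        return "unknown"      # no upstream release carries this version string
    if hashlib.sha256(c.content).hexdigest() == expected:
        return "mainline"
    return "derivative"       # upstream version string, but the shipped bytes have diverged

def assess(inventory):
    """Return (label, classification, verdict) for every component in an image inventory."""
    report = []
    for c in inventory:
        kind = classify(c)
        hits = [a["id"] for a in ADVISORIES if a["name"] == c.name and c.version in a["affected"]]
        if kind == "mainline":
            verdict = "affected by " + ", ".join(hits) if hits else "no known advisories"
        elif kind == "derivative":
            # A fork's version string is not a reliable key: the advisory may or may not apply.
            verdict = "fork detected; version-keyed advisories need source review"
        else:
            verdict = "provenance unknown; no upstream digest to compare against"
        report.append((f"{c.name} {c.version}", kind, verdict))
    return report

# Constructed inventory: a pristine release, a fork that kept the upstream version string,
# and a component whose version matches no upstream release at all.
SAMPLE_INVENTORY = [
    Component("openssl", "1.0.1f", UPSTREAM_CONTENT[("openssl", "1.0.1f")]),
    Component("openssl", "1.0.1f", UPSTREAM_CONTENT[("openssl", "1.0.1f")] + b" minus a cipher suite"),
    Component("openssl", "1.0.1f-internal", b"heavily customized derivative (constructed)"),
]
```

Running `assess(SAMPLE_INVENTORY)` reports the first component as mainline and affected, the second as a derivative needing review, and the third as having no upstream reference at all.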