Apparently e-commerce companies are really bad about using open source software with known vulnerabilities. In one industry audit, 83 percent of applications used in online retail are identified as “high” risk for criminals to exploit.
All this is according to Black Duck Software, maker of security and compliance products used in open source development. The company audited 1,071 open source applications used in business for its 2017 Open Source Security and Risk Analysis report and found egregious security oversights in the vast majority of online retail portals.
Information superhighway to the danger zone
The open source development model associates readily with reliability, agility, and security, which, for the most part, represents the open source movement in a fairly accurate light. You can save a bunch of money on proprietary licensing and crowd-source a good deal of development, too. Here comes the “big but”—most commercially deployed open source software isn’t as secure as you think.
In fact, two-thirds of open source applications used in business have known vulnerabilities. More than half of those vulnerable apps are rated as “high” severity by the National Institute of Standards and Technology (NIST). They’re not written in obscure languages and frameworks, either—Linux Kernel v.18.104.22.168 and PHP v. 4.0.0 were the two most frequently identified in the report.
The vulnerabilities mentioned in the report tie back to PCI DSS compliance, the rules that credit card companies use to govern card payments. Most, if not all, apps marked in the report as “vulnerable” break PCI DSS requirement #6.
Patch and update mandates are required for PCI compliance
Developers who build open source applications do have licensing obligations under the GNU General Public License (GPL). As it pertains to security, under the GPL a developer who modifies and distributes open source software must disclose the modifications before distributing on StackExchange, GitHub, or other channels. This is so recipients know they are working with an altered variant of the original software, making it clear that patch and update procedures may differ from those associated with the original application.
Less than half (45%) of audited open source software complied with GPL rules. As a result, a good number of open source “unknowns” wind up in commercial use. They create problems with patch and update procedures: known exploits go unfixed and companies become easy targets.
Suggested practice for open source e-commerce app development
The smart move is to create outward-facing applications handling data protected by PCI DSS—customer information, transactional data, payment processing, and business intelligence—making sure to use GPL-compliant source code.
If you’re looking for a suggestion, check out JBoss Developer Studio, the reputable Red Hat Enterprise Linux (RHEL) middleware toolset. It is a subscription-based, open source toolset designed for PCI DSS-compliant app development, and Red Hat publishes security patches and advisories for it several times a week.
Don’t forget the firewall
Whether you’re hosting an e-commerce domain on your own servers or in the cloud, you need a business-class firewall for segmenting your network as required by PCI DSS. Newer firewalls and UTMs combine a proxy level of control with the speed of a packet filter.