Open Source Security in a Nutshell
Open Source software offers an abundance of advantages for developers and organizations. It unbelievably accelerates the development process as it provides access to a vast collection of pre-built modules, enables collaborative development and rapid prototyping, adheres to open standards, promotes agile development methodologies, and reduces the cost of development by eliminating the need to build software from scratch. Today, open source constitutes 80%-90% of modern software applications. As the number of CVEs in open source libraries continues to grow, and the architecture of cloud environments gets more complex, securing applications has become a complicated task that requires a deeper understanding of the runtime environment.
The awareness to open source risks grew vastly with the past year’s publications of severe open source vulnerabilities such as Log4Shell, Text4Shell, Spring4Shell, OpenSSL, Pytorch, and many more. Security tools brought to life for helping organizations ship secure code to production. By integrating into the applications’ code base, build process, and CI/CD pipeline, these tools provide developers and security teams with a list of theoretical issues. This list contains CVEs of the required open source libraries of the applications, regardless of their state and context in the runtime environment. There’s a huge gap between the potential risk and the actual threats in the runtime environment. Only 15% of CVEs scanned with traditional solutions are posing a real risk, and the other 85% are irrelevant, resulting in lots of false positives and noise.
What Traditional Security Approaches are Missing
Developers and security teams often face a significant challenge in prioritizing open source risks. They struggle to answer basic questions about runtime visibility. It's critical for teams to be able to locate open source libraries in production and discover their runtime state, track their behavior, and delve into the details of their function execution. It's also important to understand the capabilities of the asset containing the exploitable library and the access privileges of that asset, all of which are essential for achieving precise prioritization.
It's usually impossible for the teams to handle all the security issues in their scaled and complex environments, even if they are able to prioritize and minimize the list of issues, most of the time it’s unfeasible to fix them all. For example, there are CVEs without an available patch or multiple CVEs referring to the same library that are published in a short time, and it becomes impossible to keep track of their security fixes. All of this means that security teams are left with exploitable applications in production, staying totally defenseless, and without the ability to even be aware if a vulnerability has been exploited in real-time. Needless to say, teams can’t stop those attacks from happening, and of course, they can’t just shut down the production servers.
When it comes to threat detection, traditional security tools examine applications’ overall behavior, which can be a difficult task given the complexity of modern applications that encompass numerous functionalities. This wide approach often leads to inaccurate detection of malicious activity that results in both false-positive alerts and failure to detect true breaches. However, by breaking the application into its open source libraries that it consists of, and examining the behavior of each individual library, it becomes apparent that each library has an expected behavior based on its role.
Refreshing Open Source Security with Runtime Perspective
With a patent-pending eBPF-based technology solution, Oligo is revolutionizing the open source security world. Oligo is providing clear visibility to open source libraries at runtime and precise risk prioritization, thereby eliminating noise and helping teams focus on risks that matter the most and make informed decisions on managing security efforts properly and efficiently. This results in saving critical time for developers and security teams. Oligo secures applications in a zero-trust approach by analyzing the application’s behavior at its library-level. With this approach, Oligo detects malicious behavior that couldn't have been detected otherwise.
Oligo enables teams to focus on what’s happening in the runtime environment by leveraging runtime intelligence on open source security. Oligo reveals the application runtime context which refers to the environment in which the application is running, the resources that the application has access to, and the privileges and capabilities that the application holds. Oligo also discovers the library runtime state and sheds light on the execution phase of the library: installed, loaded to memory, or actually running. Taking these insights into risk assessment considerations, Oligo provides prioritization based on real-time data.
Oligo offers a unique and proactive threat detection solution for open source libraries, detecting malicious activity based on open source library profiling. Oligo creates a unique profile for each open source library. For instance, Oligo can determine that PyYaml, a python open source YAML parser library, should not invoke code execution. When an attack occurs, Oligo detects the deviation in the open source library behavior and identifies it as malicious activity.
Oligo pinpoints open source risks within the runtime environment and reveals the execution behavior of the open source libraries within the applications in real-time. With Oligo’s unique detection mechanism, teams can be aware of risks in runtime environments, and understand what is happening with vulnerabilities that haven’t been mitigated yet. Most importantly, teams can understand if there was an abuse of a vulnerability in real-time.
Let’s take the Log4shell vulnerability as an example. A critical vulnerability was discovered in a very commonly used logging open source library. Organizations tried to tackle this incident by understanding which assets in their production environment are accessible to an attacker for exploiting the vulnerability. Using traditional security tools, teams got lists of their applications where the Log4j library existed. Unfortunately, the lists were very long, and with no accurate prioritization. While trying to prioritize the given lists, teams tried to figure out which assets were internet-facing, where Log4j was loaded to memory or actually running, and where the vulnerable function was running.
Collecting and combining all this information required complicated analysis. Meanwhile, the business’ servers were exposed, and critical time for the organization was burning. Oligo’s approach makes risk prioritization simple and saves critical time for teams and organizations that had to do this labor-intensive work in the past. Needless to say, this work is a huge time consumer, not scalable, and can’t keep pace with the evolving cloud environment complexity.
Oligo exposes runtime intelligence that is crucial for risk prioritization and helps teams get a deep understanding of the runtime environment. For example, internet-facing is a basic requirement for exploiting the Log4shell vulnerability. With Oligo, teams can easily understand whether an asset that contains Log4j is exposed to the internet. Oligo uncovers the libraries’ state within the asset, and teams can be aware of the assets where Log4j is observed running or loaded to memory. Teams can discover which functions of Log4j have been executed and understand if the vulnerability was abused. More than that, Oligo brings the ability to understand what was the behavior of Log4j library at runtime, making it trivial to be aware if there was exploitation.
Oligo is revolutionizing the open source security world by offering a unique runtime security approach that helps teams get a comprehensive understanding of their applications and their risks at runtime.
Our goal at Oligo is to simplify the task of ensuring application security. We accomplish it by offering teams a transparent view of their runtime environment and providing precise risk prioritization, thus focusing on the most critical risks. With our distinctive approach, we enable teams to monitor open source risks during runtime, attain a thorough understanding of the application’s runtime and detect malicious activity.