Last December, the British government revealed that 2021 was a record year for tech investment in the country, with £29.4 billion pledged in British tech. This figure marked a 2.3x increase on 2020, which is the largest year-on-year growth since 2013/14. The industry is booming, with the UK storming ahead of European rivals– second place Germany received less than half of the UK’s funds at £14.7 billion. It is therefore a key time for investors to tighten up their investments and ensure that these new tech-driven assets are safe and secure from day one. Guillaume Acard, CTO at Vaultinum provides some insight for SMEToday’s readers.
When investing in tech, encountering open-source software (OSS) is almost a given. According to data from Open UK, 89% of companies are running OSS for their day-to-day operations, with OSS contributing £46.5bn to UK business as a whole in 2020. OSS therefore offers many benefits, both to individual businesses and the national and global economies. But what are the potential risks, and how can they be mitigated?
Defining OSS and its deployment in enterprise
OSS is a type of software that is created by a community of developers operating on shared values of collaboration. As such, OSS code can be inspected, copied, modified, and redistributed relatively freely by developers, allowing them the liberty to adapt and rewrite sections of any given programme.
The development and usage of OSS within businesses is booming. Half of all contributors on Github, the popular software development hosting site, say that are mostly writing code as part of their role within a private company, rather than doing so as a student or for a hobby. There is good reason for this: OSS provides a strong alternative to using application software or writing all code in-house. Open-source code tends to have a lower rate of obsolescence, as the community can work as a hive mind for any required updates or bug fixes. OSS can overall be cheaper too, as it allows businesses to take advantage of pre-existing code in comparison to writing everything from scratch. The community also provides strong talent opportunities for businesses that want to cut costs and work with freelancers from time-to-time, or to plug a hiring gap.
Spotlight on Log4Shell: Avoiding cyber vulnerabilities
There are nevertheless some significant risks with using OSS which, if not appropriately mitigated, could cause devastating financial and reputational damages. As open-source code is external to the organisation, vulnerabilities can arise at any time, which can have a knock-on effect on business operations. The recent example of vulnerabilities in popular open-source logging framework Log4j is an excellent example of the potential dangers that can be associated with OSS.
Log4j allows software developers to log data within their applications, used ubiquitously in enterprise software. A vulnerability in the logger that allows attackers to control vulnerable devices was made public knowledge in early December 2021, having existed undetected since 2013. Hackers take advantage of the vulnerability to gain remote control over victims’ computers for a variety of purposes, such as sending spam, cryptocurrency mining, and ransomware attacks. Once the vulnerability was made public knowledge, cyber security group Check Point saw more than 100 attacks per minute.
The Apache Software Foundation, an American non-profit corporation which supports a variety of OSS projects including Log4j, gave the vulnerability a severity rating of 10, the highest available score. Big names in the tech industry were affected, with Microsoft, Amazon, and Google Cloud data all reported to be potentially vulnerable to attack. Some have gone as far to say that the Log4Shell incident is the most critical vulnerability ever, citing its severity, simplicity, and pervasiveness as an explanation for this. The incident certainly demonstrates that companies have a hyper-dependency on open-source code, meaning that in-house developers must be more proactive in regularly checking for known flaws in code and fixing their overall base accordingly.
How can businesses avoid such risks in the future?
One way that developers can assess and identify the risks in code is to deploy tech due diligence software. These tools can help to manage the usage of open-source code in broader in-house developed code bases, identifying the terms of their licenses and checking for any public active vulnerabilities, as well as updates to open-source software. In this case, tech due diligence tools would be able to identify which environments are currently exposed to the Log4Shell vulnerability, so that developers can quickly patch them up where necessary and check for updates to other software and source code within their system.
Having software due diligence tools in place and regularly auditing software is not commonplace across many businesses, particularly for startups and SMEs. However in situations like this, it can be a lifeline in helping to keep software risk free and raising an alert to potential vulnerabilities that your software could be exposed to. Another option is for businesses to place their trust in a third-party specialized in the protection and audit of digital assets. One such company, Vaultinum, carries out comprehensive software due diligence to protect your investment.
While tech due diligence tools won’t be able to anticipate vulnerabilities that are not yet widely known, companies may not even realise that they are exposed to existing bugs in their code, which is why checking software regularly must become a common practice among developers.