You can't attack: half of software development libraries contain vulnerabilities
Experts told Izvestia that about 50% of popular open-source software development libraries contain vulnerabilities. Through them, hacker attacks can lead to the leakage of confidential company data and personal data, halt internal systems, or plant malware inside the security stack. To prevent attacks, experts recommend installing anti-virus software and regularly updating applications.
How hackers steal user data
Every second popular open-source software development library (the building blocks from which developers assemble new products) has contained a vulnerability in at least one of its versions. This was told to Izvestia by AppSec Solutions, which analyzed open sources. The majority of such libraries are developed by enthusiasts or small teams, which often lack the resources for regular security audits or the necessary information security skills, explained Oleg Ulanov, an expert at Infosecurity (Softline Group of Companies).
Open-source software is a kind of lottery, says Evgeny Yanov, head of the audit and consulting department at F.A.C.C.T. Open source code gives attackers an opportunity to scrutinize it and find vulnerabilities they can use for illegal actions, he said.
"For the average user, the danger is that vulnerabilities can be used to steal data, finances, infect devices with malware or other forms of attacks. For example, if an application on a smartphone uses a vulnerable library, attackers can exploit it and gain full control over the user's data," Oleg Ulanov said.
For developers, the risks are even greater: through such libraries hackers can attack company infrastructure, which can lead to complete compromise of user data and disruption of business processes, up to the loss of the business, he said. In addition, exploitation of vulnerabilities by attackers leads to reputational losses, which will certainly affect the financial well-being of the company.
Anton Kutepov, head of IS community development at Positive Technologies, believes that the consequences of such vulnerabilities can range from minor to extremely serious, including data leaks. However, reputational risks are still an important aspect for developers who use open source libraries. If a vulnerability is discovered, the most important thing is to quickly update the version in use, he explained.
Microsoft, for example, has established a mechanism for promptly fixing such problems and has a program to encourage researchers who report to the vendor about the found vulnerabilities, the expert added. In total, according to Kaspersky Lab, more than 12,000 vulnerable open-source solutions are known to date.
How to secure personal and corporate data
Modern software development rarely starts from scratch. In most cases, ready-made components are used to reduce the time to build a product, said Sergey Smirnov, head of the DevSecOps cluster of the Sphere platform (T1 IT holding). According to market experts, the share of reused libraries in projects can reach 80%, he emphasized.
"When a library becomes popular, the number of its users grows, which in turn increases the probability of vulnerability discovery by both specialists and attackers," the expert said.
Another reason for the large number of vulnerabilities is a decrease in the quality of programming in general, said Oleg Bosenko, director of the cybersecurity department at IBS.
"It is high-quality programming, well-designed processes and testing of program modules that allow vulnerabilities to be excluded. The obstacle is the desire to speed up the product's launch onto the market. And then a raw, insufficiently tested product ends up in the library," he explained.
The overall risk is obvious: a decrease in the level of security as a whole, the formation of channels for destructive influence, data leaks and so on, the expert emphasized.
According to Sergey Smirnov, to prevent such consequences, users need to install anti-virus software and regularly update applications. For developers, in turn, there are specialized tools that allow risks to be minimized at the development stage, for example static and dynamic code analyzers.
Auditing the solutions in use is extremely important, added Oleg Ulanov from Infosecurity: checking the code of third-party and in-house libraries for security helps to identify weaknesses in advance, so they can be eliminated before use. For this purpose, third-party security analysis specialists can be engaged to provide a detailed report with recommendations. In addition, it is important to regularly track vulnerabilities in the libraries used and update them, he said.
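The last recommendation, tracking known vulnerabilities in the libraries a project pins and upgrading past them, is the routine that software composition analysis (SCA) tools automate. The script below is an added example written for this page; it is not code from Izvestia or from any of the experts quoted. It assumes a pinned manifest in "name==version" form and a hand-written advisory list with version ranges. Every package name, version and advisory identifier in it is a constructed placeholder; a real check would pull advisories from a vulnerability database such as OSV or the GitHub Advisory Database instead of an inline list.

```python
"""Minimal dependency-audit check (added example, not from the article).

Assumptions, all constructed for illustration: a pinned manifest in
"name==version" form and a hand-written advisory list. A real check would
fetch advisories from a vulnerability database (e.g. OSV) rather than
hard-code them.
"""

# Constructed manifest in requirements.txt style. Package names and
# versions are placeholders, not real projects.
MANIFEST = """\
# web framework and helpers (constructed sample)
examplelib==1.4.2
fastparse==2.0.0
leftpad-clone==0.9.1
"""

# Constructed advisory list: package, first affected version (inclusive),
# first fixed version (exclusive upper bound), placeholder identifier.
ADVISORIES = [
    {"package": "examplelib", "introduced": "1.0.0", "fixed": "1.4.3", "id": "EXAMPLE-2024-0001"},
    {"package": "fastparse", "introduced": "2.0.0", "fixed": "2.1.0", "id": "EXAMPLE-2024-0002"},
    {"package": "fastparse", "introduced": "0.0.0", "fixed": "1.5.0", "id": "EXAMPLE-2023-0042"},
]


def parse_version(text):
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_manifest(text):
    """Return {package: version} from a pinned manifest, skipping comments and blank lines.

    Unpinned entries are rejected: without an exact version there is nothing
    to compare against an advisory's affected range.
    """
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, version = line.partition("==")
        if not sep:
            raise ValueError(f"unpinned dependency: {line!r}")
        pins[name.strip().lower()] = version.strip()
    return pins


def is_affected(version, advisory):
    """True when introduced <= version < fixed for the advisory's range."""
    lo = parse_version(advisory["introduced"])
    hi = parse_version(advisory["fixed"])
    return lo <= parse_version(version) < hi


def audit(pins, advisories):
    """Return (package, installed, advisory id, fixed version) for every matching advisory."""
    findings = []
    for adv in advisories:
        installed = pins.get(adv["package"])
        if installed is not None and is_affected(installed, adv):
            findings.append((adv["package"], installed, adv["id"], adv["fixed"]))
    return findings


def upgrade_targets(findings):
    """Collapse findings to the minimum version per package that clears all matched advisories."""
    targets = {}
    for package, _installed, _adv_id, fixed in findings:
        current = targets.get(package)
        if current is None or parse_version(fixed) > parse_version(current):
            targets[package] = fixed
    return targets


if __name__ == "__main__":
    pins = parse_manifest(MANIFEST)
    findings = audit(pins, ADVISORIES)
    for package, installed, adv_id, fixed in findings:
        print(f"{package}=={installed} is affected by {adv_id}; fixed in {fixed}")
    for package, target in upgrade_targets(findings).items():
        print(f"upgrade {package} to >= {target}")
```

Run on the constructed manifest, the check flags examplelib 1.4.2 and fastparse 2.0.0 and reports the minimum versions to upgrade to, while leftpad-clone passes because no advisory matches it. Comparing versions as integer tuples rather than strings matters: a string comparison would rank "1.10.0" below "1.9.9" and silently miss or misreport affected ranges.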