What does GDPR have to do with Open Source Software (OSS)?
The answer is Data.
Developers use OSS to speed time to development so that they can focus on writing code that gives them a competitive advantage. In fact, open source is so widely used, that according to recent research, about 80% of a software application is made up of open source components. While this is great at providing speed and efficiency, it can cause some issues because not all open source components are created equal. Some components have security vulnerabilities and sometimes developers choose a vulnerable version involuntarily. Without empowering development teams to choose the right, healthy open source component, vulnerabilities can be exploited and personal data can be stolen.
With the advent of GDPR, if that happens, organisations will be liable for huge fines.
The GDPR legislation enforces organisations to protect data
Article 25 : Data protection by design and by default.
Privacy by design as a concept has existed for years now, but it is only just becoming part of a legal requirement with GDPR. At it’s core, data protection by design and default calls for the inclusion of data protection from the onset of the designing of systems, rather than an addition. More specifically - “The controller shall..implement appropriate technical and organisational measures..in an effective way..in order to meet the requirements of this Regulation and protect the rights of data subjects.”
How can OSS make data unsecure?
Open source software can be manipulated based on known security vulnerabilities to gain unlawful access to data. One type of attack into open source software is Remote Code Execution (RCE). This means that arbitrary commands can be appended to the legitimate command and executed on the target system without validation. For example:
<genuine command/payload> + <appended hack command/payload>
The commands can be serialized so it can be very difficult to find the appended command. For example, if I was to append ‘mysql && SHOW DATABASES;’ I would be shown a list of the databases*. I could then begin mining for tables within the listed databases and then within the tables for, you’ve guessed it….. I would have unlawful access to DATA!
Equifax would be liable under GDPR
A recent example of this type of exploitation that hit the press in September 2017 was the data breach at Equifax. 143 million personal data records were extracted over several months without Equifax knowing. This breaks many existing legislations, but should GDPR have been in place, an estimated fine upward of €60m could have been imposed.
The saddest part about the Equifax breach is that is was entirely preventable with the right processes and tools in place. Equifax was not able to identify and isolate the vulnerable open source struts2 component in its application landscape (see CVE-2017-5638). If Equifax had known what open source components were in their software and systems via a software bill of materials, they could have reacted very quickly, patching the issue at the point of disclosure, avoiding the data breach and eventual loss of their CEO and CISO.
There is a better way
Sonatype’s Nexus Lifecycle is uniquely architected to provide the most precise open source component identification and analysis to keep your applications secure. With Nexus Lifecycle, organisations have a complete software bill of materials and are automatically notified when using a vulnerable component the day the vulnerability is disclosed. And, the rich intelligence provides security teams and developers with guidance on which version they should move to in order to remediate the issue.
Organizations all over the world use Nexus Lifecycle to automate open source governance and secure their applications early, everywhere, and at scale. They also have the added benefit of being ahead of the curve when it comes to GDPR compliance.
* This example assumes mysql was initialized as unsecure. However obtaining the password for the mysql user is relatively simple if the web container is running as a super user.