This post, by Nick Rea, RunSafe Security’s VP, Market Development, originally appeared on the Oracle Cloud Infrastructure Blog:
Managing cybersecurity vulnerabilities for organizations of any size is no small task. For organizations that produce their own code, they’re a step ahead with access to the code itself. But what about organizations that use third-party code or open source code?
In today’s world, this example represents most organizations. Myriad tools exist to help identify and remediate vulnerabilities, especially for open source code, but is that enough? While these tools are excellent, they still rely on the original developers and maintainers to “fix the bug,” and security bugs are as prevalent as ever.
According to recent research, open source vulnerabilities rose by almost 50% in 2019 over the previous year. Also, even though 85% of open source security vulnerabilities have a patch available, more than 50% of systems running that code don’t get updated, ultimately leaving them open to attack.
If we break down the vulnerabilities and look at the types that are the most prevalent and the most dangerous, memory corruption emerges as a significant threat. RunSafe research found that common code scanning tools uncovered memory corruption about a third (34%) of the time. However, our research also indicated that only 12% of the memory bugs were acted upon by developers. When acted upon, the mean time to resolution was 98 days. Some went several years. Moreover, of all these bugs, 59% of the vulnerabilities had known exploit scripts available. In short, memory bugs get missed, they don’t get fixed quickly, and they’re often easily exploitable.
Implications for a World Migrating to the Cloud
As the move to the cloud continues, open source infrastructure moves along with it. With that move comes a shift to a shared security model, where both the cloud provider and the customer share in ensuring a secure system. Cloud providers have some of the best security professionals in the world protecting their infrastructure, but the burden falls on their customers to ensure that the code they migrate is equally secure. With open source code, there’s historically been limited options beyond scanning and patching. Luckily that’s changing, and modern code hardening techniques are proving to be both an extra option and an enhancement to open source security overall.
RunSafe Security has developed Alkemist, a novel solution that introduces protections against memory corruption directly in the software itself. Instead of scanning and patching, Alkemist immunizes software from attack altogether. Attack surfaces physically reduce by a third without slowing down deployment or operations.
Alkemist introduces randomization in how programs are loaded into memory. When an Alkemist hardened image launches, every time a process kicks off, its functions load into random memory locations, depriving the attacker of the consistency they need to launch a successful memory-based attack. No need for any configuration or monitoring; the code proactively and intrinsically protects itself.
Alkemist Protected Images Expand on Oracle Cloud Marketplace
RunSafe has built Alkemist protections into common open source IT infrastructure solutions, such Apache, Nginx, Redis and Memcached among others, and published Oracle Cloud Infrastructure (OCI) optimized images on Oracle Cloud Marketplace. OCI customers can now take advantage of these turnkey options to harden the IT Infrastructure that they run in the cloud.
Scanning and patching is with us for a long time to come and it always has its rightful place in security operations best practices. But, this practice is inherently reactive. With adversaries growing increasingly sophisticated and quicker to act on weaponizing vulnerabilities, businesses need proactive solutions that they can deploy simply and easily. By swapping out your current instance of Apache, for example, to an Alkemist hardened version in OCI, you’ve instantly shrunk your attack surface by a third. Not only does this change provide better cybersecurity and resiliency, it allows scarce security resources to focus on a narrower set of vulnerabilities. In turn, resources can reallocate to more meaningful and business impacting projects. It’s a true win for all parties involved.
Want to Know More?
RunSafe and Oracle are hosting a Webinar on October 6, along with Open Source Security Experts from SANS Research Institute. During this session, the team unpacks the realities behind Open Source Security and how RunSafe is providing a newer effective way to protect your cloud-based IT infrastructure.
Secure your Open Source IT Infrastructure with RunSafe Hardened Images on Oracle Cloud Infrastructure by registering for this event.