Security risks in open source software: Insights from the CAOS project for the BSI

February 28, 2025 |
Tags: Atlas SCA
Category: News Publication

The digital world is heavily dependent on software, from open source solutions to customized enterprise software. But how secure are these applications really? As part of the CAOS project (Code Analysis of Open Source Software), we have, on behalf of the BSI, performed six comprehensive security analyses of various open source applications over the last three years. Numerous vulnerabilities were discovered, highlighting that software security is a continuous challenge.

Results from the CAOS project: Security gaps almost everywhere

Vulnerabilities were identified in almost every application tested. The spectrum of problems discovered ranged from minor security gaps to critical risks that could compromise user accounts and systems. Here are a few examples:

Nextcloud

  • An attacker could bypass the two-factor authentication (2FA) by manipulating verification requests. This makes it possible to compromise an account with stolen credentials even when 2FA is enabled.
  • An authentication mechanism was missing for file exchange between Nextcloud instances, allowing an attacker to impersonate another person and potentially distribute malicious files.
  • Integrated external storage could be used without renewed authentication, allowing attackers to intercept and misuse the stored credentials.

Vaultwarden

  • A missing offboarding process meant that outgoing members of an organization continued to have access to encrypted data.
  • The security review for emergency access was insufficient, allowing an attacker to escalate administrative privileges.

Mastodon

  • Multiple Cross-Site Scripting (XSS) vulnerabilities in the Sidekiq dependency allowed attackers to inject and execute malicious code.
  • Missing password policies allowed users to employ trivial or easily guessable passwords, facilitating brute-force attacks.
  • Rate limiting could be bypassed, allowing attackers to perform a large number of login attempts.

BigBlueButton

  • Two registered CVEs for Stored Cross-Site Scripting vulnerabilities allowed attackers to permanently inject malicious scripts into the platform.
  • Valid room names of an instance could be enumerated by brute force, providing a starting point for further attacks.

Jitsi

  • Although no critical security vulnerabilities were identified, there were numerous known vulnerabilities in the dependencies used, which could serve as attack vectors for future exploits.

eID-Plugins (WordPress, Nextcloud)

  • One Cross-Site Scripting vulnerability, exploitable only in very limited circumstances, which made it possible in certain situations to execute scripts in the context of the user session.

These findings highlight the need for continuous security reviews to identify and address risks early on.

Security vulnerabilities are not just an open-source problem

It is often assumed that open-source software is particularly susceptible to security vulnerabilities. However, the reality shows that self-developed, purchased, or hosted software is subject to the same risks. Reasons for this include:

  • Dynamic development processes: Constantly growing code bases and feature updates increase the complexity and risk of new vulnerabilities.
  • High time pressure: Developers are under pressure to deliver new features quickly, which often leads to security checks being neglected.
  • Complex dependencies: Modern software projects use numerous external libraries that may contain potential security vulnerabilities.

Since software is constantly evolving, security measures must also be dynamic and continuous.

Continuous monitoring vs. one-time review

A one-time penetration test is like a snapshot. However, the security situation of an application can change within a very short time. Companies should therefore adopt long-term, continuous security strategies rather than relying on occasional checks. Best practices for this are:

  • Shift-Left principle: Integrate security checks early into the development process to identify and fix vulnerabilities during the development phase.
  • Regular security analyses: Continuously perform static and dynamic analyses to identify security risks early on.
  • Automated security monitoring: Use tools such as SAST (Static Application Security Testing) and DAST (Dynamic Application Security Testing) to automatically identify vulnerabilities.

➔ Takeaways

  • Security is not a state but an ongoing process.
  • Even seemingly "small" vulnerabilities can have serious consequences if they are not closed in time.
  • Security reviews must be an integral part of the SDLC, similar to functionality or performance tests.

How to maintain control over your security posture

A strategic approach is crucial to effectively minimize security risks. Companies should proceed systematically and prioritize the following measures:

  • Security Posture Management: Monitor the overall security status and continuously adapt it.
  • Automated Security Review: Conduct regular analyses with specialized tools to identify vulnerabilities early on.
  • Software Supply Chain Security: Review the entire software supply chain to minimize vulnerabilities in external dependencies.
  • Security Awareness: Conduct regular training and targeted awareness measures for developers and employees.

➔ Takeaways

  • A structured approach and automated monitoring help to minimize risks early on.
  • Technical measures alone are not enough; organizational processes and training are essential.

Our solution: How we can support you

We offer companies tailored solutions to strengthen their software security:

  • mgm Atlas:
    • Holistic view of all identified security vulnerabilities
    • Continuous monitoring and regular review
    • Seamless integration into CI/CD processes
  • Our service portfolio:
    • Penetration tests to identify vulnerabilities
    • Continuous Application Security Testing for proactive security measures
    • Secure Code Reviews to improve code quality
    • Needs-based consulting and individual security strategies
    • Using LAS (Lean Application Security) to seamlessly integrate security into the development process.
  • Additional services:
    • Security awareness concepts for all employees in the company
    • Secure Coding Trainings to improve security practices
    • Individually adapted security concepts for companies of all sizes

Conclusion: Security reviews as a key factor for trustworthy software

Without continuous security reviews, it becomes increasingly difficult to keep software secure and trustworthy in the long term. Companies must firmly integrate security measures into their development and operational processes. Our expertise and tools will help you to successfully master these challenges.

The Author

Mirko Richter

Mirko Richter is a Software Security Consultant, Source Code Analysis Specialist and Training Manager for basic training courses up to advanced coding and Secure SDLC training. He has been involved in software development, architecture and security since the mid-90s. He is a speaker at conferences and author of several technical articles.