May 2023 | Resource

How Private Equity Firms Can Address Hidden Security Flaws in Open-Source Software (OSS)

Don’t let vulnerabilities in open-source software lead to larger, more costly cybersecurity issues

How Private Equity Firms Can Address Hidden Security Flaws in Open-Source Software (OSS)

Cyberattacks have the power to take down entire systems and bring businesses to a screeching halt—but companies entering the sell-side process aren’t doing enough to patch key software vulnerabilities. 

It's not that businesses are ignoring cybersecurity. For years, companies have been beefing up their IT defenses, expanding disaster recovery teams and shoring up their networks and programs against unauthorized access or attack. In fact, employment for information security analysts is projected to grow 35% between 2021 and 2031 as cyberattacks mount—much faster than the average for all occupations. 

But while companies have focused on a perimeter-based approach that includes firewalls, browser isolation, and a zero-trust architecture, many have failed to prioritize identification and remediation of critical security vulnerabilities within source code of their proprietary software systems—especially those contained in open-source software (OSS). Here’s why that matters and what they can do to address them. 

Aging and abandoned open-source components are to blame 

Open-source software (OSS)—publicly accessible code developed in a decentralized and collaborative fashion—is everywhere. Found in 96% of codebases, traces of OSS code exist in virtually all applications—even proprietary ones such as Zoom. 

This isn’t an issue in and of itself. OSS is typically cheaper and more flexible than proprietary software. But it often lacks extensive vendor support and scrutiny that comes with custom-developed software, and developers are not legally responsible to maintain their codebases. That means that projects are often abandoned by developers who have little incentive to support them—especially since they often receive little to no pay.  

In fact, nearly 80% of the time, open-source libraries (collections of prewritten code) are never updated after their initial inclusion in a codebase. That can create cyber-related liabilities for private equity firms eying target companies whose software hasn’t been vetted for OSS-related issues. 

What’s worse, firms often don’t learn about these vulnerabilities until the due diligence process is well underway. 

The problem has become so pervasive that almost every diligence West Monroe has advised on has uncovered either critical or high-severity OSS security issues.  

To prepare for such eventualities, private equity firms must understand the major risks tied to outdated OSS code languishing in a target company’s architecture—and what steps they can take to address those risks. 

The paths of an OSS-based cyberattack 

It’s no secret that cyberattacks are on the rise. But what’s different about this recent wave is the target of those attacks. Last year, researchers discovered a 633% increase in cyberattacks aimed at open-source software repositories—and these have the potential to disrupt development cycles and freeze service offerings in place. 

Scripting tools have helped facilitate this new groundswell of OSS cyberattacks. By devising scripts that hammer away at countless IP addresses simultaneously, hackers can identify potential application security (AppSec) vulnerabilities with speed and precision. They can bypass user interfaces and execute specific commands, exploiting vulnerabilities within open-source projects to access and take over underlying systems, exfiltrate or encrypt sensitive data, and expand their attack horizontally to other components of a company’s IT environment. 

Once in, hackers can essentially turn a computer into a bot using remote code execution. This is useful for a multitude of illegal undertakings: stealing passwords and data, orchestrating DDoS attacks, staking cryptocurrency, and mining Bitcoin in tandem with other hacked computers. 

Just last year, a critical remote execution vulnerability in the Log4J logging framework, Log4Shell—which is used in hundreds of millions of devices around the world—allowed state-backed Iranian threat actors to install XMR crypto mining software via unpatched VMWare. Log4J is still considered one of the most severe and high-profile AppSec vulnerabilities in the last decade, and it is estimated that 4 in 10 Log4J downloads are still vulnerable to attack. 

Ultimately, private equity firms need to consider the consequences of an OSS breach based on their target company’s industry. An e-commerce enterprise system, for example, may hold credit card data and other personally identifiable information (PII) that hackers can sell on the dark web or use to make illegal purchases. Stolen medical data from a health platform can often be used in identity theft or to obtain fraudulent prescriptions.  

Private equity management teams need to consider if the risk of leaving open-source software vulnerable is worth it. Impacts of a cyberattack could cost a company to crumble under the financial weight of extortion and lawsuits and lose its reputation as a trusted service provider. 

How to minimize the risk of OSS cyberattacks—and plan for the inevitable

To start addressing outdated and vulnerable OSS software, private equity firms need to develop a 100-day plan to patch critical and high severity security vulnerabilities for newly acquired portfolio companies. Here are five measures they should take to safeguard those assets. 

1. Detect OSS security vulnerabilities 

Leadership teams should begin with the low-hanging fruit: Getting a bigger picture of how much outdated OSS their architecture relies on. To do that, they should run a software composition analysis—an automated process that identifies security, license compliance, and code quality of OSS in a codebase. From there, they can pivot to vulnerability remediation (i.e. identifying software security flaws) and rolling out upgrades or patches recommended by OSS development teams. 

2. Actively monitor environment and vulnerability exploits 

Once they’ve identified the scope of the problem, leadership teams should introduce static code analysis—an assessment that determines the quality of their code without running the software application in question—as part of their development pipeline. This safeguard will help employees flag potential exploits before new applications or updated builds are released into the production environment. 

3. Provide security development training  

Employees must be trained on—and adhere to—the Open Web Application Security Project Top Ten, an industry list of the most critical security risks to web applications that also addresses vulnerable and outdated software components. Educating software developers on these exploits—whether it be through videos, bootcamps or seminars—will go a long way toward ensuring application development prioritizes cybersecurity.   

4. Get a holistic picture of application security 

Private equity management teams should have a broad understanding of where an exploit might occur across all software applications. To map out these cyberattack vectors, they should craft a threat model—a structured representation of all the information that affects the security of an application.  
 
If the acquisition target is a smaller organization, development teams can take the lead on threat modeling; however, larger organizations may want to assign dedicated security architects to oversee the development process and monitor code reviews related to sensitive data. 

5. Be both proactive and reactive 

If your company detects a brute-force login attack—someone who's trying to hack into its environment by rolling through hundreds of passwords—what’s your organization’s playbook? 

The most secure companies have suites of tools and practices to prevent OSS breaches from happening in the first place. Leadership teams should adopt security information and event management (SIEM) technology, which can uncover suspicious activity by monitoring the company’s software environment, aggregating, and analyzing logs while also identifying intricate data patterns. Event log management tools can also supplement these security efforts by sending real-time notifications about cyberattacks to key employees. 

But should a breach occur, leadership teams must be able to detect it immediately, swiftly respond and lock down the environment. That means putting security controls in place that can serve as a roadmap in the event of an application security attack. 

AI and its implications to application security

While AI (Artificial Intelligence) can be used to automate detection and response to active cyber threats, it is also being leveraged by bad actors to identify security gaps, quickly generate code to exploit these vulnerabilities, and automate attacks. As this AI arms race expands, a simpler and more effective security strategy should prioritize mitigating OSS vulnerabilities before they can be exploited in the first place. 

Don’t downplay the importance of a proactive approach 

Managing and maintaining open-source software within any company’s systems, software, and IT environment is not only good hygiene but can also help ensure that the most valuable resources (i.e., time, money, and people) can focus on providing value to customers and ultimately to business owners and investors. 

Reacting and responding to a breach is difficult and often leads to downtime, data loss, and a damaged reputation in the market. But taking a proactive approach that catalogs the use of open-source software, identifies security vulnerabilities within those components, and prioritizes remediation of any security gaps will allow a private equity-backed company to best position itself to prevent these types of breaches and impacts from occurring in the first place. 

Explore our latest perspectives