Open Source Software Security Risks: 3 Open Source Security Risks and How to Address Them

This article looks at three major security risks of open source software, namely outdated components, license compliance problems and hidden vulnerabilities, and proposes ways to address them, so that developers can better manage and protect their projects. (Summary generated automatically by CSDN.)

Open Source Software Security Risks

Open source software is very popular and makes up a significant portion of business applications. According to Synopsys, 99% of the commercial codebases it audited contain at least one open source component, and nearly 75% of those codebases contain at least one known vulnerability in an open source component.

One of the main reasons companies and developers choose open source software is that it saves them from having to build these base capabilities themselves.

Oh, and open source software is free (of license fees, at least)!

Despite its advantages, open source software can carry vulnerabilities that put your data and your organization at risk. To give you an overview of how open source security risks can affect your business, we have listed the top three open source security risks and ways to address them.

Before we dive into the article, let's look at what exactly open source vulnerabilities are.

What Are Open Source Vulnerabilities?

Open source vulnerabilities are, put simply, security weaknesses in open source software: flawed code that lets an attacker carry out malicious actions or trigger behaviour the software was never meant to allow.

In some cases an open source vulnerability leads to an attack such as denial of service (DoS). In others it enables a major breach in which the attacker gains unauthorized access to an organization's sensitive information.

There are plenty of security concerns around open source software. Take OpenSSL, a cryptographic library that implements TLS and protects data in transit for a huge range of internet-connected software, including the software behind some of the most popular email, messaging and web services.

Remember "Heartbleed"? Yes, that caused quite a stir! It was a critical open source vulnerability in OpenSSL itself (CVE-2014-0160), not in an SSH library: the handler for the TLS heartbeat extension trusted the payload length claimed by the peer and never checked it against the size of the record actually received, so a client could pull up to 64 KB of the server's process memory per request, which could contain private keys, session cookies and passwords.

Similarly, another widely publicized open source vulnerability was found in 2014 in Bash, the default command processor on many Linux distributions. Bash imported shell functions from environment variables and kept parsing past the end of the function body, so anyone who could set the contents of an environment variable could get arbitrary commands executed. That was exploitable remotely through web servers running CGI scripts, which export request headers as environment variables, and through other mechanisms that put attacker-controlled input into the environment. This open source vulnerability is popularly known as "Shellshock" (CVE-2014-6271).
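
The following is an added example, not code from the article or from bash: a small C model of the environment-variable import at the heart of Shellshock, plus the CGI header-to-variable mapping that makes the remote vector visible. The function names, the `patched` flag and the sample User-Agent value are assumptions made for the example; the depth-counting brace matcher is a simplification of bash's parser and does not model quoting inside the function body.

```c
/* Added example (not from the article or from bash): a model of the
 * environment import that made Shellshock (CVE-2014-6271) exploitable via
 * CGI. A web server exports the request's User-Agent header to a CGI script
 * as HTTP_USER_AGENT; an unpatched bash started by that script treated any
 * value beginning with "() {" as an exported function and parsed the whole
 * string, so commands after the closing brace ran at startup. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define SHELLSHOCK_NONE     0   /* value is not a function definition */
#define SHELLSHOCK_CLEAN    1   /* function definition, nothing after it */
#define SHELLSHOCK_PAYLOAD  2   /* commands follow the body: exploit attempt */

/* Map an HTTP header name to its CGI environment variable (RFC 3875:
 * prefix HTTP_, upper-case, '-' becomes '_'). Returns 0 if it does not fit. */
int cgi_env_name(const char *header, char *out, size_t out_sz) {
    if (strlen(header) + 6 > out_sz) return 0;
    strcpy(out, "HTTP_");
    size_t j = 5;
    for (const char *p = header; *p; ++p, ++j)
        out[j] = (*p == '-') ? '_' : (char)toupper((unsigned char)*p);
    out[j] = '\0';
    return 1;
}

/* Classify an environment value the way pre-patch bash saw it. If it starts
 * with "() {", find the brace that closes the function body (plain depth
 * count; quoting is not modelled) and copy what follows, minus leading
 * whitespace and ';', into `tail`. Pre-patch bash executed all of it. */
int shellshock_classify(const char *value, char *tail, size_t tail_sz) {
    tail[0] = '\0';
    if (strncmp(value, "() {", 4) != 0) return SHELLSHOCK_NONE;
    int depth = 0;
    const char *p = value + 3;                   /* the opening '{' */
    for (; *p; ++p) {
        if (*p == '{') depth++;
        else if (*p == '}' && --depth == 0) { ++p; break; }
    }
    if (depth != 0) return SHELLSHOCK_CLEAN;     /* unterminated body: parse error, nothing runs */
    while (*p && (isspace((unsigned char)*p) || *p == ';')) ++p;
    if (*p == '\0') return SHELLSHOCK_CLEAN;
    strncpy(tail, p, tail_sz - 1);
    tail[tail_sz - 1] = '\0';
    return SHELLSHOCK_PAYLOAD;
}

/* What bash does with one environment variable at startup.
 * Pre-patch: any variable whose value starts with "() {" is parsed in full.
 * Patched (the later fix that renamed exported functions): only variables
 * named BASH_FUNC_<name>%% are candidates, and the parser accepts exactly
 * one function definition and ignores anything after its body.
 * `cmd` receives the trailing commands that would execute, if any. */
int bash_import_effect(const char *name, const char *value, int patched,
                       char *cmd, size_t cmd_sz) {
    cmd[0] = '\0';
    if (!patched)
        return shellshock_classify(value, cmd, cmd_sz);
    size_t n = strlen(name);
    if (strncmp(name, "BASH_FUNC_", 10) != 0 || n < 13 ||
        strcmp(name + n - 2, "%%") != 0)
        return SHELLSHOCK_NONE;                  /* HTTP_USER_AGENT is never a function */
    int kind = shellshock_classify(value, cmd, cmd_sz);
    cmd[0] = '\0';                               /* patched parser stops after the body */
    return kind == SHELLSHOCK_NONE ? SHELLSHOCK_NONE : SHELLSHOCK_CLEAN;
}

int main(void) {
    const char *ua = "() { :;}; echo vulnerable";   /* classic test payload (constructed) */
    char name[64], cmd[128];
    cgi_env_name("User-Agent", name, sizeof name);
    printf("%s=%s\n", name, ua);
    int k = bash_import_effect(name, ua, 0, cmd, sizeof cmd);
    printf("pre-patch bash: %s%s\n", k == SHELLSHOCK_PAYLOAD ? "executes: " : "no command ", cmd);
    k = bash_import_effect(name, ua, 1, cmd, sizeof cmd);
    printf("patched bash  : %s\n", k == SHELLSHOCK_NONE ? "ignored (not a BASH_FUNC_ variable)" : "function only");
    return 0;
}
```

The same `() { :;}; echo vulnerable` value that an unpatched bash would execute as `echo vulnerable` is simply an ordinary string to a patched one, both because the variable name does not match the function-export encoding and because the parser no longer runs past the function body. `shellshock_classify` is also usable as a crude request filter: any header value that classifies as `SHELLSHOCK_PAYLOAD` has no legitimate reason to exist.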
