
The Source Code Detectives

15 August 2024

Whether in smartphones, healthcare, the energy sector or other critical infrastructures, open-source software is used everywhere. And it’s the job of the experts at TÜVIT to test such software for security gaps and vulnerabilities.


Shortly before Christmas 2021, the German Federal Office for Information Security (BSI) issued a red alert: A critical vulnerability had been discovered in the open-source application known as “Log4j”. This had been used for many years by large tech companies such as Apple, Amazon, Tesla and Google, but also by many German authorities. “Everyone was really nervous because no manufacturer, hospital or energy supplier knew whether their IT products contained a version with the Log4j vulnerability,” explains Dietmar Rosenthal, an expert in source code analysis at TÜVIT. This concern was not unjustified: Cybercriminals around the world were carrying out attacks and exploiting this vulnerability. Systems and servers around the globe were shut down to install security updates. The attacks rendered some digital services temporarily unavailable.


Open source is everywhere

The Log4j crisis sent shockwaves through the IT industry. Log4j is by no means the only open-source software (see box) that is found in programs or devices. “In fact, there’s not a single IT product in the world that doesn’t contain open-source software,” says Rosenthal. The programs that control our smartphones, TVs and Wi-Fi routers are often 90 percent made up of open-source software components. “Manufacturers always use them when they’re looking for standard solutions that many others have already used,” explains the expert. This saves time and personnel, which means that it saves money, because open-source software is not tied to one particular manufacturer: there is no need to buy it or pay royalties for its use. Instead, coders can use and reproduce it free of charge as long as they adhere to the terms of use, and they can adapt the software to their own needs.

The source code of open-source software is public and roughly equivalent to the blueprint used in software development. It contains all the details and instructions for a working program. With open-source software, anyone can check and modify the source code. In the best-case scenario, it will be continuously improved by a large developer community. But the downside is that vulnerabilities can arise as the software is developed. And if they are not found and eliminated quickly enough, these can, as in the case of Log4j, be exploited by cybercriminals. Source code analysts like Dietmar Rosenthal and his team at TÜVIT are responsible for detecting such vulnerabilities.


Tailor-made open source

The experts at TÜVIT test highly specialised software and hardware products in which the open-source components are not off-the-shelf, but tailor-made. “It’s often no longer possible to infer from the product which open-source components have been used in it. That’s why we analyse the source code,” Rosenthal says. The key questions concern the components used in the product and whether they are being used securely. “In the past, people used to trust a product because they trusted the manufacturer. This isn’t a viable option anymore. Today, people look to see if the product that’s been developed is secure,” explains Rosenthal. The principle is known as “Security by Design”.

Politicians have also recognised this and included the term in the Cyber Resilience Act (CRA). With the CRA, the European Commission is creating legal cybersecurity standards for connected devices and services in Europe. In Germany, the legislator has so far required evaluations of operators of critical infrastructures and of areas with a high interest in data protection, such as the health and energy sectors. Products such as electronic health cards or smart meter gateways may only be used with a certificate. Smart meter gateways shield the home networks of electricity customers, among other things. “Manufacturers should think about source code security right from the product development stage,” says Rosenthal.


International test criteria

TÜVIT has been recognised by the BSI as a testing body for security evaluations according to the international Common Criteria standard since 1991. The experts test, for example, the software and hardware of routers used in hospitals. These e-health connectors connect a patient’s electronic health card with the telematics infrastructure on which the sensitive patient data is stored. “These routers themselves must be so secure that no security gaps can arise during their use,” says Rosenthal. TÜVIT’s expertise is also in demand when it comes to digitalisation in the energy sector, where smart meter gateways are used to establish the connection between the electricity supplier’s grid and the end customers.


Big catalogue of vulnerabilities

When it comes to source code analysis, the TÜVIT examiners take two approaches: they either use tools or do the work manually. The tools analyse the code automatically and uncover possible vulnerabilities by comparing the software components found with the corresponding vulnerability databases. In the manual approach, evaluators test the security of the source code in painstaking detective work. Depending on the complexity, such an evaluation process may take anything from a few days to several months. The result is a catalogue of vulnerabilities that can get impressively thick: “In any given audit, we will find between 200 and 1,000 potential vulnerabilities,” says Rosenthal.
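The tool-based approach described above, comparing a product’s component inventory against a vulnerability database, boils down to version-range matching. The following is an added illustration written for this article, not TÜVIT’s tooling: the advisory database, the advisory identifiers and the version ranges are all constructed placeholders, and the component inventory is a made-up product build.

```python
"""Toy software-composition check: match a product's component inventory
against an advisory database. All data below is constructed for illustration;
advisory IDs are placeholders, not real CVE numbers, and the version ranges
are not taken from any real advisory."""
from __future__ import annotations
from dataclasses import dataclass


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically, not
    lexically ('2.9' must sort below '2.10'). A pre-release suffix such as
    '-beta9' is dropped, which is good enough for this toy."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("-")[0].split("."))


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # placeholder identifier
    component: str
    introduced: str    # first affected version (inclusive)
    fixed: str         # first version no longer affected (exclusive)


# Constructed advisory database (placeholder IDs, illustrative ranges)
ADVISORIES = [
    Advisory("ADV-PLACEHOLDER-1", "log4j-core", "2.0", "2.15.0"),
    Advisory("ADV-PLACEHOLDER-2", "log4j-core", "2.0", "2.17.0"),
    Advisory("ADV-PLACEHOLDER-3", "example-tls-lib", "1.1.0", "1.1.5"),
]


def is_affected(version: str, adv: Advisory) -> bool:
    """True when introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)


def find_vulnerable(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Return {'component@version': [advisory ids]} for every inventory entry
    whose version falls inside an advisory's affected range."""
    hits: dict[str, list[str]] = {}
    for component, version in inventory.items():
        ids = [a.advisory_id for a in ADVISORIES
               if a.component == component and is_affected(version, a)]
        if ids:
            hits[f"{component}@{version}"] = ids
    return hits


# Constructed component inventory of a fictional product build
SAMPLE_INVENTORY = {"log4j-core": "2.14.1", "example-tls-lib": "1.1.7", "some-json-lib": "3.0.2"}

if __name__ == "__main__":
    for entry, ids in find_vulnerable(SAMPLE_INVENTORY).items():
        print(entry, "->", ", ".join(ids))
```

A real SCA tool differs mainly in where the two inputs come from: the inventory is extracted from the build or binary, and the advisory data comes from public vulnerability databases.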

There then follows a kind of ping-pong between TÜVIT and the manufacturer, who must explain how it is going to make its product secure – and then actually do it. To round off the process, the security experts adopt the role of malicious hackers, carrying out penetration tests to check whether the system can withstand targeted attacks. Only when the evaluation process has been completed does the manufacturer receive a certificate from the BSI. “The evaluation by an independent third party like TÜVIT guarantees greater security and trust,” says Rosenthal. After all, once trust has been shaken, it is very difficult to rebuild.


What counts as open source?

Unlike commercial programs, the source code of open-source software is made public. It can therefore be used, changed and improved by anyone. The advantage of open source for companies and users is this: it is free of charge to use, and you benefit from the experience and capacity of a global developer community. This explains why the use of open-source software is also promoted by the EU, among other players. Open-source software comes in different orders of magnitude: open-source modules such as Log4j perform one specific task within, for example, the software that controls a web server. Log4j was developed for the open-source web server Apache, which runs on over half of all servers worldwide. OpenOffice or its successor LibreOffice offers an open-source alternative to Microsoft Office, and GIMP is an open-source variant of Photoshop and the like. The Firefox web browser and the Linux operating system, which runs on the vast majority of Wi-Fi routers, TVs and infotainment systems in cars, are likewise open source.

About Dietmar Rosenthal

Dietmar Rosenthal is an expert in source code analysis at TÜVIT. In this role, the mathematician and medical technician searches for security gaps and vulnerabilities in the source code of open-source software.