Keeping track of open-source code

Libraries of open-source code, readily available online, are a gold mine for companies that develop software. However, their use may introduce vulnerabilities. Debricked, a company founded at Lund University, scans the internet and warns users of bugs, vulnerabilities and attacks.

The web-based services and apps that help us contact medical care services, banks and government agencies almost without exception contain computer code obtained from code libraries on the internet. Such code is known as “open-source code”. The code libraries contain huge amounts of code that has been tested and shown to be reliable in many different applications. It is most often maintained by groups of committed developers and users in various communities.

“The time needed for development is considerably shorter, and there’s no reason to reinvent the wheel”, says Martin Hell, senior lecturer in electrical and information technology at Lund University.

He believes that 90-99% of all software in systems, web-based services and apps contains at least some open-source code. A typical code base consists on average of 60% open-source code, i.e. code that is published online under a licence that allows anyone to use it.

“There are millions of libraries, and many are used by companies all over the world”, he says. But all software contains vulnerabilities and bugs, and these create opportunities for attackers. Attacks are often directed at where they can do the most damage: code that is used by many people and in many applications, so that a single vulnerability in a widely used library is inherited by every application that depends on it.

Attention was drawn to this risk, and to the dependencies it involves, some years ago in a Vinnova project led by Lund University, in which two departments, a research institute and several companies participated. The project resulted in a proof of concept showing that a functioning software solution was possible. During the project, software was developed that scans the internet looking for signs of vulnerability, so as to detect warnings and alarms as soon as they arise anywhere in the world. The concept was so well received that it was commercialised in 2018 in the company Debricked AB, with support from LU Innovation. The company continues to develop the software today with around 20 employees, several of them previously doctoral students in the project. The company is supported by venture capital.

“We can scan the internet and use machine learning to rapidly raise warnings, such that companies can immediately make decisions about action”, says Martin Hell.

Alarms about bugs and the discovery of malware are not the only information companies can receive. The service also evaluates the health of the software and of the community, that is, the group of developers that maintain the code.

“The inner core of a community often consists of committed developers who do this in their free time. If one or several of them change jobs, start a family or go on sick leave, it can quickly influence how the code is developed and maintained. It takes longer for vulnerabilities to be discovered and fixed, and for the community to add new functions and maintain compatibility with other software. The strength of the community and its general health are two of the parameters that we investigate”, says Martin Hell.


Another service that he and his colleagues focus on is helping companies to discover breaches of licensing agreements. This can be checked right down to the level of a single block of code. One application can contain thousands of code snippets under different licences, and it can be expensive if the code is used in a manner the licence prohibits. There are also large libraries published under so-called copyleft licences, where the community requires that all other code that is distributed together with code from the library is also published as open-source. Many companies are not prepared to meet such a requirement and must for this reason use another library.
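The three checks described above (matching dependencies against known vulnerabilities, evaluating the health of the maintaining community, and flagging licences a company cannot accept) are the core of what is usually called software composition analysis. The following is an added example written for this page, not Debricked's own code, and it makes several simplifying assumptions: the advisory identifiers `ADV-0001` to `ADV-0003`, the package names and the commit history are constructed sample data, not real CVEs or real projects; versions are assumed to be plain dotted numbers; licences are named with their SPDX identifiers; and the "bus factor" (the smallest number of contributors who together wrote a given share of the commits) is used as one simple proxy for the community strength the article mentions.

```python
"""Minimal software-composition-analysis checks: vulnerable version ranges,
copyleft licence policy, and a bus-factor estimate of community health.
All data below is constructed for illustration (no real CVEs or projects)."""
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Dependency:
    name: str
    version: str
    licence: str  # SPDX licence identifier, e.g. "MIT", "GPL-3.0-only"


@dataclass(frozen=True)
class Advisory:
    id: str            # hypothetical advisory id, not a real CVE
    package: str
    introduced: str    # first affected version (inclusive)
    fixed: Optional[str]  # first fixed version (exclusive); None = no fix yet
    severity: str


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn 'major.minor.patch' into a comparable tuple, padded to 3 parts so
    that '1.4' == '1.4.0'. Assumes plain numeric versions; real ecosystems
    (semver pre-releases, PEP 440, Debian revisions) need their own rules."""
    parts = [int(p) for p in version.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(dep: Dependency, adv: Advisory) -> bool:
    """True if dep falls inside the advisory's [introduced, fixed) range."""
    if dep.name != adv.package:
        return False
    v = parse_version(dep.version)
    if v < parse_version(adv.introduced):
        return False
    return adv.fixed is None or v < parse_version(adv.fixed)


def find_vulnerabilities(deps: List[Dependency], advisories: List[Advisory]):
    return [(d.name, d.version, a.id, a.severity)
            for d in deps for a in advisories if is_affected(d, a)]


# Strong copyleft licences: distributing code combined with them requires
# releasing that code as open source too (the case the article describes).
STRONG_COPYLEFT = {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only",
                   "GPL-3.0-or-later", "AGPL-3.0-only", "AGPL-3.0-or-later"}


def licence_violations(deps: List[Dependency], allow_copyleft: bool = False):
    """Flag dependencies whose licence the company policy does not accept."""
    if allow_copyleft:
        return []
    return [(d.name, d.licence) for d in deps if d.licence in STRONG_COPYLEFT]


def bus_factor(commit_authors: List[str], share: float = 0.5) -> int:
    """Smallest number of contributors who together account for `share` of
    all commits. A value of 1 means one person leaving stalls the project."""
    counts = Counter(commit_authors)
    total = sum(counts.values())
    covered = 0
    for rank, (_, n) in enumerate(counts.most_common(), start=1):
        covered += n
        if covered / total >= share:
            return rank
    return len(counts)


# Constructed sample input: a dependency manifest, an advisory feed and a
# commit log (author per commit) for one of the libraries.
DEPENDENCIES = [
    Dependency("libfoo", "1.3.0", "MIT"),
    Dependency("netlib", "4.2.0", "Apache-2.0"),
    Dependency("parsekit", "0.3.1", "BSD-3-Clause"),
    Dependency("cryptoutil", "2.1.0", "GPL-3.0-only"),
]
ADVISORIES = [
    Advisory("ADV-0001", "libfoo", "1.0.0", "1.4.2", "high"),
    Advisory("ADV-0002", "libfoo", "2.0.0", "2.0.5", "medium"),
    Advisory("ADV-0003", "parsekit", "0.1.0", None, "critical"),
]
COMMIT_AUTHORS = ["alice"] * 60 + ["bob"] * 25 + ["carol"] * 10 + ["dave"] * 5


def run_report(deps=DEPENDENCIES, advisories=ADVISORIES, authors=COMMIT_AUTHORS):
    return {
        "vulnerabilities": find_vulnerabilities(deps, advisories),
        "licence_violations": licence_violations(deps),
        "bus_factor": bus_factor(authors),
    }


if __name__ == "__main__":
    for key, value in run_report().items():
        print(f"{key}: {value}")
```

Two points the sample data is chosen to show: the range check is half-open, so `libfoo 1.4.2` (the fixed release itself) is not reported while `1.3.0` is, and an advisory with no fixed version (`parsekit`) stays open until a fix exists. The bus factor of 1 for the sample commit log is the situation the article warns about: a single developer wrote half of the commits.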

“Some companies have well established routines to manage open-source code and licences, but in many companies it is the developers themselves who choose which library they use”, says Martin Hell.

“We try to help companies to obtain an overall view with respect to vulnerabilities, health and licences. We are seeing a clear tendency that expertise is located further down in the organisation of companies instead of at management level, as it was before. We want to ensure that expertise and security awareness is passed to the individual developer, and that one member of every development group has principal responsibility for these issues”, he says.

Under the large ELLIIT umbrella, Martin Hell and his research colleagues provide the most recent results in this field. The software for communication in the 5G network, and eventually the 6G network, will contain considerable amounts of open-source code, as will most of the devices and services that use the 5G and 6G networks, now and in the future.


Martin Hell, senior lecturer in electrical and information technology at Lund University.