Blockchain open source code is failing on security, says CAST

As blockchain and cryptocurrencies help drive cloud and data centre capacity growth, a leading software testing vendor says more should be done to improve code security.

Blockchain open source software projects could do more to secure their code, according to research from CAST, the software intelligence vendor whose customers include Fannie Mae, Sony, ING and the airline technology body SITA.

CAST analysed 61 open source projects and nearly nine million lines of code. Popular open source projects reviewed included MongoDB, Ethereum, BitcoinJ, Apache Struts, Kubernetes Helm and Microsoft Orleans.

CAST said: “The prevalence of open source software in enterprise applications signals the need for greater software intelligence to prevent exploitation by hackers.”

Overall, said CAST, open source is 9% more secure, 10% more robust, but 7% less efficient than closed source apps. “This means there is likely a performance lag in open source software,” said CAST, and it found some particular issues with open source blockchain code.

Blockchain and cryptocurrencies of course are key driving forces for the cloud and data centre industries, as major cloud providers focus on supporting the technology and data centre hosting firms rapidly build out new capacity to support crypto mining.

While open source blockchain apps scored high on “robustness”, they are “not secure” and not “efficient enough”, says the report, which looked at BitcoinJ, Ethereum and Solidity code.

The report said blockchain projects tend to violate critical changeability rules, which might become a concern in the long term as the technology spreads and needs to evolve at a faster pace.

But when it comes to transferability rules, both cloud/DevOps code and blockchain code are top of the heap, reaching nearly 100% compliance, said CAST.

On system-level compliance, the analytics software code examined was the best with 100% compliance, with blockchain code coming in at 98.5%, meaning that the code had 15 system-level violations out of 1,000 opportunities. Web and framework software code had the lowest system-level compliance scores, at 93.7% and 93.6% respectively.

However, blockchain was failing on key security demands. CAST analysed the BitcoinJ, Ethereum and Solidity code on GitHub (BitcoinJ being the library that manages wallets and lets users send and receive transactions). CAST found the software “seems to have some common weaknesses with security rules” that could leave it exploitable.

“It’s incredibly important for organisations to have visibility into the quality of open source software that supports business applications,” said Lev Lesokhin, EVP of strategy and analytics at CAST. “Software quality issues that prevail in open source components are more easily exploitable by hackers. This report looks to identify many of these software risks that may put organisations on the defensive.”