One of the best ways for organisations to innovate at a faster pace is to use open source inside their technology stack. By harnessing open source, developers don’t have to waste time coding from scratch, but instead can tap into knowledge and resources from the vast global communities.
These clear benefits have fuelled open source adoption by enterprises the world over; according to research from Synopsys, open source code is a part of roughly 99% of commercial codebases. But it is not without risks, and security is one of the chief concerns when it comes to open source technologies. That same study from Synopsys also tells us that 75% of audited codebases contain open source components with at least one known vulnerability. Most of the time this is down to the use of out-of-date software that’s no longer maintained by the open source community.
This issue cannot be ignored. According to RiskSense’s recent study vulnerabilities doubled in open source tools in 2019. But these issues should not outweigh the immense benefits in innovation that open source offers. Enabling teams to work safely with open source should be a priority for organisations.
So how do businesses address open source security issues and continue to innovate at the same time?
Create clear lines of ownership
Within many companies , security and engineering teams share responsibility for security. That can make the issue of who “owns” open source security muddy. Clear lines of ownership must be established with any software set in use within a business to ensure that nothing slips through the net and accountability is clear.
Regardless of who finds a vulnerability – whether it’s a software engineer, internal pentester, a white hat hacker, or otherwise – it’s a moral imperative to fix these bugs quickly and share fixes publicly with everyone in the open source community. The more eyes on open source software, the better everyone is protected against potential security threats.
Dedicate time to management
Most active open source communities update software and regularly issue patches for known vulnerabilities. When major open source projects or external code a project depends on become outdated, communities “sunset the software” or end-of-life it and offer a new version.
However, if no one internally updates the software, that’s where the issues arise. Ownership is not just for project creation but also ongoing management.
The Equifax breach is a prime example. In 2017, Equifax confirmed that hackers exploited a vulnerability in open-source Apache Struts. A patch for the vulnerability was issued in March, and hackers exploited the bug to break into Equifax servers two months later.
Despite it being a known vulnerability people still did not manage their open source environments and patch as needed. In fact, further research from Sonatype shows some Fortune 100 organisations are still using struts, long after the breach.
Ongoing management is absolutely imperative and should include patch and vulnerability management as well as keeping up with end of life deadlines.
Simplify with automation
Time is precious, however, and resources are often limited. So there is a role for managed open source which can help resource-constrained teams stay on top of open source security. Most commercial open source software vendors offer automation and/or services that can help customers maintain their open source components, alleviating the pressure on internal teams to manage everything themselves.
Additionally, many code repositories also offer ways to automate security checks for open source components. For example, GitHub’s dependencies graph lets developers see all of the packages their software depends on, as well as any vulnerabilities detected within these dependencies. As of recently, developers can automate these patches.
And some leading-edge open source communities are taking the responsibility of security into their own hands by offering automatic security updates. Auto updates, for instance, are a major initiative recently announced by the Drupal community.
Don’t wait for security to become an issue
In a challenging economy it is more important than ever for organisations to be able to innovate. But they must be able to do so securely. Security has to be instilled in open source projects from the outset, and integrated into the development and deployment process.
Ultimately, to maxmise on the benefits of using open source, you must dedicate resources to finding and fixing bugs and, critically, share back to the community. Open source security thrives in an environment of radical transparency. If companies are transparent about the bugs they find and fix them in the open, the entire community wins.
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.