Don't Neglect Open Source Security
Written by Limor Leah Wainstein
Monday, 18 June 2018

In today's fast-paced and competitive development environment, we are increasingly making use of open source components to avoid constantly recoding standard features. This introduces security concerns, and here we look at some useful resources for understanding the potential problems in order to tackle them.



Modern enterprises that develop software are fast-paced environments in which development teams increasingly follow the principles of Agile development outlined in the Agile manifesto. The intention of the collaborative and iterative nature of Agile development is to release high-quality software quickly and frequently in what is a competitive landscape.

Instead of building applications from scratch every time, development teams are making more use of open source components, which can speed up development times and allow software developers to focus on proprietary features that give organizations a competitive edge. Many open source libraries and frameworks can prove useful when building apps, and it makes sense for developers to use these components rather than re-inventing the wheel for entire apps.

However, it is imperative not to neglect open source security when using these components. The importance of open source security is highlighted when you consider the statistic that 29.8 percent of open source web apps scanned in a recent study contained vulnerabilities. Getting on top of open source security requires a proactive approach on the part of organizations and development teams. With this in mind, take a look at these five important open source security resources to help expand your knowledge of open source security.




SANS Institute: Security Concerns in Using Open Source Software for Enterprise Requirements

This helpful white paper on open source security was written by the SANS Institute, a specialist information security and cybersecurity training company. The document begins with an introduction to security in open source software before outlining some guidelines for deploying open source software in an enterprise environment, such as drawing up a well-documented security policy and downloading open source components only from trusted sites. The paper concludes by answering the question of whether open source software and components are really enterprise-ready, reinforcing the importance of thoroughly evaluating any open source component before it is adopted into a development project for proprietary software.


WhiteSource: Open Source Security

WhiteSource is an open source security and license compliance management platform, and the company has a useful page dedicated to open source security on its website. This resource begins by highlighting the importance of open source security with a reminder of the 2017 Equifax breach wherein the personal details of over 145 million people were compromised. The Equifax incident occurred due to the company neglecting to update its version of Apache Struts, a popular web application framework which contained a vulnerability.

The WhiteSource page then briefly discusses the challenges of open source security before highlighting important steps to mitigate security problems, such as scanning open source components for known vulnerabilities and remediating those vulnerabilities. The resource concludes by driving home the importance of automation in any open source security solution: without automation, it is very difficult to manage open source security at scale.
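The kind of automated scan the WhiteSource page recommends can be illustrated with a small script: it reads a pinned dependency manifest, compares each pinned version against an advisory list of affected version ranges, and reports which components need to be updated. This is an added example written for this article, not code from WhiteSource or any of the tools discussed; the manifest, the package names (`webframework`, `jsonlib`, `imageutil`, `templating`) and the `EXAMPLE-2018-000x` advisory identifiers are all constructed sample data, not real packages or real vulnerability records.

```python
"""Minimal software-composition check: flag open source components whose
pinned versions fall inside a known-vulnerable range.

Added illustration for the article; not code from WhiteSource or any other
product. All package names, versions and advisory ids below are constructed.
"""
import sys
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample manifest in requirements.txt style (name==version).
SAMPLE_MANIFEST = """\
# web stack for a hypothetical billing service
webframework==2.3.1
templating==1.9.0
jsonlib==0.4.2   # pinned during the last release
imageutil==3.0.0
"""


@dataclass(frozen=True)
class Advisory:
    package: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first version containing the fix (exclusive bound)
    advisory_id: str  # placeholder id for the constructed record


# Constructed advisory feed (placeholder ids, not real CVE numbers).
SAMPLE_ADVISORIES = [
    Advisory("webframework", "2.0.0", "2.3.5", "EXAMPLE-2018-0001"),
    Advisory("jsonlib", "0.0.0", "0.5.0", "EXAMPLE-2018-0002"),
    Advisory("imageutil", "1.0.0", "2.8.0", "EXAMPLE-2018-0003"),
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.3.1' into (2, 3, 1) so versions compare numerically,
    not lexically ('2.10.0' must sort after '2.9.0')."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_manifest(text: str) -> Dict[str, str]:
    """Read name==version lines, ignoring blank lines and comments.
    An unpinned entry is an error: a floating version cannot be audited."""
    pins: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        name, _, version = line.partition("==")
        if not version:
            raise ValueError(f"unpinned dependency: {line!r}")
        pins[name.strip().lower()] = version.strip()
    return pins


def is_affected(version: str, adv: Advisory) -> bool:
    """True when introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)


def find_vulnerable(manifest: str, advisories: List[Advisory]) -> List[dict]:
    """Return one finding per (component, advisory) match, sorted by name."""
    pins = parse_manifest(manifest)
    findings = []
    for adv in advisories:
        pinned = pins.get(adv.package.lower())
        if pinned is not None and is_affected(pinned, adv):
            findings.append({
                "package": adv.package,
                "pinned": pinned,
                "advisory": adv.advisory_id,
                "upgrade_to": adv.fixed,
            })
    return sorted(findings, key=lambda f: (f["package"], f["advisory"]))


def main() -> int:
    """CI-style entry point: non-zero exit when anything is vulnerable,
    so the check can gate a build without a human reading the output."""
    findings = find_vulnerable(SAMPLE_MANIFEST, SAMPLE_ADVISORIES)
    for f in findings:
        print(f"{f['package']}=={f['pinned']} is affected by {f['advisory']}; "
              f"upgrade to {f['upgrade_to']} or later")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run against the sample data the script reports `webframework` and `jsonlib` and exits non-zero, while `imageutil` at 3.0.0 is already past its fix version and is left alone. A real pipeline would replace the constructed advisory list with a maintained vulnerability feed and the inline manifest with the project's actual lock file, but the gate (fail the build on any match) is the automation point the WhiteSource resource makes.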


CSO: Open Source Software Security Challenges Persist

This featured article by security news provider CSO is an excellent resource for IT decision makers. The article begins by recognizing why open source components are so helpful as enterprises move to agile methodologies. There's also a helpful section on the security advantages of open source components, including the ability to fix issues quickly and the fact that many open source projects have large groups of contributors maintaining them.

The section on why open source security poses a threat is particularly good because it highlights some striking statistics about open source software from several reports, such as the fact that open source components are now present in 96 percent of commercial applications and 67 percent of applications use components with known vulnerabilities. The article proposes increased due diligence and better vulnerability detection as key strategies for enterprises using open source software components.


ZDNet: Six Open Source Security Myths Debunked

An interesting article written by senior TechRepublic reporter Nick Heath discusses several myths that often pervade any discussion of open source software. Among the most pertinent points is that open source software is neither more nor less secure than proprietary software by virtue of being open source, despite the myths to the contrary. Heath also mentions some of the main challenges of open source security, such as applying patches on time and the importance of auditing the supply chain for code. Improved supply chain management is vital in any development environment that sources open source projects for integration with proprietary apps.


Hong Kong Special Administrative Region: Open Source Security

The government of the Hong Kong Special Administrative Region has released a 12-page document on open source security. In this resource you'll find an authoritative discussion of open source security and some best practices for effectively managing open source software usage. The paper concludes with an eight-step guide to using open source products safely in the organization.



Open source projects are extremely beneficial to development teams in helping them keep up with the fast pace of modern software development. Organizations have a duty to ensure that their software development teams use open source components responsibly and to minimize the risk of serious vulnerabilities appearing in commercial apps as a result of using open source software.

These five resources give developers and decision-makers enough information to start improving open source security.



More Information

Statistics About the Security State of 104 Open Source Web Applications




Last Updated ( Tuesday, 19 June 2018 )