IT has always been at the forefront of innovation and disruption. But just a few years ago, not many would have predicted that Open Source software would have the tectonic and omnipresent impact that it does today. Pervasive use of open source within organizations has created new challenges for the teams chartered with ensuring enterprises are both secure and compliant.
Back in the day InfoSec (Information Security), the umbrella organization that develops and enforces the rules and guidelines related to IT security, controlled everything from determining what software users interacted with to where data centers were established and what hardware/software supported the enterprise. Now with applications from open source and SaaS taking center stage, InfoSec has spawned AppSec (Application Security) teams that focus on software design and programming.
Managing and enforcing application security policy in a closed environment was tough enough, but now it’s a whole new world. Today, users control more of their IT destiny – from deciding which apps to use (including SaaS), to bypassing IT altogether and standing up their own application and computing environments via public cloud providers. Hence, as IT environments have evolved to being more open (and arguably better and more productive for users and organizations), the InfoSec and AppSec jobs have become very complex.
Open Source Software
Open source is source code that is freely available to its users. Users have the ability to take this source code, modify it, and distribute their own versions of the code. An entire industry has grown up around providing support, maintenance, training, applications, middleware, etc. for supporting open source. Forecasters predict the services portion of the open source market will reach $32.5 billion by 2025. In a big nod to the importance and influence of open source, IBM recently acquired open source leader Red Hat in a deal valued at $34 billion.
Who is using all that open source code? Likely, you are. Plus, everyone else in your organization. According to the latest Black Duck report, open source components are now present in 96 percent of commercial applications. The average application had 147 different open source components — and 67 percent of the applications used components with known vulnerabilities.
Is Open Source Safe, Secure and Legal?
Given how prevalent open source is today, AppSec must be vigilant in monitoring and maintaining the application and source code landscape of their enterprises. There is a certain school of thought that believes open source code is self-policing because so many developers review, use and distribute open source code. The argument is that open source is more defect (bug) free and that its licenses are vetted by many different organizations to ensure that everything is ‘legal’. While there may be some element of truth to this, the aforementioned number of vulnerabilities discovered by Black Duck undermines this argument. To monitor and secure open source, AppSec has to rely on both free and commercial automated tools.
Any open source code considered for use by an enterprise should be thoroughly evaluated for vulnerabilities. A good place to start is the Common Vulnerability Enumeration list and the National Vulnerability Database, both sponsored by the US Government. In 2017, more than 8,000 new vulnerabilities were added to the CVE list. Beyond that, there are a number of commercial tools available. Vendors like Snyk, Black Duck (now part of Synopsys), and Veracode all specialize in a portfolio of products for automated vulnerability and compliance checking. These tools are not always 100 percent correct, but the fact that you can automate the process saves literally hundreds of person-hours.
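The core of what these automated tools do is match an application's component inventory against an advisory feed, deciding for each component whether its version falls in an affected range. The following is an added example (not code from the original post or from any of the vendors named above); every component name, version and advisory record in it is constructed sample data, and the CVE identifiers are placeholders rather than real CVE numbers.

```python
"""Match open source components against vulnerability advisories (added example).
All names, versions and advisory records here are constructed sample data."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Advisory:
    cve_id: str      # placeholder id such as "CVE-0000-0001", not a real CVE
    package: str     # component name the advisory applies to
    introduced: str  # first affected version (inclusive)
    fixed: str       # first patched version (exclusive); "" = no fix published

def parse_version(v: str) -> tuple:
    """Turn '1.10.2' into (1, 10, 2) so versions compare numerically:
    as plain strings '1.10.0' would wrongly sort before '1.9.0'."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

def is_affected(version: str, adv: Advisory) -> bool:
    """True when introduced <= version < fixed, or when no fix exists yet."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    return adv.fixed == "" or v < parse_version(adv.fixed)

def find_vulnerable(components: dict, advisories: list) -> dict:
    """Map each affected component to the advisory ids that apply to it.
    Matching is by exact package name, so a renamed fork or a vendored copy
    under another name is missed: one reason such tools are never 100% correct."""
    hits = {}
    for name, version in components.items():
        ids = [a.cve_id for a in advisories
               if a.package == name and is_affected(version, a)]
        if ids:
            hits[name] = ids
    return hits

# Constructed sample data: an application's component manifest and an advisory feed.
SAMPLE_COMPONENTS = {"libparse": "1.10.2", "webfw": "2.3.0", "jsonlite": "0.9.4"}
SAMPLE_ADVISORIES = [
    Advisory("CVE-0000-0001", "libparse", "1.0.0", "1.10.3"),  # 1.10.2 is affected
    Advisory("CVE-0000-0002", "webfw", "2.4.0", "2.4.1"),      # 2.3.0 predates the bug
    Advisory("CVE-0000-0003", "jsonlite", "0.9.0", ""),        # affected, no fix yet
]

if __name__ == "__main__":
    for pkg, ids in find_vulnerable(SAMPLE_COMPONENTS, SAMPLE_ADVISORIES).items():
        print(f"{pkg}: {', '.join(ids)}")
```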
As to the question of whether your open source is legal to use, well, that is a topic that requires extensive discussion and is well beyond the scope of this blog. Questions abound that need to be answered, including: how is your open source code licensed? Is there a permissive license in place that guarantees the freedoms to use, modify, and redistribute the code and permits proprietary derivative works? Is there a copyleft license in place so you can distribute or use modified versions of the code? Your organization’s legal team should be a great resource and partner in this area, and there are also many excellent resources on the web including opensource.org and opensourcecms.
Open source promises to be present in every internally developed and externally acquired software application. Through vigilant policy development and enforcement, along with automated vulnerability tools and proper licensing, AppSec teams can ensure their organizations are benefiting from open source software without exposing their organization to undue risks. Understanding, evaluating and using the vast array of commercial tools for vulnerability and compliance checking, along with a clear understanding of licensing and distribution options, will help keep organizations productive and safe.