Date: 2020-05-27

The rapid pace of modern software development has allowed businesses to transform the way they run – yielding superior customer experiences, greater efficiencies, faster time to market and better cost optimisation. Software has enabled companies to disrupt their business environments by leveraging the agility and speed of change that only software can deliver. The companies that thrive today are those that realise that software innovation can drive agility, create differentiation and provide competitive advantages.

With software so predominant, the use of Open Source Software (OSS) has grown in popularity over the last few years. The enticement of OSS is undeniable, and the vibrant open source community has rallied, resulting in significant contributions to the open source movement. As a result, developers are increasingly turning to OSS to aid their organisation’s transformation.

By embracing OSS, companies realise major economic and productivity benefits, in addition to a positive impact on their bottom line. OSS enables organisations to move even faster by harnessing prefabricated building blocks to bootstrap the software development process and drive forward innovation.

OSS is easy to modify, enhance and integrate, and its development is collaborative across open source communities. Organisations are using OSS as the architectural foundation for applications, operating systems, databases, development tools, cloud computing and big data. Some of the most popular OSS and associated platforms include Linux, Docker, .NET, Java, Eclipse, Apache, Maven, NodeJS, Drupal, GitHub and Chef.

The amount of open source code from external sources is steadily rising and developers have become heavily reliant on its use. Open source is an integral technology and business tool, requiring that security be woven into the very fabric of the code. However, there are many application security challenges that need to be understood and addressed accordingly when using open source code. Breaches through OSS may be rare, but when an OSS component is compromised it can create havoc. There is a real need to identify, manage and mitigate vulnerabilities quickly and effectively. As companies continually adopt more and more OSS assets, there is a greater emphasis on how OSS needs to be incorporated and managed to make code more secure.

Open source plays a pivotal role in the success and/or failure of software development teams. However, whilst the benefits of OSS are generally understood by the software developer community, the risks may not be. Developers should fully understand that OSS is not immune to security risks. The core security risks in using OSS are the same as those of other types of software assets. All code comes with security risks and developers mustn’t put undue trust in OSS code. As companies use a greater amount of open source code, it introduces vulnerabilities that expose a company to risks and possible breaches.

The simple truth is that organisations are not effectively dealing with OSS security threats. Since OSS source code is publicly available, attackers with malicious intentions have easy access to it. They can identify and exploit potential failings or loopholes within the software code more easily than in in-house proprietary software. Furthermore, developers may inadvertently use defective components which may go undetected and get into production environments.

Applications using OSS are a primary target for cybercriminals because once exploits are developed for OSS vulnerabilities, they can be used to attack a large number of companies. New vulnerabilities are constantly being identified in OSS, and many open source projects have no clear processes or mechanisms in place for finding and fixing them. One main issue with the use of OSS – perhaps due to its inherently global nature – is the lack of standardised “security” documentation. Other issues include the use of legacy code due to compatibility, compliance and resource constraints.

Traditionally, development and security teams have worked in silos, disconnected from each other. Companies today need to ensure that they develop stronger protection initiatives that integrate security into their existing release methodologies. Weaving and integrating security into the development process for both the developer community (who design, write, test and release code) and security practitioners (who deploy, monitor and identify vulnerabilities and threats in production) is paramount to successful OSS implementation and management.

Security needs to be a key component of OSS use and integrated into fast-paced Agile / DevOps workflow environments. Security teams need to be able to respond quickly and effectively to application security breaches and to prioritise and remediate in real time. New innovative and automated approaches to implementing and managing OSS are required – automated solutions that quickly and effectively identify, mitigate and remediate open source vulnerabilities.

The value of OSS is undeniable. OSS offers organisations greater flexibility and cost savings. However, it needs to be understood that no software is completely bulletproof and OSS shares the same inherent risks as traditional software. As the pace of open source adoption continues to increase, it is critical to actively pursue, manage and remediate vulnerabilities within the entire codebase quickly and effectively. Proper management and inventory control need to be encouraged and outlined clearly to developers and security personnel alike. This way, organisations can get ahead of the curve and secure their prized assets.