A couple of months ago I wrote about how open source has become the way we write software today, and about the implications that dynamic has for the world of security. This new development methodology requires a shift in how we secure our applications.
The reasons for the rapid growth of open source are clear:
- The community effect lends itself to innovation – the expertise pool in the ever-expanding open source community is orders of magnitude larger than any single development team.
- Using open source makes organizations more agile – they can reuse open source functionality instead of reinventing the wheel in house to solve the business problem at hand.
- Acquisition of open source is easy and cost effective – since open source components are available on public repositories, they are easy to evaluate.
The use of open source is ubiquitous worldwide. In newer technologies such as Linux containers, the connected car, and the Internet of Things, open source makes up the bulk of the solution. We also see huge amounts of open source used in commercial and enterprise-built applications.
The new approach to application security
The ascendance of open source has forced a change in the way we think about application security. Applications have become one of the most important fronts in the cyber security war.
The open source community is very fast at releasing security patches, but the responsibility for applying those patches and updating the applications lies with the development teams.
With thousands of new vulnerabilities found per year, keeping up to date is a daunting but absolutely vital task. We recently released a study of 200 commercial applications and found that 67 percent contained open source components with known vulnerabilities, and the average age of these vulnerabilities was more than five years. Yes, more than five years.
Making the world more secure one app at a time
At Black Duck we are committed to ensuring the use of open source remains strong by removing roadblocks to adoption, spread and use. We have found that regular reviews and ongoing monitoring of open source components for known security vulnerabilities is the best way to have the highest quality code, safe from known security issues.
To help ensure applications are free from these vulnerabilities, I am happy to introduce the Black Duck Security Checker, a free, drag-and-drop tool for developers and security professionals to identify open source components in their code and find known security vulnerabilities.
Simply drag a file containing your artifacts into the browser and Black Duck will securely send you a report with a list of open source components and let you know if any of them contain vulnerabilities.
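As an added illustration (not Black Duck's tool or code), here is the check described above reduced to its core: match an application's component inventory against an advisory feed by version range, then compute the share of applications with a known-vulnerable component and the mean advisory age, the two figures the study cited above reports. The component names, advisory ids, versions and dates below are constructed placeholders, not real components or CVEs.

```python
from datetime import date

# Constructed advisory feed (placeholder ids, not real CVEs):
# (component, advisory id, first affected version inclusive,
#  fixed version exclusive, disclosure date)
ADVISORIES = [
    ("libfoo", "ADV-0001", "1.0.0", "1.4.2", date(2010, 3, 1)),
    ("libfoo", "ADV-0002", "1.4.0", "1.5.0", date(2014, 7, 15)),
    ("webbar", "ADV-0003", "2.0.0", "2.3.1", date(2015, 1, 20)),
]

# Constructed inventories of three applications: component -> pinned version,
# the kind of list a manifest or binary scan would produce.
INVENTORY = {
    "app-a": {"libfoo": "1.2.9", "webbar": "2.4.0"},
    "app-b": {"libfoo": "1.4.1"},
    "app-c": {"libfoo": "1.5.0", "webbar": "2.3.1"},
}

def parse_version(v):
    """Turn 'MAJOR.MINOR.PATCH' into a comparable tuple; missing parts are 0."""
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed (the fixed release is safe)."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)

def find_vulns(components):
    """Return [(component, version, advisory_id, disclosed)] for one application."""
    hits = []
    for comp, ver in components.items():
        for a_comp, a_id, intro, fixed, disclosed in ADVISORIES:
            if a_comp == comp and is_affected(ver, intro, fixed):
                hits.append((comp, ver, a_id, disclosed))
    return hits

def summarize(inventory, as_of):
    """Percentage of apps with at least one known-vulnerable component and the
    mean age in years (as of `as_of`) of every advisory matched across them."""
    affected, ages = 0, []
    for comps in inventory.values():
        hits = find_vulns(comps)
        if hits:
            affected += 1
            ages.extend((as_of - h[3]).days / 365.25 for h in hits)
    pct = 100 * affected / len(inventory)
    avg = sum(ages) / len(ages) if ages else 0.0
    return round(pct, 1), round(avg, 1)
```

Running `summarize(INVENTORY, date(2016, 6, 1))` on the constructed data gives two of three applications affected and advisories averaging several years old, the same shape of result as the study; only the first hit per component needs to be fresh for the average to drop.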
I’m excited and proud that Black Duck is offering users across the globe the opportunity to find out what they don’t know about the open source in their code – helping them know their code quickly and completely.
Ladies and gentlemen, START YOUR SCANNING!