Across the IT landscape, open source software (OSS) is pervasive and ubiquitous. From the cloud and web to data centers; from the desktop to mobile devices; and across a range of embedded and IoT applications, OSS commands an ever-increasing, often dominant, share of the system software stack and provides equally substantial swathes of enabling application middleware, applications themselves, and tooling. However, mitigating security risks from development, integration, distribution, and deployment of open source is no simple matter.
While the rapid adoption of open source demonstrably yields lower acquisition costs, faster time-to-market, and other touted benefits, the community development model presents developers, integrators, and end users with a set of accompanying challenges. Historically, foremost among these concerns stood license compliance and IP protection. Most recently, with multiple highly publicized threats to open source components, security has joined and often surpassed these legal issues.
To mitigate open source-related security risks, companies first need to understand the open source security paradigm, its advantages and also challenges to it. Looking outward at projects and communities, this understanding includes the ability to judge community dynamics and to gauge community security expertise and oversight of vulnerabilities. Looking inward, at OSS deployment in data centers, on the desktop and in devices, it’s key to understand your organization software supply chain, how and where you integrate and deploy OSS, and whether OSS components are up-to-date. Especially in customer-facing applications, component version deprecation and version proliferation can degrade application and system security by failing to take advantage of up-to-date components and security patches that address critical vulnerabilities.
For more information on open source software security and the fastest way for companies to begin monitoring open source use, mitigating security risks, and lowering response time to vulnerabilities, watch this on-demand webinar. You can also read this report on the top trends in AppSec.