Open Source is becoming increasingly vital in building modern applications, but it doesn’t come without risks. A recent Business Reporter breakfast briefing discussed ways to mitigate that risk.
Business technology is increasingly reliant on open-source software, which is typically released free of charge under a licence that allows users to modify and use it as they require. David Habusha, VP of product at WhiteSource, says that 80 per cent of the software in his customers’ libraries uses at least some open-source code.
There are numerous reasons for using open-source software, starting with speed and cost, and businesses also benefit from a community of developers who are regularly working to improve the software and fix bugs. However, as Mr Habusha told a Business Reporter Breakfast Briefing at London’s Goring Hotel, this software has to be handled differently from proprietary software.
Open source is part of the ecosystem
The very nature of open-source software means that it carries security risks. The fact that the developers who created it are not inside your organisation means that you cannot be sure that the code is written to your standards, or that it takes account of your particular risk profile and security needs. What’s more, malicious actors may add code to the software that allows them to access your systems.
But opting out isn’t feasible. One attendee from a major insurance company emphasised that the modern ecosystem makes open-source software a necessity. Even if your firm were to decide to avoid open-source software, it’s likely that your third parties would use it, and their third parties, and so on. Where once companies might have written their most vital software themselves, cost and workforce constraints today make that unrealistic. And, given that there are plentiful open-source options for most use cases, it’s unnecessary.
Instead, what companies need to do is ensure they have processes in place to handle the extra risks. As with any risk assessment, this begins by determining what you most want to protect and who you are trying to protect it from. As Mr Habusha pointed out, some vulnerabilities in open-source software are not a risk to every company. For example, if the code you are using can be exploited to extract credit card numbers, but you don’t process credit-card information, then fixing the vulnerability will not be a priority for you.
Adding extra layers of control
With a thorough risk analysis in place, you can begin to establish specific processes, an attendee from a financial services firm pointed out. He added that these should include measures such as maintaining your software register, understanding the relevant licensing issues – which can often be idiosyncratic – and knowing which of your existing security tools will cover open-source threats.
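The triage the attendees describe (a software register, a licence check, and advisories prioritised against the firm’s own risk profile, as in the credit-card example above) can be sketched in a few dozen lines. This is an added illustration, not code from WhiteSource or the briefing; every component name, version, licence list and advisory id is a constructed placeholder.

```python
"""Triage open-source advisories against a software register and a risk profile.

Added example, not from the briefing or any vendor. All component names,
versions and advisory ids below are constructed placeholders, not real CVEs.
"""
from dataclasses import dataclass


@dataclass
class Component:
    name: str
    version: str
    licence: str


@dataclass
class Advisory:
    id: str
    component: str
    affected_versions: set   # constructed; real feeds use version ranges
    impact: str              # data category the flaw exposes


# Software register: what the organisation actually ships (constructed).
REGISTER = [
    Component("payments-lib", "1.4.2", "MIT"),
    Component("image-resizer", "0.9.0", "GPL-3.0"),
    Component("log-shipper", "2.1.0", "Apache-2.0"),
]

# Advisory feed (constructed placeholders).
ADVISORIES = [
    Advisory("ADV-0001", "payments-lib", {"1.4.2", "1.4.3"}, "cardholder-data"),
    Advisory("ADV-0002", "image-resizer", {"0.9.0"}, "remote-code-execution"),
    Advisory("ADV-0003", "log-shipper", {"1.0.0"}, "credentials"),
]

# Risk profile: "none" means this firm holds no such data, so the finding is deferred.
PROFILE = {"remote-code-execution": "high", "credentials": "high", "cardholder-data": "none"}
APPROVED_LICENCES = {"MIT", "Apache-2.0", "BSD-3-Clause"}


def triage(register, advisories, profile, approved_licences):
    """Return (component, finding_id, priority) tuples for the register.

    An advisory counts only if the registered version is affected; its priority
    comes from the profile, and impacts the firm is not exposed to are deferred.
    Components under a licence outside the approved set are flagged for review.
    """
    by_name = {c.name: c for c in register}
    findings = []
    for adv in advisories:
        comp = by_name.get(adv.component)
        if comp is None or comp.version not in adv.affected_versions:
            continue  # not in the register, or an unaffected version
        priority = profile.get(adv.impact, "review")  # unknown impact -> human review
        findings.append((comp.name, adv.id, "defer" if priority == "none" else priority))
    for comp in register:
        if comp.licence not in approved_licences:
            findings.append((comp.name, "LICENCE", "review"))
    return findings
```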
Another attendee from a large law firm said that additional layers of control should be in place before developers use open-source software. He said that his firm asks developers why they are using the open-source software, whether it has any known risks, and whether there are alternatives.
What this means is that developers have to take on more of the security role, but this is no bad thing. Developers often outnumber security engineers by as much as 50 to one in an organisation, said Mr Habusha, and the rise of open-source technology means that security engineers will be unable to handle the load.
Open source is not going away
Open source represents a culture change that organisations must embrace if they are to harness its power without falling foul of the risks. But developers don’t have to take it on without help. There are tools available to check open-source code and warn of vulnerabilities.
It makes sense to employ those wherever possible, because developers can spend as much as 20 hours a month fixing security issues. The more that can be done to reduce that time with security tools, the more time they have to spend on more productive tasks.
Businesses would be wise to do that sooner rather than later, because the risks and complexities will only increase. One attendee said that the major risks on his company’s radar are automated hacking, the rise of the internet of things, and the ongoing increase in mobile applications. With increasing attacks from those who continue to hunt for new vulnerabilities, businesses cannot relax.
Meanwhile, customer expectations continue to grow, and companies will need to satisfy them despite constraints on costs and staffing. This makes the case for open source even stronger. Attendees agreed that open-source security is something that companies need to take more seriously in future, and that tools to help them manage it would be welcome.
For more information, please visit whitesourcesoftware.com