Despite patches, continue to monitor vulnerabilities in open source code and software


Is open source more secure than proprietary?

Many people believe that open source is safer than proprietary software. This is because open source components can be reviewed by a large number of independent users, and the philosophy of collaboration and transparency should inevitably lead to more secure code.

In reality, some very important code is barely reviewed. For example, the Apache Log4j open source code, which put hundreds of millions of devices at risk through a remote code execution vulnerability, was reviewed by only a handful of volunteers.

In fact, open source code often has critical vulnerabilities, which worries many agencies that create or rely on products that use open source.

There are big differences between internal code and open source code. When your developers write code internally, they follow your rules; logic is planned and changes and fixes are standardized.

Open source, on the other hand, is distributed among community members who write and maintain the projects. It often follows a looser set of rules, which makes it harder to assess code security.

With open source, it’s up to you to stay on top of any reported vulnerabilities. This means being alerted to new vulnerabilities in the source code you embed in your own applications, as well as in the source code contained in the commercial products you use, and taking prompt action to fix or update.


How to best monitor open source

There are three steps to keeping open source secure: knowing where it’s being used, finding which components have vulnerabilities, and patching or updating quickly.

The first is difficult, because many organizations don’t have a complete list of what’s running on their systems. Additionally, vendors often fail to disclose that their commercial products use open source – and many off-the-shelf commercial products have vulnerabilities in their open source components. A recent study showed that 85% of evaluated browser, email, file sharing, online meeting, and messaging products had at least one critical vulnerability.

Once you have determined which commercial products are running on your system, use either an application security scanning and testing product or a Software Composition Analysis (SCA) tool such as Snyk or Sonatype Nexus to identify open source components. Once critical vulnerabilities are found, most can be fixed with a review or patch.

Developers are often pressed for time to deliver, so they may take open source code from repositories without checking for known vulnerabilities. Before downloading open source software, check whether there is evidence that it has been securely developed and maintained (recent commits and releases), and that it has a governance model and a substantial number of users. Check whether the open source project has earned an OpenSSF Best Practices badge, which increases the likelihood that the software is developed and maintained securely.
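The second step above, matching a component inventory against an advisory feed, is what an SCA tool does at its core. The script below is an added illustration of that matching logic, not code from this article or from any SCA product; the package names, version ranges, severities and advisory ids (ADV-xxxx) are constructed sample data, not real CVEs or real product version ranges.

```python
"""Minimal SCA-style check: match an inventory of open source components
(e.g. read from an SBOM) against an advisory feed and report what to patch."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # placeholder ids, not real CVE numbers
    package: str
    introduced: str    # first affected version (inclusive)
    fixed: str         # first fixed version (exclusive); "" = no fix yet
    severity: str

def parse_version(v: str) -> tuple:
    """Turn '2.14.1' into (2, 14, 1) so versions order numerically;
    non-numeric parts (e.g. 'beta') sort below any number."""
    return tuple(int(p) if p.isdigit() else -1 for p in v.split("."))

def is_affected(version: str, adv: Advisory) -> bool:
    """True if version lies in [introduced, fixed), or >= introduced when no fix exists."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    if adv.fixed and v >= parse_version(adv.fixed):
        return False
    return True

# Constructed sample advisories; ranges are illustrative only.
ADVISORIES = [
    Advisory("ADV-0001", "log4j-core", "2.0", "2.17.1", "critical"),
    Advisory("ADV-0002", "jackson-databind", "2.9.0", "2.9.10", "high"),
    Advisory("ADV-0003", "examplelib", "1.0", "", "medium"),  # no fix released yet
]

def scan(inventory, advisories=ADVISORIES):
    """Return {(package, version): [advisory ids]} for each vulnerable component.
    inventory is a list of (package, version) pairs, as an SBOM would list them."""
    findings = {}
    for pkg, ver in inventory:
        hits = [a.advisory_id for a in advisories
                if a.package == pkg and is_affected(ver, a)]
        if hits:
            findings[(pkg, ver)] = hits
    return findings

if __name__ == "__main__":
    # Constructed sample inventory: two are exposed, two are already on a fixed version.
    inv = [("log4j-core", "2.14.1"), ("log4j-core", "2.17.1"),
           ("jackson-databind", "2.9.10"), ("examplelib", "1.3")]
    for (pkg, ver), ids in scan(inv).items():
        print(f"PATCH NEEDED: {pkg} {ver} -> {', '.join(ids)}")
```

Components without a fixed version (like ADV-0003 here) still appear in the findings, which is the case where a mitigation or replacement has to be planned rather than a simple update.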

