The continuous influx of open source software (OSS) into a company’s IT department is a huge benefit to both vendors and users in many ways. For vendors, being able to use open source components removes a lot of duplicate work. For example, a vendor does not have to design every part of its IoT sensor or surveillance product from scratch: it can adopt well-understood, well-supported open source libraries for the network stack and concentrate on the sensing and data-analysis capabilities that make its products stand out from the competition.
One of the main benefits for end users, at least in theory, is the increased security that is a standard part of the marketing of open source software. The idea is that because the software is open and anyone can inspect it to discover and fix security flaws, it is generally safer than its proprietary equivalent.
But that is only partially true, according to Gartner’s vice president of research, Mark Driver, who said there is a contradictory idea that counters it: opening the software also allows bad guys to add something to important code.
“The reality is somewhere between the two. In reality, OSS is as secure as proprietary software,” he said. “It all depends on how the project runs.”
The theory that open source software is secure is perfectly fine, but in reality it all depends on how aggressive and proficient the particular set of contributors working on a particular project is. Dimitrios Pavlakis, senior analyst for IoT and cybersecurity at ABI Research, said there is sometimes a discrepancy between the open source project team’s bug-finding efforts and an attacker’s thorough screening of the same code.
“The open source community is a hobby of duck hunting,” he said. “But attackers are doing this to make a living.”
Therefore, it is important for companies that use software with open source components to dig deeper into how well those components are actually supported. Some open source projects are not professionally supported. That is, the people who maintain the project (if anyone maintains it at all) are doing so in their spare time.
Also, even if those projects are actively maintained, there is no guarantee that the vendors using the code in commercial software will apply the fixes to their products in a timely manner.
“The most common problem with open source software is poor management of open source assets,” says Driver. Security issues may be fixed by the open source team, but not in the code of the product that incorporates them. “People download and use it, but never go back and check [for patches],” he said.
So what should responsible companies do about potential open source vulnerabilities in their software stack? Part of the solution is technological. Software that can automatically analyze a specific stack for open source components and cross-reference them with known CVEs can be a great help to companies looking to protect themselves. Vendors such as Checkmarx, Veracode, and Whitesource offer this type of product, commonly referred to as software composition analysis (SCA).
However, it is also important to note that SCA software is not a complete solution, according to IDC head of research Jim Mercer. Because some open source software is only partially used, automated SCA tools will still flag vulnerabilities in the unused parts of a project or library, producing false positives.
“SCA tools prioritize based on how the CVE was initially prioritized, but not all of them understand how to use the software,” he said. “You have to see it yourself.”
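To make the two points above concrete, the following is an added example (not code from the article or from any of the vendors it names): a minimal SCA-style cross-reference of a constructed component inventory against constructed advisories, followed by the manual triage step Mercer describes, which separates findings in parts of a library the product actually uses from those in parts it never calls. The component names, versions and advisory ids are placeholders, not real CVEs.

```python
from dataclasses import dataclass, field


@dataclass
class Component:
    """One open source component found in the product's stack."""
    name: str
    version: tuple                                   # e.g. (2, 1, 0)
    modules_used: set = field(default_factory=set)   # parts of the library the product calls


@dataclass
class Advisory:
    """A known-vulnerability record (constructed placeholder, not a real CVE)."""
    adv_id: str
    component: str
    fixed_in: tuple          # versions strictly below this are affected
    affected_module: str     # the part of the library the flaw lives in
    severity: str


def sca_findings(components, advisories):
    """Plain SCA pass: flag every component whose version is in an advisory's affected range."""
    return [(c, a) for c in components for a in advisories
            if c.name == a.component and c.version < a.fixed_in]


def triage(findings):
    """The 'see it yourself' step: a finding is actionable only if the product uses the
    vulnerable module; otherwise it is recorded as a likely false positive, not dropped."""
    actionable, likely_false_positive = [], []
    for c, a in findings:
        bucket = actionable if a.affected_module in c.modules_used else likely_false_positive
        bucket.append((c, a))
    return actionable, likely_false_positive


# Constructed sample inventory and advisories (placeholder ids, not real CVEs)
INVENTORY = [
    Component("netstack", (2, 1, 0), {"tcp", "tls"}),
    Component("imgcodec", (0, 9, 3), {"png"}),
]
ADVISORIES = [
    Advisory("ADV-PLACEHOLDER-1", "netstack", (2, 2, 0), "tls", "high"),
    Advisory("ADV-PLACEHOLDER-2", "imgcodec", (1, 0, 0), "tiff", "critical"),
    Advisory("ADV-PLACEHOLDER-3", "netstack", (2, 0, 0), "tcp", "high"),  # not affected: 2.1.0 >= 2.0.0
]


def report():
    """Return (actionable ids, likely-false-positive ids) for the sample data."""
    actionable, likely_fp = triage(sca_findings(INVENTORY, ADVISORIES))
    return [a.adv_id for _, a in actionable], [a.adv_id for _, a in likely_fp]
```

Note that the critical-rated advisory is the one that lands in the likely-false-positive bucket, which is exactly why prioritizing on CVE severity alone is not enough.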
Therefore, another, and perhaps more important, part of the enterprise solution is contractual. Manual static analysis of complex software stacks is difficult, and in-house engineers may not be able to fix problems with open source software themselves.
This means that service-level agreements that place full responsibility for security analysis and problem-solving on vendors could be the best tool available to businesses to avoid potential problems with open source software.
“The solution is to establish an SLA that supports the value of whatever the business process is,” says Driver. “If it’s business-critical, the SLA needs to be solid.”
Copyright © 2021 IDG Communications, Inc.
Open Source: Get an SLA that protects your network apps with open source components