Open-source software is everywhere today – it runs the systems in every part of our lives. Approximately 85 per cent of modern apps are built using open-source software, as the code can be freely accessed, used, adapted and shared by anyone in the public domain. More companies are jumping on the bandwagon as they discover the advantages open-source solutions have over their proprietary counterparts – from cost and time savings to higher quality support.
But open-source is not without its disadvantages – one that is commonly discussed is the security vulnerabilities that come with adopting an open-source model. A 2019 vulnerability management survey report by cybersecurity company Tripwire found that a staggering one in four organisations globally were breached in 2019. As the threat continues to grow, the lack of security in open-source communities may become a significant deterrent for developers. The problem lies in the fact that such software is often not subject to the same level of checks as custom-built software, and the community does not always understand the potential security risks that may be critical for an organisation.
However, I believe that the gains from using open-source software far outweigh any uncertainty it poses, especially if we take precautionary measures to ensure that we are not opening ourselves up to unwanted guests. Which leads us to an important question: How do we identify software security flaws and patch them up in time to minimise the adverse impact they could have on our business?
At Intelematics, we adopt open-source software solutions, and they have made a positive impact on the speed and agility of the company. For us to continue to reap the benefits of doing so in the long run, we also make a conscious effort to ensure that there are no security breaches across all fronts. Based on my experience of being at the front line of security, here are some recommendations that might help you keep up with open-source software programs in today’s rapidly evolving threat landscape.
Tackling vulnerabilities starts with awareness
When it comes to open-source software, the old phrase ‘what you don’t know won’t hurt you’ could not be further from the truth. The reality is that taking the time to identify existing and potential vulnerabilities is a crucial first step in boosting open-source security. If you opt to use open-source software components, the onus is on you to be aware of and eliminate all vulnerabilities.
The process of locating software vulnerabilities is a complex one requiring extensive man-hours and resources, and it is a challenge to be completely thorough. Fortunately, there are modern tools that can provide greater visibility into open-source software vulnerabilities in an efficient manner. Taking Intelematics as an example, we utilise Snyk to check for vulnerabilities in our code and identify the fixes required to minimise risks.
Without question, there are various modern tools out there that can be applied to different business settings and use cases, and it will take time to find one that suits your specific needs. Still, once you get through the hurdle, the vulnerability management process becomes easier.
Staying up to date and applying security patches promptly
In 2017, consumer reporting agency Equifax reported a major cybersecurity incident which led to the theft of the personally identifiable information of 145.9 million people. As tragic as the incident was, it was later found that it could have been avoided if the open-source software had been updated on time. Although a patch for the vulnerability was available a few months before the attack, Equifax failed to update the software at the time and criminals were, unfortunately, able to gain access to its confidential files.
The Equifax breach, known as one of the most massive data hacks in history, reinforced the importance of always staying up to date with new software versions so that fixes reach you as soon as they are released. Not patching known open-source vulnerabilities places companies at significant risk, and the damaging effects could potentially trickle down to customers as well.
While there is a risk that the proposed code changes do not fix the vulnerability, an additional benefit of utilising open-source software is the diverse and highly motivated community that provides high-quality support when needed. Harnessing the skills of the community as a whole, you will likely land on a solution sooner than you think!
Automating processes to enhance security
To take your security to the next level, you can also consider investing in automated solutions that continuously monitor all software for vulnerabilities and remedy them swiftly. Doing so also allows businesses to stay on top of updates coming from the open-source community as automated tools compare applications against the latest information.
With vulnerability scanning implemented in the CI/CD pipeline, you will be in a better position to ensure that the applications developed are more reliable and secure while minimising disruptions to the team’s overall efficiency. However, if employees are not ready for automated security pipelines, keep it on hold and focus efforts on scanning for vulnerabilities locally.
Although protecting an organisation’s software security is crucial, it is also necessary to bear in mind that each new step added to the pipeline needs to be accepted by all involved stakeholders. Disrupting the build to address a vulnerability can frustrate developers, especially when the build fails without adding value.
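One way to keep a pipeline gate from failing builds without adding value, shown as an added example (not Intelematics' or any scanner vendor's code): block only on severe findings that already have a fix, and report the rest. The report layout, field names and package names are assumptions constructed for this sketch.

```python
import json

# Constructed sample report; the field names are assumptions for this example,
# not the output format of Snyk or any other scanner.
SAMPLE_REPORT = json.dumps({"findings": [
    {"package": "libalpha", "installed": "2.3.1", "severity": "critical", "fixed_in": "2.3.5"},
    {"package": "libbeta", "installed": "1.0.0", "severity": "high", "fixed_in": None},
    {"package": "libgamma", "installed": "4.1.0", "severity": "low", "fixed_in": "4.1.2"},
    {"package": "libdelta", "installed": "0.9.10", "severity": "high", "fixed_in": "0.9.9"},
]})

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def parse_version(text):
    """Turn '0.9.10' into (0, 9, 10) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def gate(report_json, fail_at="high"):
    """Sort findings into build blockers, warnings and stale (already patched) entries."""
    result = {"block": [], "warn": [], "stale": []}
    for finding in json.loads(report_json)["findings"]:
        fixed_in = finding.get("fixed_in")
        # An unrecognised severity label is treated as critical (fail closed).
        rank = SEVERITY_RANK.get(finding["severity"], 3)
        if fixed_in and parse_version(finding["installed"]) >= parse_version(fixed_in):
            result["stale"].append(finding["package"])  # installed version already has the fix
        elif fixed_in and rank >= SEVERITY_RANK[fail_at]:
            result["block"].append(finding["package"])  # severe and fixable: stop the build
        else:
            result["warn"].append(finding["package"])   # no fix yet or low severity: report only
    return result


def exit_code(result):
    """A non-zero exit status fails the CI job."""
    return 1 if result["block"] else 0


if __name__ == "__main__":
    outcome = gate(SAMPLE_REPORT)
    for bucket, packages in outcome.items():
        print(f"{bucket}: {', '.join(packages) or '-'}")
    raise SystemExit(exit_code(outcome))
```

Findings in the warn bucket still need an owner and a review date; the gate only decides what stops the build.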
However, with proper risk management measures in place, open-source software solutions backed by their highly active and aware community can quickly help an organisation scale its tech capabilities.