The role the channel can play in managing open source security

With the growing popularity of wearables providing determined hackers with yet another means of accessing the sensitive information they desire, this year will see a need for security to extend beyond the perimeter as these hackers continue to find ways into IT infrastructure through alternative, less prioritised routes.

Over the past year or so, the effects of Heartbleed, Shellshock, Ghost and Poodle have demonstrated how “known vulnerabilities” in software code are dangerous enemies that can lurk within an organisation’s infrastructure. These vulnerabilities are effectively ticking time bombs that need to be identified and defused as early on in the development process as possible.

That said, few people would suggest limiting the use of open source code by developers, given the time-to-market, development cost savings, and efficiency advantages it offers. But, to safely capitalise on its benefits, security teams will need to have visibility into, and control of, the open source used by their organisation.

According to the 2015 Future of Open Source Survey, 78 per cent of enterprise companies run at least part of their operations on open source software, and two-thirds (66 per cent) reported using open source code in building their customer software.

But, despite its ubiquity, most organisations are unaware of what open source code they’re using, where it’s located in their code base, or whether it has any known security vulnerabilities. To complicate matters further, software developers and security professionals hold different opinions and preconceived notions around whether open source software is more or less secure than closed-source, or proprietary, alternatives.

And, with communication among security, software development, and software build teams hampered somewhat by a tendency to work in silos during the development process, it’s little surprise that opportunities can be missed in identifying and avoiding open source-related security vulnerabilities.

However, with an automated and reliable means of locating and dynamically monitoring all open source code, and identifying all known security vulnerabilities, organisations will be in a better position to create remediation plans and mitigate overall risk.

Lack or processes and policies

The Future of Open Source Survey also revealed that, even though its use continues to grow rapidly, companies lack formal policies for the selection and management of open source code.

More than half of the survey’s respondents claimed to be dissatisfied with their ability to assess the security of their open source use, with only 17 per cent actively monitoring for open source security vulnerabilities. Furthermore, over half (55 per cent) of the respondents admitted they had no formal policy or procedure in place to monitor and manage their open source use – the potential implications of which are significant.

And only 16 per cent of organisations said they employed a process in which the management of open source code was automated from the point it entered the organisation, throughout the development process, and across the wider supply chain, thus providing them with the visibility and control they need to secure their software assets.

It’s clear from these figures alone that businesses are facing considerable risks from the increasing use of open source and the current lack of management around it.

At the same time though, the situation represents opportunities for a range of application security vendors in the near future.

The channel as consultant

One area which will be able to capitalise on the situation is the channel, which can take on an increasingly consultative role, educating businesses about this ever-changing threat landscape and the security solutions they need to spot, stop and manage these code-based vulnerabilities.

Resellers, for example, whose portfolio of application-security products complement those of open source security vendors, are one of three main types of partners that can benefit from innovative open source security technologies.

The second of these are managed service providers looking to deepen engagement with their customers by using a vendor’s products to secure and manage open source software.

The third are vendors’ audit partners who may purchase software from a vendor to be used as part of their customer engagements, as they carry out audits of an organisation’s open source code quality and encryption.

And beyond these more practical examples, partners involved in advisory services will also derive benefit from open source application security products and the intelligence they can offer.

Specialist legal firms, for example, can be much better informed when advising their clients on open source licensing, while systems integrators and consultants will be able to provide more expert counsel on application development or open source governance.

Making the most of the opportunity

By taking advantage of the wealth of open source code available, an organisation’s software developers have a tremendous opportunity to improve productivity, save time, and reduce costs. But to make the most of this opportunity, security teams will need an automated means of identifying open source code to ensure that any known vulnerabilities are quickly identified and isolated.

Channel partners have an important role in raising awareness of open source security challenges, and in highlighting the need to secure businesses from the code up.

Kevin Bland, Director, Channel and Alliances - EMEA, Black Duck Software

Image Credit: Shutterstock/Imilian