5 steps to better open source code security

It's an open source world. Black Duck and Northbridge’s recent 2016 Future of Open Source Survey found that 78 per cent of the over 1300 respondent companies said they run open source software.

The number is likely much higher. Black Duck finds open source software (OSS) in over 95 per cent of the applications we analyse for clients. It’s easy to understand why. Open source adds needed functionality while lowering development costs and accelerating time to market.

But securing and managing open source code still remains a challenge for many organisations. And with use increasing, open source vulnerabilities are also on the rise. Since 2014 alone, the National Vulnerability Database (NVD) has reported over 6,000 new vulnerabilities in open source software.

There are a variety of available tools for scanning proprietary code to identify and mitigate vulnerabilities, but often left out of the equation is the need to take the same measures for open source code. Complicating matters is that many tools used for scanning proprietary code do not detect security vulnerabilities in open source. Our survey also found that few companies have effective policies and procedures in place to manage open source. Here are a few examples:

  • More than 55 per cent of our respondents said their company has no formal policy or procedure for open source use. Only 27 per cent have a formal policy for employee contributions to OSS projects.
  • Just 16 per cent have an automated code approval process and less than 42 per cent maintain an inventory of open source components.
  • More than 50 per cent are not satisfied with their ability to understand known security vulnerabilities in open-source components, and only 17 per cent have plans to monitor open source code for security vulnerabilities.

If your company is on the wrong side of those numbers this probably already sounds familiar to you: each time a new open source vulnerability is reported you’re going through the same fire drill; a race to find which of your apps are at risk, locating the use of the offending open source code, and implementing a fix before someone can exploit the vulnerability. What's worse, it's very likely you’ll go through this same exercise the next time a new vulnerability comes to light.

It’s important to note that the open source community is classically very quick to respond to discoveries of open source vulnerabilities and, in most cases, a fix is released the same day as the vulnerability details are published. The issue isn’t open source vulnerabilities. The issue is to ensure your organisation has timely and continual insight into the open source code you’re using in order to keep it up-to-date and secure as vulnerabilities are discovered.

To fully capitalise on the value of open source software it’s essential to manage the risks associated with its use. Here are five key steps you can take:

  1. Identify the open source code your company already has in use. Before you can begin remediating vulnerabilities, you have to gather in and maintain a list of what components you have in use and where. Automated code scanning tools that produce a software BoM or “Bill of Materials” – a listing of open source components and versions contained in an application – are the best approach for organisations seeking a thorough evaluation of their code bases.
  2. Understand the impacts of OSS licenses: “Security,” when it comes to open source, can be more than identifying and remediating vulnerabilities. Companies also need to determine what licenses apply to the open source they have in use so that they can evaluate what licensing obligations have come with their use of open source code.It’s common practice in merger and acquisition deals for lawyers to advise clients to run a scan of the target company’s codebase to understand code integrity, identify any applicable open source licenses and surface any security vulnerabilities. Even if you’re on the sell side of a transaction or strategic deal, you need to anticipate those questions from buyers in order to avoid surprises.
  3. Implement automated OSS management practices: If you don’t know what open source you have in use, you can’t effectively manage the risks. But cumbersome processes requiring hours of review and lengthy turnaround times will create frustration, and developers will find ways to work around them. Streamlining and automating OSS management practices as much as possible removes many road blocks to integrating open source projects into your applications and provides greater visibility into what you’re using.
  4. Discover known vulnerabilities present in your open source code. There are resources, like the U.S. Government’s National Vulnerability Database (NVD), that track and publically report on security vulnerabilities for all types of software. Yet, more comprehensive and timely notifications can be provided through automated tools from sources like the NVD and VulnDB, which can map vulnerabilities against the code your company is using.
  5. Monitor for new vulnerabilities. Continuous, automated scans of applications under development can identify open source entering the code base and ensure that vulnerabilities aren’t being unknowingly introduced along with it. By monitoring for newly disclosed vulnerabilities and having the ability to immediately assess their impact across your code base will help your company’s security, compliance, and development teams gain peace of mind knowing they are actively managing security threats.

The bottom line is that you can’t reap the benefits of open source usage without also managing the potential risks of security and license compliance.

Visibility, identification, and tracking, coupled with solid management policies, can provide an effective solution for securely managing your open source code.

Mike Pittenger, Vice President of Product Strategy at Black Duck Software

Image source: Shutterstock/Imilian