As open source software continues to gain prominence, organizations around the world are beginning to realize that they need a new approach to security. The more popular and important open source software becomes, the more it will be targeted, and the greater the likelihood that any vulnerabilities will be exploited by cybercriminals.
Writing for TechTarget, industry expert Michael Cobb recently emphasized the need for best practices when it comes to open source software security.
Policies and governance
Among the most important elements of any open source security plan is an effective usage policy. Cobb recommended that IT security and development managers consider limiting access to certain open source libraries, permitting only those personnel who have received the required training and signed the relevant agreements to use them.
Without such a policy, developers are likely to take shortcuts, pulling in open source libraries and packages without having read the relevant documentation or understood their security assumptions. When that happens, the potential for a breach rises accordingly.
Additionally, Cobb noted that Google, one of the leading open source adopters, requires developers to abide by a coding and comment policy that lets employees keep track of each other's work. This, the writer explained, is critical for security when thousands of developers have access to a single monolithic code tree, because it keeps every contributor accountable.
A good open source scanning and governance tool can support such a policy. These tools can enforce access limits and other policy rules, and, just as importantly, provide an accurate inventory of precisely where and how open source code is being used within the organization at any given moment. That inventory is what makes it possible to answer "are we affected?" the day a vulnerability is disclosed in a component, and it reduces the chance that unauthorized usage exposes the company to a breach.
Another key best practice, according to Cobb, is to always treat any and all open source data and code with a healthy degree of skepticism.
"Application developers should never assume that data has been correctly validated, especially if functions developed in-house receive data passed by a third-party component," Cobb wrote. "The data may have been validated against a different set of requirements or rules."
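The point in the quotation is a trust-boundary problem, and it is easiest to see in code. The following is an added example written for this page, not code from Cobb's article or from any real library: a stand-in "third-party component" validates a username by its own rule (non-empty, at most 64 characters), and in-house code then builds a filesystem path from it. The component's rule is perfectly sensible for the component, but it was never meant to guarantee that the value is safe as a path segment. The directory `/srv/profiles`, the username format, and all function names are assumptions for the example.

```python
import os
import re
from pathlib import PurePosixPath

# Constructed stand-in for a third-party component that validates a
# username by its own rules ("non-empty, at most 64 characters"). Those
# rules suit the component's purpose but say nothing about what the
# in-house code below actually requires.
def third_party_validate_username(raw: str) -> str:
    if not raw or len(raw) > 64:
        raise ValueError("username rejected by component")
    return raw

# Assumed directory layout for the example.
PROFILE_ROOT = PurePosixPath("/srv/profiles")


def profile_path_trusting(username: str) -> PurePosixPath:
    """In-house code that relies on the component's check, which is the
    mistake the passage warns about: '..' and '/' pass straight through."""
    return PROFILE_ROOT / username


# The rule *this* function needs: a short lowercase identifier that can
# never contain a path separator or '..'.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")


def profile_path_checked(username: str) -> PurePosixPath:
    """Re-validate against in-house rules before using the value, and add a
    containment check as defence in depth (independent of the regex)."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError(f"invalid username: {username!r}")
    candidate = PurePosixPath(os.path.normpath(str(PROFILE_ROOT / username)))
    if candidate.parent != PROFILE_ROOT:
        raise ValueError("profile path escapes PROFILE_ROOT")
    return candidate


def lookup_profile(raw: str, trust_component: bool) -> str:
    """The pipeline as it appears in practice: the component validates first,
    then in-house code consumes the result. Returns the normalised path the
    in-house code would open."""
    username = third_party_validate_username(raw)
    if trust_component:
        path = profile_path_trusting(username)
    else:
        path = profile_path_checked(username)
    return os.path.normpath(str(path))


if __name__ == "__main__":
    print(lookup_profile("alice", trust_component=True))            # /srv/profiles/alice
    print(lookup_profile("../../etc/passwd", trust_component=True))  # /etc/passwd
    try:
        lookup_profile("../../etc/passwd", trust_component=False)
    except ValueError as exc:
        print("rejected:", exc)
```

With `trust_component=True` the input `../../etc/passwd` satisfies the component's length rule and reaches the filesystem as `/etc/passwd`; with the in-house re-validation it is rejected before any path is built. The check is cheap, and it is independent of whatever the upstream component does or changes in a later release.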
The danger of misplaced trust is most readily visible in the case of Heartbleed (CVE-2014-0160), a missing bounds check in OpenSSL's TLS heartbeat extension that let a remote peer read up to 64 KB of a server's memory per request and that went unnoticed for roughly two years. It was one of the most serious vulnerabilities ever found in widely used open source software, and it persisted largely because everyone deploying the OpenSSL library assumed that someone else had reviewed it for security bugs, while almost no one actually had. That level of trust, while understandable, put countless organizations at risk.
Too frequently, companies treat open source the same way they treat commercial software. But whereas commercial software comes from a known vendor with contractual obligations, an open source component may have no such entity standing behind it. And while there are organizations dedicated to improving open source security, their efforts are not enough to guarantee the security of any given component.
The most reliable way to avoid similar problems in the future is to make sure that the open source code an organization depends on is actually reviewed by in-house staff against its own security standards, rather than assumed to have been reviewed by someone else.
Finally, Cobb recommended that every firm using open source software develop an emergency response plan. Such a plan is essential for the case in which attackers exploit a newly disclosed vulnerability in an open source component before a patch is available: the organization needs to know which systems are affected and what mitigations it can apply in the meantime.