Open source security has become a hot topic in recent months. The reasons why are obvious: Heartbleed and, more recently, Shellshock. These two major open source vulnerabilities revealed that a huge number of organizations and individuals were potentially at risk, as savvy cybercriminals and hackers could potentially gain access to user's information or even take control of their systems by exploiting these flaws.
In some extreme cases, industry observers have used these incidents to argue that open source security is inherently less secure than proprietary software. Most industry experts, though, believe that such fears are overwrought. However, there is widespread agreement that these vulnerabilities highlight the need for a renewed focus on security wherever and whenever open source software is in use.
Part of the reason for this strong reaction in the wake of the vulnerability revelations is that many industry participants had become increasingly confident and uncritical in regard to open source. Bloomberg News contributors Chris Strohm and Jordan Robertson recently declared that recent high-profile hacking attacks involving Heartbleed and Shellshock "have shaken the free-software movement that once symbolized the Web's idealism."
The source reported that some cybersecurity experts see these incidents as eye-openers, forcing companies to realize they became unduly lax in their efforts to vet the open source software within their organizations.
"It's going to be a wake-up call for a lot of people to understand why we aren't auditing this software better," said Greg Martin, founder and chief technology officer of Threat Stream Inc., the source reported. "Everybody's been scratching their heads and saying, 'How could we miss this?'"
Put simply, these vulnerabilities were missed because everyone assumed that others were taking the necessary precautions to verify the security of their open source software. As a result, few companies took these steps themselves.
This problem is compounded by the fact that open source vulnerabilities exist beyond Heartbleed and Shellshock. One of the biggest issues that companies must grapple with as they utilize open source is how widespread vulnerabilities may be.
Recently, Veracode conducted an analysis of 5,000 enterprise applications that were both hosted on its platform and showed signs of potential open source vulnerabilities, FCW reported. Ultimately, the organization determined that these open source third-party components introduced 24 vulnerabilities into each web application on average.
The problem, according to Veracode, is that these types of offerings typically receive less rigorous testing and oversight than customized solutions. And, as noted before, most firms do not go on to vet the applications themselves before using them for their own purposes.
Securing open source
With all that being said, it may seem like the ideal response would be to forsake open source software altogether. However, this is simply not a viable option. Open source has become essentially ubiquitous among organizations in every industry, and its prominence is likely to grow. Abandoning open source would make it impossible for many companies to function, let alone compete in their markets.
All of this goes to show that companies need to embrace better standards and strategies for ensuring that the open source software they use is both reliable and accounted for. To this end, the right tools are essential.
Notably, organizations should consider embracing open source scanning and governance solutions. These assets can help users to identify exactly where and how open source code is being used throughout the company's code base, and provide support to help the IT team find and correct potential vulnerabilities in these areas. This means that firms can embrace open source software with a greatly reduced risk of vulnerabilities or other problems emerging.