The current state of open source software (OSS) security may surprise you: with over 13 billion OSS component requests annually, 60% of organizations still do not track security vulnerabilities in their code. This is a big reason why open source vulnerabilities such as Heartbleed and the recent PHP flaw affecting WordPress and Drupal sites are catching organizations unaware.
In our recent webinar, Top Tactics to Reduce Your Open Source Security Risk, we discussed the current open source security culture (or lack thereof) and explained several ways organizations can reduce their risk of attack and liability. You can watch the recording here. Two of the methods we discussed are (you can fast-forward to these times in the recording):
• Create an acquisition process (10:40) – know where your OSS is coming from
• Track open source usage (24:20) – know who is using OSS and how it’s being used
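The two methods above come down to keeping an inventory that answers "where did this component come from?" and "which system and which team are using it?", so that when an advisory lands the affected systems can be found in minutes rather than weeks. The script below is an added example written for this post, not code from the webinar or its vendor: it parses a few constructed application manifests (a made-up `name==version @source` format, not a real package manager's), builds a component inventory, flags components acquired outside an approved-source list, and looks up which applications and owning teams run a version inside an advisory's vulnerable range. The advisory entry uses a placeholder ID; its version range is modelled on Heartbleed (OpenSSL 1.0.1 up to but not including 1.0.1g). All application names, team names and manifests are constructed sample data.

```python
"""Minimal open source usage inventory (added example, constructed data).

Answers the two questions a tracking process should answer on demand:
  1. Am I at risk right now?  -> affected_systems()
  2. Where did this OSS come from? -> unapproved_sources()
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    source: str  # where the component was acquired: approved registry, vendored copy, mirror...


# Constructed sample manifests: application -> (owning team, manifest text).
# The "name==version @source" format is invented for this example.
MANIFESTS = {
    "billing-api": ("team-payments", """
        openssl==1.0.1f @vendored
        requests==2.3.0 @pypi
    """),
    "web-portal": ("team-web", """
        openssl==1.0.1g @distro
        jquery==1.11.0 @cdn-mirror
    """),
    "reporting": ("team-data", """
        openssl==1.0.1e @vendored
    """),
}

# Constructed advisory with a placeholder ID; the range mirrors Heartbleed's
# affected OpenSSL versions (1.0.1 through 1.0.1f, fixed in 1.0.1g).
ADVISORIES = [
    {"id": "EXAMPLE-ADVISORY-1", "name": "openssl",
     "min_version": "1.0.1", "fixed_version": "1.0.1g"},
]

# Sources the (hypothetical) acquisition process has approved.
APPROVED_SOURCES = {"pypi", "distro"}


def parse_manifest(text):
    """Parse the constructed manifest format into Component records."""
    comps = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        spec, _, source = line.partition(" @")
        name, _, version = spec.partition("==")
        comps.append(Component(name.strip(), version.strip(), source.strip() or "unknown"))
    return comps


def version_tuple(v):
    """Turn '1.0.1f' into (1, '', 0, '', 1, 'f'): numeric parts compare as ints,
    the letter suffix OpenSSL used compares lexically, so 1.0.1 < 1.0.1e < 1.0.1g."""
    parts = []
    for piece in v.split("."):
        i = 0
        while i < len(piece) and piece[i].isdigit():
            i += 1
        parts.append(int(piece[:i]) if i else 0)
        parts.append(piece[i:])
    return tuple(parts)


def build_inventory():
    """Map component name -> list of (application, owning team, Component)."""
    inventory = defaultdict(list)
    for app, (owner, text) in MANIFESTS.items():
        for comp in parse_manifest(text):
            inventory[comp.name].append((app, owner, comp))
    return inventory


def unapproved_sources(inventory):
    """Acquisition check: components that did not come through an approved source."""
    return sorted((app, c.name, c.source)
                  for entries in inventory.values()
                  for app, _, c in entries
                  if c.source not in APPROVED_SOURCES)


def affected_systems(inventory, advisory):
    """Usage check: applications (and owners) running a version in the vulnerable range."""
    lo = version_tuple(advisory["min_version"])
    fix = version_tuple(advisory["fixed_version"])
    hits = [(app, owner, c.version)
            for app, owner, c in inventory.get(advisory["name"], [])
            if lo <= version_tuple(c.version) < fix]
    return sorted(hits)


if __name__ == "__main__":
    inv = build_inventory()
    print("Components acquired outside approved sources:")
    for app, name, source in unapproved_sources(inv):
        print(f"  {app}: {name} from {source}")
    for adv in ADVISORIES:
        print(f"Systems affected by {adv['id']} ({adv['name']} < {adv['fixed_version']}):")
        for app, owner, version in affected_systems(inv, adv):
            print(f"  {app} ({owner}) runs {version}")
```

Run as-is, the script reports the two vendored OpenSSL copies as unapproved acquisitions and names billing-api and reporting, with their owning teams, as the systems to remediate; web-portal is already on the fixed version. The owner column is the point of the exercise: the inventory tells you not just that you are exposed but whom to call.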
These and the other methods discussed build up a plan of attack for organizations to characterize their open source environment, educate their employees, and apply some discipline to better prevent security risks. We also explained how these methods help triage and solve open source issues in many other areas, such as maintenance, technical support, license liability, and protecting intellectual property.
While the state of the industry is well known, we thought we’d learn a little more about our attendees. Here are the results of two polls we conducted:
Does your OSS policy include security elements?
• Yes – 54%
• No – 46%
How long did it take your organization to identify and remediate systems affected by Heartbleed?
• More than one month – 8%
• Approximately one week – 15%
• Approximately one month – 31%
• Not affected by Heartbleed – 46%
The first result reflects the industry trend of a large number of organizations not having an OSS security policy in place. Those organizations should be asking themselves two questions:
1) Do I know if I’m at risk right now?
2) Do I know what to do when a security threat occurs?
The second result goes to show that even a simple flaw in a well-known, widely used (not to mention widely tested!) software package can incur significant costs to fix.
All our webinar recipients were given this link to start protecting their organization by understanding their open source usage – the next step to developing a comprehensive and maintainable OSS policy: