In the past year, we’ve seen two distinct, powerful trends occurring in the realm of open source software. First, the positive: Open source solutions have never been so popular or widely accepted. Organizations and individuals that were previously hugely skeptical of this approach have come on board fully, recognizing the massive benefits that open source solutions can deliver across the board.
Unfortunately, the other overarching open source trend of 2014 was not nearly as encouraging: the rise of open source vulnerabilities with wide-ranging consequences.
In all likelihood, 2015 will continue both of these trends. But with the right practices and the right tools – such as open source scanning and governance applications – organization leaders will be able to leverage open source more broadly without putting themselves or their customers and clients at risk.
Signs of expansion
Arguably one of the strongest signs we’ve seen of the growing influence that open source is bound to have in 2015, and the fears that many hold regarding its security, came in the form of a new piece of proposed legislation.
“The law would have required vendors to inform their potential federal clients of every piece of open source code embedded in their software.”
Introduced in the House of Representatives in December, the Cyber Supply Chain Management and Transparency Act of 2014 would have required vendors to inform their potential federal clients of every piece of open source code embedded in their software and also prove that there were no cybersecurity issues associated with these offerings.
This bill was set aside when Congress recessed for the year and is not an immediate priority for the new 114th Congress. However, this proposal is still extremely significant, as it exemplifies both of the trends we highlighted above. Federal lawmakers have now explicitly addressed the growing use of open source software by IT vendors – and therefore the increasing presence of open source solutions among federal infrastructure. Furthermore, this legislation clearly highlighted the cybersecurity worries that many bear in regard to open source solutions.
Such fears are relatively understandable. After all, 2014 saw the discovery of both Heartbleed and Shellshock – two of the most significant open source software vulnerabilities ever found. Even more importantly, these flaws received widespread media attention, ensuring that even non-IT professionals – such as members of Congress – became aware of the issues involved.
That’s not to say that this legislation was well-considered. As Trey Hodgkins, senior vice president for public sector at the IT Alliance for Public Sector, told Government Technology, the bill was somewhat “draconian” and ignored the fact that companies already have a compelling reason to ensure the safety and security of their open source software.
The key takeaway is that open source software has now fully entered the mainstream, and has shown no signs of slowing. Organizations that depend upon these resources either directly or indirectly – a group that has expanded to include wide swaths of both the public and private sector – realize they need to take steps to protect themselves from potential security vulnerabilities.
Knowledge is power
The question, then, is how businesses can go about achieving this goal. The near-ubiquity of open source technology makes simple avoidance an impractical solution. Besides, refusing to utilize open source in any capacity would severely undermine a firm’s IT capabilities.
“For an organization to leverage open source safely, it needs to know exactly where and how these resources are being used.”
Again, the Cyber Supply Chain Management and Transparency Act of 2014 is instructive in this regard. Even if the specifics were unwieldy or unreasonable, the bill was correct in its understanding that awareness is a prerequisite for security. For an organization to leverage open source safely, it needs to know exactly where and how these resources are being used.
This may seem fairly straightforward, but it’s actually a complicated issue. Because open source now serves as such a foundational tool for a wide variety of software projects, it is difficult to keep track of all of these instances. The only real way to do so is by utilizing resources dedicated specifically to this purpose.
That’s where OpenLogic’s open source scanning and governance tools enter the picture. These assets will clearly and comprehensively identify open source usage throughout the organization, allowing IT leaders to take the appropriate steps to improve security and address flaws or other vulnerabilities immediately.
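To make the "know where and how open source is used" point concrete, here is an added example of the simplest form of such an inventory: walk a source tree, pull declared components out of Python and Node manifests, and compare each version against an advisory list. This is illustrative code written for this article, not OpenLogic's product or any real tool; the advisory entries (`ADV-PLACEHOLDER-001` and so on), the package names and the manifest contents are all constructed placeholders.

```python
import json
import re
from pathlib import Path

# Constructed advisory feed for the example; identifiers and versions are
# placeholders, not real advisories. A production inventory would consume a
# maintained vulnerability database instead of a hard-coded list.
ADVISORIES = [
    {"ecosystem": "pypi", "name": "examplelib", "fixed_in": "2.3.1", "id": "ADV-PLACEHOLDER-001"},
    {"ecosystem": "npm", "name": "example-parser", "fixed_in": "1.4.0", "id": "ADV-PLACEHOLDER-002"},
]

# Matches pinned requirement lines such as "name==1.2.3"; unpinned ranges are ignored.
_PIN = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*==\s*([^\s;#]+)")


def parse_version(text):
    """Turn '^1.3.9' or 'v2.0' into a tuple of ints, stopping at the first non-numeric part."""
    cleaned = re.sub(r"^[\s\^~<>=v]+", "", text)
    parts = []
    for piece in re.split(r"[.\-]", cleaned):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def version_lt(a, b):
    """Numeric compare with zero padding so that (1, 4) is not below (1, 4, 0)."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def parse_requirements(text, source):
    """Pinned 'name==version' entries from a requirements.txt."""
    components = []
    for line in text.splitlines():
        m = _PIN.match(line)
        if m:
            components.append({"ecosystem": "pypi", "name": m.group(1).lower(),
                               "version": m.group(2), "source": source})
    return components


def parse_package_json(text, source):
    """Declared dependencies from a package.json (the declared spec, not a lockfile resolution)."""
    data = json.loads(text)
    components = []
    for section in ("dependencies", "devDependencies"):
        for name, spec in data.get(section, {}).items():
            components.append({"ecosystem": "npm", "name": name.lower(),
                               "version": spec, "source": f"{source}:{section}"})
    return components


def inventory_tree(root):
    """Walk a source tree and collect components from every manifest found."""
    inventory = []
    for path in Path(root).rglob("*"):
        if "node_modules" in path.parts or not path.is_file():
            continue
        if path.name == "requirements.txt":
            inventory += parse_requirements(path.read_text(), str(path))
        elif path.name == "package.json":
            inventory += parse_package_json(path.read_text(), str(path))
    return inventory


def find_vulnerable(inventory, advisories=ADVISORIES):
    """Components whose version is below an advisory's fixed_in version.

    Specs that carry no numeric version (for example "*") cannot be judged from the
    manifest alone and are skipped; a lockfile is needed to resolve them.
    """
    findings = []
    for comp in inventory:
        have = parse_version(comp["version"])
        if not have:
            continue
        for adv in advisories:
            if (comp["ecosystem"] == adv["ecosystem"] and comp["name"] == adv["name"]
                    and version_lt(have, parse_version(adv["fixed_in"]))):
                findings.append({**comp, "advisory": adv["id"], "fixed_in": adv["fixed_in"]})
    return findings


if __name__ == "__main__":
    for f in find_vulnerable(inventory_tree(".")):
        print(f"{f['source']}: {f['name']} {f['version']} -> fixed in {f['fixed_in']} ({f['advisory']})")
```

Two limits are worth noting, because they are exactly where manifest-only inventories go wrong: a caret or wildcard spec in package.json describes what was requested, not what was installed, so the resolved lockfile is the authoritative source; and vendored or copied-in code has no manifest at all, which is the case that dedicated scanning tools exist to cover.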
Whether or not organizations agree with the bill, Congress’s focus on open source software was understandable, and many companies could learn from this failed legislation and its implications for the open source world as a whole.
• Watch this free webinar to learn top tactics to reduce your open source security risk
• Read this free white paper to learn steps you can take to mitigate open source security vulnerabilities in your organization