By many standards, open source software is bigger than ever: a recent White Source Software study found that more than 80 percent of projects use open source components, and that 23 percent of programs contain open source code with known vulnerabilities. The range of open source options available means that software development is increasingly a process of combining disparate pieces, and that process carries risk from a software security standpoint, because developers do not always know who built the components they use or who is responsible for maintaining them.
Using open source safely
Given its ubiquity, developers can hardly abandon open source tools. Instead, they should adopt practices such as using only components that have been digitally signed, and actually verifying those signatures when the components are pulled in; maintaining an inventory of every open source component a project uses, with its version, and checking that inventory regularly for updates and newly disclosed vulnerabilities; building on a securely configured platform; and using collaborative code review tools where the team can discuss and rate the risk of individual components.
Recent months have seen a push to standardize some software security best practices in the open source world, from researchers advocating better bug disclosure policies for open source projects to the emergence of broad-based bug bounty programs. The most important underlying check, however, remains the developers' own: confirming that the security of the entire assembled project, third-party components included, meets their standards. Using approaches like static analysis and open source scanning (software composition analysis), teams can inspect the blocks of code they assemble programs from and catch defects and known-vulnerable components before the software is released. As scrutiny of open source components continues to grow, such checks will be essential for security success.
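The inventory check and the open source scanning described in the two paragraphs above, as an added example (this is not code from the article or from Klocwork): every component in a pinned inventory is checked for integrity against its recorded SHA-256 digest (the check that pip's --require-hashes mode performs; a signed-component workflow would verify a maintainer signature over the same artifact instead), its version is matched against an advisory feed, and anything fetched that was never added to the inventory is flagged. All component names, versions, digests, artifact bytes and advisory identifiers are constructed for the example.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    """One entry of the project's component inventory (a lockfile line)."""
    name: str
    version: str
    sha256: str  # digest pinned when the component was reviewed and adopted


@dataclass(frozen=True)
class Advisory:
    """A known-vulnerable range: every version strictly below `fixed_in` is affected."""
    name: str
    fixed_in: str
    advisory_id: str


# Constructed inventory. Each digest is the sha256 of the constructed artifact bytes below.
INVENTORY = [
    Component("libalpha", "1.2.0",
              "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),  # sha256(b"abc")
    Component("libbeta", "0.9.4",
              "b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9"),  # sha256(b"hello world")
    Component("libgamma", "2.0.1",
              "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),  # sha256(b"")
]

# Constructed "downloaded" artifacts for this build. libbeta was altered (in transit or on
# the mirror) and libdelta was pulled in without ever being added to the inventory.
FETCHED = {
    "libalpha": b"abc",
    "libbeta": b"hello world!",
    "libgamma": b"",
    "libdelta": b"not reviewed",
}

# Constructed advisory feed standing in for OSV, NVD or a vendor feed.
ADVISORIES = [
    Advisory("libalpha", fixed_in="1.3.0", advisory_id="EXAMPLE-2024-0001"),
    Advisory("libgamma", fixed_in="2.0.0", advisory_id="EXAMPLE-2023-0042"),
]


def parse_version(version: str) -> tuple:
    """Numeric dotted versions only ("1.2.0" -> (1, 2, 0)); pre-release tags are ignored.
    A production checker should use a PEP 440 / semver library instead of this helper."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def version_lt(a: str, b: str) -> bool:
    """Compare after zero-padding, so "1.2" and "1.2.0" are equal."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    return va + (0,) * (width - len(va)) < vb + (0,) * (width - len(vb))


def is_vulnerable(component: Component, advisory: Advisory) -> bool:
    return component.name == advisory.name and version_lt(component.version, advisory.fixed_in)


def digest_matches(component: Component, data: bytes) -> bool:
    """Integrity check against the pinned digest; compare_digest avoids a timing side channel."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, component.sha256.lower())


def audit(inventory, fetched, advisories) -> dict:
    """Return {component name: [finding, ...]}; an empty list means the component is clean."""
    findings = {c.name: [] for c in inventory}
    for comp in inventory:
        data = fetched.get(comp.name)
        if data is None:
            findings[comp.name].append("artifact missing from build")
        elif not digest_matches(comp, data):
            findings[comp.name].append("digest mismatch: artifact differs from the pinned one")
        for adv in advisories:
            if is_vulnerable(comp, adv):
                findings[comp.name].append(
                    f"version {comp.version} affected by {adv.advisory_id} (fixed in {adv.fixed_in})")
    # Anything fetched that is not in the inventory bypassed review entirely.
    for name in fetched:
        if name not in findings:
            findings[name] = ["not in inventory: unreviewed component in build"]
    return findings


def release_allowed(findings: dict) -> bool:
    """Gate the release on a clean audit: any finding blocks it."""
    return all(not items for items in findings.values())


if __name__ == "__main__":
    result = audit(INVENTORY, FETCHED, ADVISORIES)
    for name, items in sorted(result.items()):
        print(name, "OK" if not items else "; ".join(items))
    print("release allowed:", release_allowed(result))
```

Run on the constructed data, libalpha is flagged as vulnerable, libbeta as tampered, libdelta as unreviewed, and only libgamma passes, so the release gate stays closed. Wiring the same audit into CI, with the inventory kept under version control and the advisory feed refreshed on every run, turns the "list of open source tools that is regularly checked" into a check that cannot be skipped.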
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.