At first glance, 2014 may not seem like a good year for open source, especially in the realm of security. After all, the past 12 months saw two of the most devastating open source-related security breaches of all time in the form of Heartbleed and Shellshock. Yet despite these notable exceptions, open source software advanced significantly in 2014, becoming both more widespread and more secure on the whole.
With 2015 around the corner, this trajectory is likely to continue. However, security remains a key issue, which will make open source scanning and governance solutions essential in the coming year.
The obvious choice
One of the most noteworthy trends on the horizon is the growing accessibility of open source solutions. Small Biz Trends contributor Curt Finch recently asserted that open source software “is changing the face of the information age” as it enters the mainstream more fully. Most importantly, this is making open source software a viable option for small to mid-sized businesses that would otherwise not be able to afford enterprise-level tools.
Just as importantly, Finch argued that many of the concerns observers harbor about open source security are unfounded, thanks to the simple fact that a large number of people will look at any given piece of code, inspecting its reliability.
Combined, these factors suggest that virtually every company will soon be at least somewhat reliant on open source software, according to Finch. This will open up even more possibilities, but it will also put more pressure on firms to fully secure and protect their open source assets.
Unfortunately, many organizations’ current efforts and policies do not fully address the issue of open source security requirements, thereby putting themselves at risk.
Writing for Dark Reading, Matt Little recently pointed specifically to the issue of encryption. He argued that encryption can serve an invaluable role in open source security efforts. However, most organizations do not have the means or expertise necessary to effectively apply encryption to their code resources. Instead, he emphasized the importance of seeking out expertise when aiming to utilize encryption for open source security.
Additionally, Little noted that testing is an essential part of information security.
“Any individuals or organizations that take information security seriously should do their own pen testing on an application before they add it to their arsenal,” the security expert wrote. “For enterprise customers, there are a number of providers that can provide product security assessments, including white box and black box testing, architecture design assessments and even threat modeling.”
This is especially true because, unlike proprietary code, open source software will not have dedicated security teams looking for vulnerabilities or flaws, CIO contributor Paul Rubens explained. The author asserted that even though proprietary code is more likely to contain defects, these issues will often be found more quickly. This makes best practices and high-quality tools essential for firms leveraging open source software.
For example, Rubens noted that static analysis tools can help significantly in this capacity, as they allow developers to identify otherwise-unnoticed bugs. However, this is only the case with high-quality solutions – less effective offerings may produce too many false positives, which can frustrate developers and eventually lead them to stop using these tools altogether. High-end solutions enable users to avoid such an outcome.
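To make the false-positive point concrete, here is a small added example (not code from the article or from any tool it mentions) contrasting two ways of checking Python code for the same weakness, shell command construction with untrusted input. The first rule is a plain text match, the second walks the syntax tree and only reports a `subprocess` call that sets `shell=True` with a non-literal command. The sample source being scanned is constructed for the demonstration.

```python
import ast

# Constructed sample program to scan. Only run_user() builds a shell command
# from caller-controlled input; the other mentions of shell=True are a comment,
# a fixed literal command, and a string.
SAMPLE = '''\
import subprocess

# shell=True is dangerous when the command includes user input
def run_literal():
    return subprocess.run("ls -l", shell=True)

def run_user(cmd):
    return subprocess.run("ls " + cmd, shell=True)

def run_safe(cmd):
    return subprocess.run(["ls", cmd])

help_text = "never pass shell=True with untrusted input"
'''

SUBPROCESS_FUNCS = {"run", "Popen", "call", "check_call", "check_output"}


def naive_scan(source: str) -> list:
    """Text-match rule: flags every line that mentions shell=True,
    comments and string literals included. Cheap, but noisy."""
    return [n for n, line in enumerate(source.splitlines(), start=1)
            if "shell=True" in line]


def _is_subprocess_call(node: ast.Call) -> bool:
    """True for calls of the form subprocess.<func>(...)."""
    f = node.func
    return (isinstance(f, ast.Attribute)
            and isinstance(f.value, ast.Name)
            and f.value.id == "subprocess"
            and f.attr in SUBPROCESS_FUNCS)


def ast_scan(source: str) -> list:
    """Syntax-aware rule: report a subprocess call only when shell=True is
    passed and the command argument is not a plain string literal, i.e. the
    command may be assembled from data the program does not control."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not _is_subprocess_call(node):
            continue
        shell_true = any(
            kw.arg == "shell"
            and isinstance(kw.value, ast.Constant)
            and kw.value.value is True
            for kw in node.keywords
        )
        if not shell_true or not node.args:
            continue
        cmd = node.args[0]
        if isinstance(cmd, ast.Constant) and isinstance(cmd.value, str):
            continue  # fixed literal command: no injection surface to report
        findings.append(node.lineno)
    return findings


if __name__ == "__main__":
    print("text match flags lines:", naive_scan(SAMPLE))   # [3, 5, 8, 13]
    print("AST rule flags lines:  ", ast_scan(SAMPLE))     # [8]
```

The text rule reports four lines, three of which a developer would dismiss immediately; the syntax-aware rule reports the one call that actually deserves attention. Real static analysers apply the same idea at far greater scale, which is why tool quality, not just tool presence, decides whether developers keep listening to the findings.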
Businesses should also look for sophisticated open source scanning, governance and support tools. Firms can use these resources to determine precisely how open source tools are being used throughout the organization. Considering the projected rapid expansion of open source use in 2015, it will be more difficult, and more important, than ever before to keep close track of where open source solutions are being deployed. These tools can provide that insight, leading to much better security efforts.
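The inventory that such scanning tools produce can be illustrated with a short added example (not code from the article or from any product it refers to). It assumes each internal project keeps a `requirements.txt`-style manifest; the three manifests below are constructed for the demonstration. The script builds a map of which projects use which open source component and at what version, then reports the two governance problems that are hardest to see without such a view: components that are not pinned, and components pinned to different versions in different projects.

```python
import re
from collections import defaultdict

# Constructed sample manifests, one per hypothetical internal project.
MANIFESTS = {
    "billing-api": "requests==2.3.0\nPyYAML==3.11\nflask>=0.10\n",
    "reporting": "requests==2.4.3\n# internal tooling\nPyYAML==3.11\n",
    "ops-scripts": "paramiko\nPyYAML==3.10\n",
}

# name, optional comparison operator, optional version
REQ_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*(==|>=|<=|~=|>|<)?\s*([^\s#]+)?")


def parse_manifest(text: str) -> list:
    """Return (name, operator, version) tuples, skipping blanks and comments.
    Names are lower-cased so PyYAML and pyyaml count as one component."""
    out = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = REQ_RE.match(line)
        if m:
            out.append((m.group(1).lower(), m.group(2), m.group(3)))
    return out


def build_inventory(manifests: dict) -> dict:
    """component -> {project: version spec}; 'unpinned' when no version given."""
    inventory = defaultdict(dict)
    for project, text in manifests.items():
        for name, op, version in parse_manifest(text):
            spec = f"{op or ''}{version or ''}"
            inventory[name][project] = spec or "unpinned"
    return dict(inventory)


def governance_findings(inventory: dict) -> list:
    """Flag components that are not pinned exactly, and components whose
    exact pins disagree across projects."""
    findings = []
    for component, uses in sorted(inventory.items()):
        unpinned = sorted(p for p, spec in uses.items() if not spec.startswith("=="))
        if unpinned:
            findings.append(f"{component}: not pinned in {', '.join(unpinned)}")
        pins = {spec for spec in uses.values() if spec.startswith("==")}
        if len(pins) > 1:
            findings.append(f"{component}: multiple pinned versions {sorted(pins)}")
    return findings


if __name__ == "__main__":
    inventory = build_inventory(MANIFESTS)
    for component, uses in sorted(inventory.items()):
        print(component, uses)
    for finding in governance_findings(inventory):
        print("FINDING:", finding)
```

Once the inventory exists, the obvious next step is to join it against an advisory feed so that a newly published flaw in a component can be traced to every project that ships it; the parsing and normalisation shown here is what makes that join reliable.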