Not all that long ago, open source was viewed with skepticism and suspicion by IT professionals. While many saw the value that open source could deliver, others doubted its long-term viability or security. As we’ve seen over the past few years, though, these fears are largely falling by the wayside as organizations open up their code to the community.
Opening up code is one thing; for this trend to continue without negative side effects, however, companies need to think carefully about how they pursue open source. Specifically, firms need to embrace open source security tools, such as our scanning and governance resources, so that IT leaders know where and how open source is being deployed throughout the organization. Here’s why.
Open source for cybersecurity
First and foremost, it is important that we establish that open source is a lot like other IT services: It can absolutely be secure, as long as it is approached appropriately.
To highlight both the value and potential security of open source solutions, consider the recent announcement that the U.S. Army released a piece of open source code to help other government organizations combat cyberattackers. The Army has used this program, known as Dshell, for nearly five years as it investigated successful cyberattacks aimed at the Department of Defense. As William Glodek, Network Security branch chief for the U.S. Army Research Laboratory, explained, Dshell serves as a framework for developers to create their own customized analysis modules, based on cybersecurity compromises they’ve examined. This flexibility means that Dshell will likely prove useful to both federal agencies beyond the armed services and private sector firms, he stated.
“Outside of government there are a wide variety of cyberthreats that are similar to what we face here at ARL,” said Glodek. “Dshell can help facilitate the transition of knowledge and understanding to our partners in academia and industry who face the same problems.”
Keeping open source safe
In many ways, this release highlights the best, most powerful aspects of open source in general. Glodek emphasized the Army’s desire to work collaboratively with other DOD agencies and partners outside the government to develop stronger, more resilient code. This demonstrates how open source communities are able to produce optimized software. Also, the simple fact that the U.S. Army feels comfortable releasing, using and working collectively on a piece of open source software demonstrates its trustworthiness.
But it’s also key to remember that open source can prove problematic when companies take a hands-off approach. Just look at Heartbleed, Shellshock and now Ghost – all of these represent vulnerabilities in widely used software systems.
The biggest issue is not that open source solutions may be flawed, but rather that company leaders often do not know which open source tools they have deployed throughout their organizations. When this is the case, decision-makers are unable to respond quickly and effectively to any security issues that may arise.
That’s why open source scanning and governance solutions are so important. These tools allow a company to quickly and easily identify where, when and how open source is being used, down to the specific component and version. This type of insight vastly improves the quality of any given company’s cybersecurity, allowing the business to take full advantage of open source tools with minimal risk.
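The two paragraphs above describe the core of what a scanning and governance tool does: build an inventory of which open source components are in use where, then check that inventory against known advisories so that a Heartbleed-style disclosure can be answered with a list of affected systems rather than guesswork. The script below is an added example written for this article, not code from the original page or from any vendor's product. It assumes requirements.txt-style manifests as its input; the manifests, package names (libalpha, libbeta, libgamma) and advisory identifiers (ADV-PLACEHOLDER-*) are all constructed placeholders, not real projects or CVEs. It also illustrates a practical caveat: a component declared only as a version range cannot be matched against an advisory, so governance depends on exact pins.

```python
"""Minimal open source inventory and advisory matching.

Added example for this article; not the page's or any product's own code.
All manifests, package names and advisory ids below are constructed placeholders.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample manifests, keyed by the repository path where a scanner found them.
MANIFESTS = {
    "billing-service/requirements.txt": "libalpha==1.0.1\nlibbeta>=2.3.0\n",
    "web-frontend/requirements.txt": "libalpha==1.0.2\nlibgamma==0.9.0  # constructed\n",
}

# Constructed advisories: every version strictly below `affected_below` is affected.
# The ids are placeholders, not real CVE numbers.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "package": "libalpha", "affected_below": "1.0.2"},
    {"id": "ADV-PLACEHOLDER-2", "package": "libgamma", "affected_below": "1.0.0"},
]


@dataclass(frozen=True)
class Component:
    name: str
    version: Optional[str]  # None when the manifest gives a range rather than an exact pin
    location: str


# name, optional operator, optional version (requirements.txt style)
_REQ_RE = re.compile(r"^([A-Za-z0-9_.-]+)\s*(?:(==|>=|<=|~=|!=|>|<)\s*([0-9][0-9A-Za-z.]*))?")


def parse_requirements(text: str, location: str) -> list:
    """Parse requirements.txt-style lines; only '==' yields an exact, matchable version."""
    comps = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = _REQ_RE.match(line)
        if not m:
            continue
        name, op, ver = m.group(1).lower(), m.group(2), m.group(3)
        comps.append(Component(name, ver if op == "==" else None, location))
    return comps


def version_key(v: str) -> tuple:
    """Numeric dotted-version key so that '1.0.10' sorts after '1.0.2'."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def build_inventory(manifests: dict) -> list:
    """Flatten every discovered manifest into one list of Components."""
    inventory = []
    for location, text in manifests.items():
        inventory.extend(parse_requirements(text, location))
    return inventory


def match_advisories(inventory: list, advisories: list):
    """Return (findings, unpinned): affected pinned components, and components
    whose exposure cannot be decided because the manifest gives no exact version."""
    findings, unpinned = [], []
    for c in inventory:
        if c.version is None:
            unpinned.append(c)
            continue
        for adv in advisories:
            if adv["package"] == c.name and version_key(c.version) < version_key(adv["affected_below"]):
                findings.append({"id": adv["id"], "package": c.name,
                                 "version": c.version, "location": c.location})
    return findings, unpinned


def report(manifests: dict = MANIFESTS, advisories: list = ADVISORIES) -> dict:
    """Summarise what a governance dashboard would show for the constructed data."""
    inventory = build_inventory(manifests)
    findings, unpinned = match_advisories(inventory, advisories)
    return {
        "components": len(inventory),
        "findings": findings,
        "unpinned": [(c.name, c.location) for c in unpinned],
    }


if __name__ == "__main__":
    summary = report()
    print(f"{summary['components']} components inventoried")
    for f in summary["findings"]:
        print(f"AFFECTED {f['id']}: {f['package']} {f['version']} in {f['location']}")
    for name, loc in summary["unpinned"]:
        print(f"UNPINNED {name} in {loc}: exact version unknown, cannot assess")
```

On the constructed data the report flags libalpha 1.0.1 in billing-service (but not the patched 1.0.2 copy in web-frontend) and libgamma 0.9.0, and lists libbeta as unpinned. That last bucket is the one governance programs tend to underestimate: an inventory that records "some version of libbeta" cannot answer whether a new advisory applies, which is exactly the slow, uncertain response the article warns about.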
Going forward with open source
To further illustrate why companies are increasingly turning to open source solutions, ReadWrite contributor Matt Asay recently highlighted several of the biggest advantages for companies of open sourcing their own code. While the advantages of using already-available open source code are relatively straightforward, the case for firms opening up their own code for external use may seem less intuitive.
As Asay pointed out, though, open sourcing code can make it even stronger, as outsiders offer their own contributions. This effect, which he described as a force multiplier, helps make the organization more productive and efficient.
Furthermore, Asay emphasized that talented software developers will be impressed by your company’s open source contributions, making them more inclined to seek out employment with your firm. In this sense, embracing open source fully can be a powerful recruitment tool.