We held a webinar last week discussing how static analysis and open source scanning play an important role in ensuring that code coming into your organization from a third party, such as a contractor, an open source repository, or an ISV, is free from security flaws and gaps in standards compliance.
Ensuring your own code meets requirements is a difficult enough challenge; ensuring the same for all code coming into your organization from the outside can seem almost insurmountable.
Our attendees were from a mix of small and large development companies with even a few researchers and academics in the crowd. They all had one interest in common: protecting their organizations from supplier risks. We always try to understand our attendees so here are some interesting results from one of the audience polls we conducted during the webinar:
What percentage of your code is free and open source software?
0 to 25% – 43%
26 to 50% – 43%
51 to 75% – 0%
More than 75% – 14%
This result presents an interesting contrast to the common belief that most applications contain more open source than custom or proprietary code. We can attribute this to the fact that many in our audience are from the embedded software development space, where open source use isn’t as common. Either way, using a large percentage of open source or not, it’s prudent to ensure you know where open source is being used and whether there are any security risks reported. You can learn how to do this at 34:30 in the webinar.
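To make the "know where open source is being used and whether there are any security risks reported" step concrete, here is a small added example (my own illustration, not code from the webinar or from Klocwork). It inventories the third-party components declared in a pip-style requirements manifest and flags any that fall below a fixed version in an advisory list. Both the manifest and the advisory entries are constructed sample data with placeholder ids; a real check would pull from a maintained vulnerability feed rather than a hard-coded list.

```python
"""Added example: inventory third-party components from a requirements.txt-style
manifest and flag known advisories. Manifest and advisory data are constructed
placeholders for illustration only."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample manifest, as it might arrive from a contractor or ISV.
MANIFEST = """
requests==2.19.0
# build helper, left unpinned
pyyaml>=5.1
flask==1.0.2
numpy==1.21.0
"""

# Constructed advisory list: (package, first fixed version, advisory id).
# The ids are placeholders, not real advisories.
ADVISORIES: List[Tuple[str, str, str]] = [
    ("requests", "2.20.0", "EXAMPLE-ADV-001"),
    ("flask", "1.0.0", "EXAMPLE-ADV-002"),
    ("pyyaml", "5.4", "EXAMPLE-ADV-003"),
]


@dataclass
class Component:
    name: str
    version: Optional[str]  # None when the manifest does not pin an exact version


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.19.0' into (2, 19, 0) so versions compare numerically."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def parse_manifest(text: str) -> List[Component]:
    """Return the components declared in a pip-style manifest.
    Only '==' pins yield a concrete version; any other specifier is recorded
    as unpinned, because the installed version cannot be known from the file."""
    comps = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        m = re.match(r"^([A-Za-z0-9_.-]+)\s*(==|>=|<=|~=|>|<)?\s*([\w.]*)$", line)
        if not m:
            continue
        name, op, ver = m.groups()
        comps.append(Component(name.lower(), ver if op == "==" else None))
    return comps


def check_components(comps: List[Component], advisories=ADVISORIES):
    """Return findings as (name, version, advisory_id, reason) tuples.
    An unpinned component that has any advisory is reported too, since a
    range specifier gives no assurance that the fixed version is installed."""
    findings = []
    for c in comps:
        for pkg, fixed_in, adv in advisories:
            if c.name != pkg:
                continue
            if c.version is None:
                findings.append((c.name, None, adv, "unpinned version; cannot verify fix"))
            elif parse_version(c.version) < parse_version(fixed_in):
                findings.append((c.name, c.version, adv, f"below fixed version {fixed_in}"))
    return findings


if __name__ == "__main__":
    for name, ver, adv, reason in check_components(parse_manifest(MANIFEST)):
        print(f"{name} {ver or '(unpinned)'}: {adv} - {reason}")
```

Running it against the constructed manifest reports requests (pinned below the fixed version) and pyyaml (unpinned, so the fix cannot be confirmed), while flask and numpy pass. The unpinned case is the one worth noticing in supplier-delivered code: a manifest that only gives a lower bound tells you nothing about what will actually be built.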
One question that came up from the audience, highlighting the concern that software security issues are a global problem, was this:
Is it possible to set a one-time global policy for all computer practitioners to stop the whole process of system attacks?
This is a difficult question to answer, especially in light of the many different teams, environments, applications, and cultures all over the world. As Igor Gvero, Technical Product Manager for Klocwork, said, “I fear we may still be a long way from it. The future will hopefully prove us wrong, and hopefully such a policy will be established sooner rather than later.”
What the industry can do now is promote a sense of organizational ownership over software security. Ensuring that your own team and your suppliers deliver code that is as secure as possible will, over time, improve the overall security health of the software world.
And with that, here are two resources to help get you started: