Information Security Forum explores the risks and challenges of open source software
According to the Information Security Forum (ISF), trusted resource for executives and board members on cybersecurity and risk management, open source software (OSS) is emerging as a core part of IT infrastructure and applications, largely due to the growing popularity of agile development methodologies and DevOps practices. With a substantial number of commercial and custom-made applications incorporating OSS, it cannot, and should not, be ignored.
In an effort to support global organizations, the ISF announces the release of Deploying Open Source Software: Challenges and Rewards, helping security professionals recognize the benefits and perceived challenges of using OSS and set up a program of protective measures to effectively manage OSS, which is often seen as being insecure and unsupported, says the release. "As these negative connotations continue to taint its reputation, some organizations officially prohibit it, even though they may unknowingly be using OSS. Others enthusiastically adopt OSS, harnessing its advantages, such as aiding flexible and rapid development. The latest paper from the ISF demonstrates that OSS can be a positive influence on software development, if used and managed responsibly," says the release.
“Many organizations are adopting agile and DevOps methodologies, which is driving an increased uptake of OSS and, in turn, the creation of new mixed source applications,” said Paul Holland, Principal Research Analyst, ISF. “The growing prevalence of OSS needs to be balanced by a concerted effort to manage its use appropriately and effectively. For some organizations, the first step is to realize that the myths surrounding OSS are simply illusions. For other organizations, the appeal of OSS and mixed source software is already apparent, allowing them to develop new applications securely and increase speed to market for new ideas.”
With OSS becoming commonplace within organizations, it brings a different set of risks and perceived challenges compared to closed source (proprietary) software, notes the release, and going forward, establishing the difference between the myth and the reality will be critical to securing OSS. "As it becomes the mainstay within application development and infrastructure, security professionals will need to understand OSS and manage the challenges associated with its components. Fixes to these security challenges should be implemented as part of an OSS management program, led by a senior individual appointed to the role of OSS Program Manager. Integrating all these measures into a single, overarching program will enable a holistic and coordinated approach to managing the risks of OSS," says ISF.
According to ISF, the OSS Program Manager should be supported with the necessary funds and resources to develop a viable program and team. While in some instances, existing tools for closed source software can be extended to secure and manage OSS, the program team may need to procure additional tools to further enhance OSS security. The team should also monitor threat intelligence feeds for mentions of OSS components that the organization is using.
“Resisting the move to OSS could limit an organization’s ability to progress and evolve. If harnessed effectively, OSS can potentially be an accelerator for the business,” continued Holland. “Fostering an OSS management program is therefore vital to securing and managing OSS, allowing the organization to use it safely. Combining this with established practice around the management of closed source software will deliver a coherent, all-encompassing software management program, providing the best opportunity for success.”
With many traditionally closed source software vendors adopting OSS principles, OSS is here to stay, notes ISF. The flexibility of both open and mixed source software could lead to a decline in closed source software, resulting in a fundamental shift in software management, licensing and security, and organizations must be prepared, says the release.
Wei Lien Dang, Co-Founder and Chief Strategy Officer at StackRox, a Mountain View, Calif.-based leader in security for containers and Kubernetes, says, "If an organization is running open source software and uses a central IT model, there should be operators, or someone responsible for IT operations in general, that is responsible for patch maintenance and ensuring that upgrades are made. This could also be handled by someone on the development or DevOps team. While open source software is often a cost conscious choice, that doesn’t mean that it’s not without overhead. This comes in the form of experience and/or training to ensure that OSS code is patched and secured. This is one of the reasons why organizations go with commercial software or a cloud managed service. In those cases, it's the responsibility of the software or cloud provider to make patches available. You get the added benefit of a level of outsourced support and upkeep."
"When you are focused on building and shipping software, there are benefits of using open source software," he says. "However, organizations need to be careful that they understand how to deal with vulnerabilities and licensing issues that could create exposures. Software development practices, regardless of the methodology, that borrow from open source need to account for product security. It's not unique to DevOps - if you overlook the OSS patching process, you can easily put your organization at risk. There are two core considerations when using OSS in software development - that you have the right tooling in place to ensure protection and the right processes in place to manage patches. You need to have a way of discovering vulnerabilities, license issues and other risks associated with using OSS. The methodology, Agile, DevOps or otherwise, shouldn't make a difference. If you choose to use OSS you need to understand the security risks and implications of doing so and be prepared to deal with it appropriately."
Thomas Hatch, CTO and Co-Founder at SaltStack, a Lehi, Utah-based provider of intelligent IT automation software, notes that the duties of IT workers vary greatly from organization to organization, but a large number of organizations have very few IT resources that are focused on patching. "Modern IT professionals spend much more time managing high-level APIs and UIs - they need to deal with a large group of systems and services and are not as focused on the system and OSS management as they were 10 years ago. The ability to take massive amounts of free, untested, unvalidated, and not necessarily secured software off the shelf, has created a liability deeply embedded in areas that make heavy use of open-source software," says Hatch.
Deploying Open Source Software: Challenges and Rewards is available now to ISF Member companies via the ISF website.