IT Security Guru

Ignoring Open Source Components is Making Security Software Insecure

by The Gurus
January 5, 2017
in This Week's Gurus

A recent Software Vulnerability Report revealed that of the 46 products appearing in the list of top 20 products with the most vulnerabilities during August – October in 2016, 11 were security-related products from vendors such as AlienVault, IBM, McAfee, Palo Alto and Splunk.
Many of the vulnerabilities in these security products are actually vulnerabilities discovered in open source or third-party components embedded within them. This highlights how important it is that software producers understand the third-party components used in their products and the vulnerabilities associated with them.
It is unthinkable today that any software development team would not incorporate open source or third-party components into the product they help build. In fact, the average software product is made up of at least 50 percent open source technology. The ability of open source to expand a developer's productivity has allowed the industry to create products containing large amounts of functionality, but it has also created a situation where the security of the product depends on a long and complex software supply chain.
Even though their technology depends heavily on open source software (OSS), most organisations are not properly tracking and monitoring their use of these components. Data shows that most organisations have difficulty producing a Bill of Materials (BOM), a list of the open source they are using. Even during a Merger & Acquisition (M&A), when a company is expected to provide as much information as possible, most organisations are unable to disclose even a single open source project they depend on. Even for companies that can list some components, that list is still a small fraction of the true set of dependencies. Research shows that a company's true list is typically, on average, 20 times larger than its current disclosure.
Almost every open source component is governed by a licence, with obligations that a company must follow if it distributes a product containing that component. These obligations typically include passing along the text of the licence, copyright statements and, in some cases, the source code of the component or of the complete product. Again, most organisations are not providing the content required by the open source licences.
How does this happen?
Developers are under intense pressure to build software products and release them on a tight schedule. Tracking and managing their use of open source has not been part of most organisations' heritage and has been ignored until it causes a serious, high-visibility issue. Many people who find themselves managing a software team did not have access to the same amount of open source when they were learning to be developers. Senior management is also unaware of the compliance and security requirements of using open source software, so it does not require compliance or OSS management. Often it takes an outside event, such as a hack, M&A activity, a compliance request or an OSS disclosure requirement from a customer, to kick-start the process.
What can happen when you don’t manage your use of open source?
The two most common issues encountered by companies who do not properly manage their use of open source are being out of compliance with the licenses they use, and finding themselves at risk due to untracked vulnerabilities in the open source they are using.
The first issue often leads to the second.  If a company does not know what open source it depends on, it is impossible to comply with the licenses as required.  It also means that any current or future security vulnerabilities discovered in those software components are not handled.  It is very common for OSS components to have new vulnerabilities discovered after they are first shipped.  These vulnerabilities can sit silently in a shipping product until taken advantage of by attackers.  This is especially important to track if your organisation is involved with security or networking.
How to start managing your use of open source?
The first element of an open source management programme is education. The basics of compliance and OSS management need to be taught at all levels of the organisation, not just at the developer level. Senior management must be made aware of the compliance requirements, as well as of the need to periodically update shipping products in order to upgrade vulnerable open source components. If these requirements are not planned for and budgeted, they will never get done. In many companies, a small team of subject-matter experts from many disciplines comes together to form an Open Source Review Board (OSRB). This team often includes technical, legal, IT and management staff. The OSRB helps set policies, responds to compliance and security events, and provides training and knowledge about open source to the rest of the company. The group can be ad hoc or more tightly structured, depending on the maturity and size of the company.
These policies can then be implemented by the development teams: first, to comply with all the open source licences they are using, and second, to create a process to discover vulnerable components and release upgrades as needed. Software Composition Analysis (SCA) tools exist to help discover and manage the OSS that is being used. These tools can also help automate the process of vulnerability alerting.
What does successful management look like?
After a company enacts policy, educates its employees and rolls out an SCA management solution, it will be able to display some of the hallmarks of OSS compliance and management. These include creating a BOM for each software release, following the licence obligations as required, and creating updates to shipping products when vulnerabilities are discovered. By setting up these processes and following OSS best practices, companies are able to comply with community expectations and reduce their exposure to OSS-related vulnerabilities.
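As an added example (not the article's or any vendor's code) of the hallmarks above and of what an SCA tool automates, the following Python script parses a lockfile into a per-release Bill of Materials, flags components pinned below the first fixed version in an advisory feed, and lists the licence obligations a distributor would have to pass along. The lockfile, licence table and advisory feed are constructed sample data, and the advisory ids are placeholders, not real CVEs.

```python
import re

# Constructed sample lockfile in pip "name==version" form; not taken from the article.
LOCKFILE = """\
requests==2.9.1
# internal component, not an open source dependency
ourcorp-auth==1.0
pyyaml==3.11
libxml-bindings==2.9.4
"""

# Constructed licence table (SPDX ids) and advisory feed; advisory ids are placeholders, not real CVEs.
LICENSES = {"requests": "Apache-2.0", "pyyaml": "MIT", "libxml-bindings": "GPL-2.0-only"}
ADVISORIES = [  # (component, first fixed version, advisory id)
    ("pyyaml", "4.1", "ADV-0001 (constructed)"),
    ("libxml-bindings", "2.9.5", "ADV-0002 (constructed)"),
    ("requests", "2.9.1", "ADV-0003 (constructed)"),  # pinned version is already the fixed one
]
SOURCE_REQUIRED = {"GPL-2.0-only", "GPL-3.0-only", "LGPL-2.1-only"}  # copyleft: source must be offered

def parse_version(v):
    """'2.9.4' -> (2, 9, 4) so versions compare numerically rather than as strings."""
    return tuple(int(p) for p in v.split("."))

def build_bom(lockfile):
    """Return [(name, version, licence)] for every pinned dependency: the release's BOM."""
    bom = []
    for line in lockfile.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9_.-]+)==([0-9.]+)\s*$", line)
        if m:
            name = m.group(1).lower()
            bom.append((name, m.group(2), LICENSES.get(name, "UNKNOWN")))
    return bom

def vulnerable_components(bom, advisories=ADVISORIES):
    """Components pinned below the first fixed version of a matching advisory."""
    return [(name, ver, adv, fixed)
            for name, ver, _lic in bom
            for comp, fixed, adv in advisories
            if name == comp and parse_version(ver) < parse_version(fixed)]

def license_obligations(bom):
    """What a distributor must pass along for each component (coarse mapping)."""
    return {name: ("licence unknown: identify it before shipping" if lic == "UNKNOWN"
                   else "licence text, copyright notices and corresponding source" if lic in SOURCE_REQUIRED
                   else "licence text and copyright notices")
            for name, _ver, lic in bom}
```

Run against a real lockfile, the BOM is the artefact to attach to each release; the advisory check is what an SCA tool re-runs as new vulnerabilities are published against components that have already shipped.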

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic