Breaking it down to build it up

While there are many issues and aspects related to open source security, in the end, it all comes down to three basic goals.
By Roan Linde, Automation and AppSec lead at CA Southern Africa.
Johannesburg, 23 Aug 2021

According to IDC, every company is a software company, with competitiveness depending on the speed at which businesses can transform and embrace new tools and technologies. In the case of high-performing organisations, that means open source software is now a 'when', not an 'if', prospect.

Today's commercial environment requires organisations to intensify the pace and scope of their digital transformation initiatives to remain competitive. When confronted with a business landscape in which competitors leverage digital solutions to solve business problems, organisations from all industry verticals are transforming themselves into software companies.

IDC notes that in enhancing capabilities to develop digital solutions, companies seek to demonstrate greater agility, speed and intelligence regarding their ability to respond to customer needs and evolving market dynamics. This uptake of software and digital solutions involves recognition of the changing nature of software and particularly the increased importance of open source technologies.

Rapid adoption of DevOps (which IDC defines as practices that promote agile, continuous application code delivery; automated self-service infrastructure delivery; and close collaboration across development, line-of-business and IT operations roles) is a key attribute of highly innovative software organisations.

IDC’s annual survey of software developers, DevOps professionals, IT decision-makers and line of business executives from around the world delivers a wealth of findings about contemporary developers and the state of software development.

For example, it observes that the roles and responsibilities of developers continue to expand. The survey results show that developers are not only the architects and visionaries of digital transformation, but also have end-to-end line of sight into the processes that govern the manufacturing of digital solutions.

Moreover, it highlights that this finding underscores the importance of developers to both technology suppliers and buyers, because developers have insights into how the operational efficiency of development processes can be improved.

Increased awareness of security and compliance challenges related to software and data has intensified interest in the decentralised quality of open source software development and its ability to promote transparency, as well as security- and compliance-related innovation.

It is necessary to establish deep visibility into open source and other code through sharing accountability between security and development groups. Understanding your application inventory is critical. Research shows that only half of all organisations maintain inventories of components and subcomponents.

Moreover, only that same half recognises the need to update components even when vulnerabilities in them are made public.

The upshot of this is that a complete inventory of open source code is a good starting point for securing the enterprise. Today, the management of open source code extends beyond development teams. Best practice methodologies dictate that protection from a shared perspective is a better approach, with communication and collaboration being essential elements if one is to prioritise risks as well as remediations.

Creating a concise, focused open source security policy

It's a lot easier to address security risks when everyone is marching in the same direction. Organisations benefit when benchmarks and metrics are introduced which establish a set of priorities for remediation and put processes and workflows in place to support this framework.

The right tools, such as software composition analysis, can help establish blacklists for high-risk versions of open source code.

Managing technical debt: It's important to have policies and procedures in place so that teams stay ahead of attackers. Open source libraries and code are constantly updated, patched and fixed; nevertheless, it is vital to consistently monitor and make changes as new open source updates take place.

Establish security champions: The ability to understand the business and development needs of the organisation, along with the security required to protect its assets, can go a long way toward strengthening protection. What's more, establishing a security champion on the development team can aid in translating and disseminating technical data and ensuring the company is effectively addressing vulnerabilities in open source code and libraries.

Test code early and often: More than anything, it's critical to test open source code at all stages of development and deployment. Continuous monitoring through static and dynamic testing can find vulnerabilities and errors that may otherwise go undetected. Some of them only become apparent in the context of a company's specific business logic.

Research shows that the 48% of developers who scan code early and often fix 48% more flaws than those who don't perform this screening exercise.

Although there are many issues and aspects related to open source security, in the end, it all comes down to three basic goals, namely:

  • Identifying and cataloguing all open source and commercial code.
  • Putting tools and processes in place to identify vulnerabilities.
  • Using specialised tools to address risks and problems.

Static scanning of first- and third-party code, alongside dynamic analysis, can accomplish these tasks. Together they establish a robust framework for managing code and using automation to identify vulnerabilities based on a 'fix first' paradigm that shortens compliance timeframes while providing remediation guidance and best practice education.
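The three goals above, reduced to their smallest working form: an inventory built from a dependency manifest, a blacklist of high-risk versions of the kind a software composition analysis tool maintains, and findings ordered so the most severe is fixed first. This is an added illustration, not code from the article or from any product; the manifest, the policy entries and the advisory identifiers are constructed placeholders.

```python
import re

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed sample manifest (pip requirements style); names and versions are made up.
SAMPLE_REQUIREMENTS = """\
# constructed example manifest, not a real project
requests==2.19.1
pyyaml==5.1  # pinned long ago
left-pad-py==0.9.3
"""

# Constructed policy: a blacklist of high-risk versions, expressed as
# "every release below fixed_in is unacceptable". Advisory ids are placeholders.
HIGH_RISK_POLICY = {
    "pyyaml": {"fixed_in": "5.4", "severity": "high", "advisory": "ADVISORY-ID-PLACEHOLDER-1"},
    "requests": {"fixed_in": "2.20.0", "severity": "medium", "advisory": "ADVISORY-ID-PLACEHOLDER-2"},
}


def parse_version(version):
    """Turn '2.19.1' into (2, 19, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def parse_requirements(text):
    """Goal 1, the inventory: {package: pinned version}. Comments and blank lines are skipped."""
    inventory = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = re.fullmatch(r"([A-Za-z0-9_.-]+)==([0-9][0-9A-Za-z.]*)", line)
        if not match:
            raise ValueError(f"unpinned or unparsable requirement: {line!r}")
        inventory[match.group(1).lower()] = match.group(2)
    return inventory


def check_inventory(inventory, policy):
    """Goals 2 and 3: flag components below the fixed version, ordered 'fix first' by severity."""
    findings = []
    for package, version in inventory.items():
        rule = policy.get(package)
        if rule and parse_version(version) < parse_version(rule["fixed_in"]):
            findings.append({"package": package, "version": version, **rule})
    return sorted(findings, key=lambda f: SEVERITY_RANK.get(f["severity"], 99))


if __name__ == "__main__":
    for f in check_inventory(parse_requirements(SAMPLE_REQUIREMENTS), HIGH_RISK_POLICY):
        print(f"{f['severity']:>6} {f['package']}=={f['version']} -> upgrade to {f['fixed_in']} ({f['advisory']})")
```

Components absent from the policy (here `left-pad-py`) still appear in the inventory, which is the point of cataloguing everything before deciding what to fix.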

An organisation that adopts this approach is far better equipped to use open source to maximum advantage and with minimum risk.