Improve your open source security in three important steps
Current estimates say that 70-90% of software includes open source components. But how secure is open source? Open source packages are written and shared by developers worldwide, so using them in your own applications means introducing third-party code into your projects. That code carries security risk, and the more widely used an open source package is, the greater the impact a vulnerability inside it can have.
A new research project from Snyk and the Linux Foundation looked at how organizations secure the open source packages they use, and at how developers detect and manage the associated risk. A thorough analysis of the collected data revealed some major missteps organizations are making in open source security. Here are three steps organizations can take to correct those missteps and embark on a path to stronger security practices around open source.
1. Understand that dependencies bring complexity
The average project has 49 vulnerabilities spanning 79 direct dependencies.
Open-source security becomes a greater challenge as the software supply chain becomes more complex. Almost all modern applications are built with components that depend on other components, creating a supply chain that involves hundreds of components and multi-level dependencies.
The software supply chain is an attractive entry point for malicious actors, who can take advantage of vulnerabilities in small, widely used libraries. Remember Log4Shell? A critical flaw (CVE-2021-44228) in Log4j 2, a popular open source logging framework, meant that any attacker-controlled string that reached a log statement, such as a crafted `${jndi:...}` lookup placed in a request header, could trigger remote code execution (RCE). Most affected applications never called Log4j directly; it was a vulnerability inside a dependency, frequently a transitive one.
Only 24% of organizations are confident in the security of their direct dependencies. And while 37% of organizations say dependencies are easy to track, those dependencies aren’t necessarily in a secure state.
2. Lay the groundwork with security policies
Only 49% of organizations have a security policy that explicitly addresses the development and use of open source packages.
This is understandable in small organizations, where resources are limited. Research also showed that 27% of medium and large companies do not have an established security policy in place. When you consider the amount of data each of these companies could process, 27% is an alarming statistic.
Every organization needs a CISO (Chief Information Security Officer), or at least a person or team that owns security responsibilities. Once that ownership exists, an open source security policy tends to follow. Actionable policies need to be put in place and communicated across all teams, starting with the CISO and developers and extending throughout the organization.
3. Use the right tools
73% of organizations are looking for best practices to improve their software security.
Organizations should invest in a diverse set of tools to help them build more secure applications. In many cases, SCA (Software Composition Analysis) tools provide a huge advantage by allowing teams to find known vulnerabilities in the open source packages they depend on, including transitive ones, and learn how to fix them. Some organizations add other tools based on their security testing preferences.
SAST (Static Application Security Testing) tools, used in 35% of organizations, analyze source code, bytecode, and binary code to identify problematic coding patterns. Others add IaC (Infrastructure as Code) security scanning, which checks HashiCorp Terraform, AWS CloudFormation, Kubernetes, and Azure Resource Manager (ARM) configurations for misconfigurations before they reach production. Scanning IaC as part of the development workflow embeds security best practices directly into the way infrastructure is written.
Each of these tooling options can help organizations take a big step toward prioritizing open source security.
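To make the two points above concrete, the dependency complexity from step 1 and the SCA check from step 3, here is a small added example (not code from the article, Snyk, or the Linux Foundation report) that does what an SCA tool does in miniature. It reads a constructed npm lockfile in the lockfileVersion 3 `packages` layout, separates direct from transitive dependencies, records the path through which each transitive package is pulled in, and matches installed versions against a constructed advisory list using OSV-style `introduced`/`fixed` version events. All package names, versions and advisory IDs are invented for illustration; the example also assumes a flat, fully hoisted `node_modules` tree and ignores pre-release tags when comparing versions.

```python
import json
from typing import Dict, List, Set, Tuple

# Constructed sample lockfile in the shape of npm's lockfileVersion 3 "packages" map.
# Package names and versions are invented for this example.
SAMPLE_LOCKFILE = json.dumps({
    "name": "sample-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"webframe": "^2.1.0", "utilz": "^4.17.0"}},
        "node_modules/webframe": {"version": "2.1.4",
                                  "dependencies": {"parse-body": "^1.19.0", "querystr": "^6.7.0"}},
        "node_modules/parse-body": {"version": "1.19.2",
                                    "dependencies": {"querystr": "^6.7.0"}},
        "node_modules/querystr": {"version": "6.7.0"},
        "node_modules/utilz": {"version": "4.17.15"},
    },
})

# Constructed advisories using OSV-style "introduced"/"fixed" events:
# a version is affected if introduced <= version < fixed.
SAMPLE_ADVISORIES = [
    {"id": "SAMPLE-2024-0001", "package": "querystr", "introduced": "6.0.0", "fixed": "6.7.3"},
    {"id": "SAMPLE-2024-0002", "package": "utilz", "introduced": "0", "fixed": "4.17.21"},
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.19.2' into (1, 19, 2). Pre-release suffixes are dropped (simplification)."""
    return tuple(int(part) for part in v.split("-")[0].split("."))


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """OSV semantics: affected if introduced <= version < fixed."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)


def load_graph(lock_text: str) -> Tuple[Set[str], Dict[str, str], Dict[str, Set[str]]]:
    """Return (direct deps, name -> installed version, name -> child names).
    Assumes every package is hoisted to node_modules/<name> (no nested trees)."""
    packages = json.loads(lock_text)["packages"]
    direct = set(packages[""].get("dependencies", {}))
    versions: Dict[str, str] = {}
    edges: Dict[str, Set[str]] = {}
    for path, meta in packages.items():
        if path == "":
            continue
        name = path.rsplit("node_modules/", 1)[1]
        versions[name] = meta["version"]
        edges[name] = set(meta.get("dependencies", {}))
    return direct, versions, edges


def dependency_paths(direct: Set[str], edges: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Breadth-first walk from the app's direct deps; records the shortest path
    (direct dep ... package) for every reachable package."""
    paths: Dict[str, List[str]] = {}
    queue = [(d, [d]) for d in sorted(direct)]
    while queue:
        name, path = queue.pop(0)
        if name in paths:
            continue
        paths[name] = path
        for child in sorted(edges.get(name, ())):
            if child not in paths:
                queue.append((child, path + [child]))
    return paths


def summarize(lock_text: str) -> Tuple[int, int]:
    """Count (direct, transitive) packages actually reachable from the app."""
    direct, _, edges = load_graph(lock_text)
    reachable = dependency_paths(direct, edges)
    return len(direct), len(set(reachable) - direct)


def audit(lock_text: str, advisories: List[dict]) -> List[dict]:
    """Match installed versions against advisories; report how each hit was pulled in."""
    direct, versions, edges = load_graph(lock_text)
    paths = dependency_paths(direct, edges)
    findings = []
    for adv in advisories:
        name = adv["package"]
        if name in versions and is_affected(versions[name], adv["introduced"], adv["fixed"]):
            findings.append({
                "id": adv["id"], "package": name, "version": versions[name],
                "fixed_in": adv["fixed"], "direct": name in direct,
                "path": " > ".join(paths.get(name, [name])),
            })
    return findings


if __name__ == "__main__":
    n_direct, n_transitive = summarize(SAMPLE_LOCKFILE)
    print(f"{n_direct} direct, {n_transitive} transitive dependencies")
    for f in audit(SAMPLE_LOCKFILE, SAMPLE_ADVISORIES):
        kind = "direct" if f["direct"] else "transitive"
        print(f"{f['id']}: {f['package']}@{f['version']} ({kind}, via {f['path']}), fix: >= {f['fixed_in']}")
```

On the constructed input the script reports two direct and two transitive packages and two findings: one in a direct dependency the team chose, and one in `querystr`, which nobody chose but which arrives through `webframe`. That second kind of finding is why "our direct dependencies look fine" says little about the real exposure, and why a usable SCA report must show the dependency path, not just the vulnerable package. A real tool also has to handle nested `node_modules` trees, multiple installed versions of one package, and pre-release versions, all of which this example deliberately leaves out.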
The combined power of education, policies and tools
Using open source packages securely requires a way of thinking about developer security that many organizations have yet to embrace. Knowing what risks exist in the open source packages you depend on, and understanding how to protect against them, lets your organization use open source technology effectively and safely. Finding the most effective tools and policies for open source security is a great place to start.