Open Source Security Issues Exist: Deal With Them, Report Urges

Published 29 June 2020
Read the full article on Linux Insider

Open Source Software is becoming much more commonplace within organizations, bringing a different set of risks and perceived challenges compared to closed source or proprietary software.

The Information Security Forum (ISF) has released a report to help security professionals recognize the benefits and perceived challenges of using Open Source Software.

“Deploying Open Source Software: Challenges and Rewards,” which the ISF calls a briefing document, focuses on setting up a program of protective measures to effectively manage OSS deployment.

One of its goals is to detail the difference between the myths and the realities surrounding open source use. That understanding is critical to securing open source components in mixed code applications, according to ISF.

Open Source Software is emerging as a core part of IT infrastructure and applications. This status is due largely to the growing popularity of agile development methodologies and DevOps practices, according to ISF. With a substantial number of commercial and custom-made applications incorporating OSS, it cannot and should not be ignored.

As OSS becomes the mainstay within application development and infrastructure, security professionals will need to understand OSS and manage the challenges associated with its components. Fixes to these security challenges should be implemented as part of an OSS management program, led by a senior individual appointed to the role of OSS Program Manager, urges the organization.

Integrating all of these measures into a single, overarching program will enable a holistic and coordinated approach to managing the risks of OSS, said Paul Holland, Principal Research Analyst at ISF. That coordination is essential to making sure security remains intact.

“Many organizations are adopting agile and DevOps methodologies, which is driving an increased uptake of OSS and, in turn, the creation of new mixed source applications,” said Holland.

Far-Reaching Goals

The ISF guide on deploying open-source software pulls together a quick study for IT workers and other open-source users in enterprise. It provides useful approaches for how organizations can effectively manage the challenges of using OSS, and why they need to do it.

The guide also talks about how to maximize the benefits and reap the rewards of using open-source software. In a way, this how-to guide from ISF is an attempt to close the software barn door before more of the malware horses get in.

Closed source software has been a staple of organizational IT applications and infrastructure. But many well-established and popular software programs are actually open source. So, organizations need to recognize that OSS may already exist within their own environment. It often is used in combination with closed source software, creating what is termed ‘mixed source software’.

Mixed source software can be derived from any number of combinations of OSS components. The possibilities include closed source software, purchased code, and internal code. Developers can then integrate these components together to create a customized mixed source software application.

The security risks of using OSS within IT infrastructure and applications bring core challenges that must be minimized, the guide cautions. These challenges include complex licensing and intellectual property obligations, a shortage of relevant OSS skills, and the absence of security in DevOps practices. The task is made more complex if organizations have limited awareness of the OSS components in use.

Balance Needed

A concerted effort to manage the use of OSS appropriately and effectively is needed. The growing prevalence of OSS needs to be balanced, urged Holland. For some organizations, the first step is to realize that the myths surrounding OSS are simply illusions.

For other organizations, the appeal of OSS and mixed source software is already apparent. This allows them to develop new applications securely and increase speed to market for new ideas, he explained.

OSS is often seen as being insecure and unsupported. As these negative connotations continue to taint its reputation, some organizations officially prohibit it, even though they may unknowingly be using OSS.

Others enthusiastically adopt OSS, harnessing its advantages, such as aiding flexible and rapid development. OSS can be a positive influence on software development. But that can only happen if it is used and managed responsibly, according to the ISF’s latest guide.

Support Is Essential

The guide recommends supporting the organization’s OSS program manager with the necessary funds and resources to develop a viable program and team. In some instances, existing tools for closed source software can be extended to secure and manage OSS.

Other integration cases require the program team to procure additional tools to further enhance OSS security. The team should also monitor threat intelligence feeds for mentions of the OSS components that the organization is using, according to the ISF guide.

“Resisting the move to OSS could limit an organization’s ability to progress and evolve. If harnessed effectively, OSS can potentially be an accelerator for the business,” said Holland. “Fostering an OSS management program is, therefore, vital to securing and managing OSS, allowing the organization to use it safely.”

Preparation Required

Combining open source’s dynamics with established practices around the management of closed source software will deliver a coherent, all-encompassing software management program. The result will provide the best opportunity for success, Holland added.

Many traditionally closed source software vendors are adopting OSS principles. That means OSS is here to stay, declared the ISF.

The flexibility of both open and mixed source software could lead to a decline in closed source software. In turn, that could cause a fundamental shift in software management, licensing, and security.
