Basic rules for managing open source software
Organizations that use open source software do not necessarily expose themselves to greater security risk, but the key to a successful and secure open source software implementation is a thorough management strategy.
Open source software makes up the majority of enterprise applications, and for most organizations it is much safer to use an open source module that has been approved by a larger community than to develop similar functionality in-house.
Open source vulnerabilities receive well-deserved attention when they occur, but the most common risk is that open source is configured or used in an insecure manner.
“Open-source OpenSSL is one of the most widely used and trusted encryption tools in the world, but its security means nothing if developers leave their private keys in the repository,” says Casey Bisson, Product Manager for BluBracket.
Open Source and Accelerating Productivity
He explains that in general, properly managed open source is less risky, and that for developers who are rewarded for “working smarter, not harder”, open source is the best way to accelerate productivity. .
“A successful open source software security management strategy recognizes that open source is a critical and critical driver of team speed,” says Bisson. “It’s also critical to understand that human approaches to security are unlikely to meet the challenge and use automation to complement accordingly.”
More importantly, an open source software security management strategy must support developer speed while improving security by building security into automated CI/CD processes rather than trying to conform developer processes to safety.
Bisson explains that the productivity gains of open source can cause companies to under-provision their broader software development process.
From his point of view, automated CI/CD – with automated code analysis – is more important than ever. Automated permission monitoring and enforcement can also be helpful.
“The last thing a developer wants is to find security risks in their work after they build it,” he says. “Integrating automated security reviews earlier in the workflow gives developers faster feedback so they can make fixes before something becomes a security issue.”
Importance of transitive dependencies
Miclain Keffeler, application security consultant at nVisium, notes that a crucial element of any open source software security management strategy is transitive dependencies.
Many development teams have a definite list of open source software they will use because they have verified it, but the dependencies used by those dependencies are often overlooked. Beyond that, when security vulnerabilities arise in these transitive dependencies, they must be updated to fix them, but the dependencies that use them must also be updated.
“This creates a supply chain issue, where it often takes longer for these patches to reach a wider audience depending on how quickly they bring changes,” he says. “It can take a very long time if the software is undermanaged.”
Keffeler points to another common tool for open source security management called Renovate Bot. It automatically opens pull requests to make updates to the project or library it’s connected to, so you can stay on the latest secure version of that dependency.
Additionally, simple tools like OWASP Dependency Track help identify and mitigate risk in the software supply chain, informing teams of any transitive dependencies in use and how they can mitigate that risk in the future. .
Software composition analysis tools can also help protect against risks from incoming open source components, but supply chain security is not limited to the software components in use.
BluBracket’s Bisson explains that this includes securing the workflow to prevent accidental or intentional tampering.
Supply chain security
Automated enforcement of git access and configuration best practices, such as branch protection rules and requiring signed commits, is critical to supply chain security.
“Ultimately, the supply chain doesn’t stop until the code is in production, so access to source code is another attack vector,” he says. “Making sure developers have access to all the repositories they need is critical, but too many companies fail to end access when people leave the company or change teams.”
Keffeler echoes Bisson’s comments that supply chain security plays a critical role in managing open source software. “Open source software is already essential in many companies,” he says. “This increase in supply chain attacks is a direct result of companies ignoring this element because it is not their responsibility.”
He adds that when it comes to open source software, there is a collective responsibility that must be shared. “If we all use it, we have to take ownership of the guarantee of its safety,” he says. “The nature of open source tells us that anyone can handle it. If we can figure out how to make it work, we can all reduce the risk these attacks pose.”
What to read next:
Seismic shifts in software development still need hardware
5 reasons why open source is essential to become cloud native
What IT managers need to know about open source software