
What to know about open source security

Many companies have a preference towards open source technology, so what should be kept in mind in regards to ensuring its security?

Like any area of tech, open source needs its own security measures to thrive without a hitch.

A major benefit that organisations gain from using open source tech is that it is freely available and not distributed by a single proprietor.

The ‘open source’ aspect refers to the code, and can be found within databases, applications and operating systems, among other software. This code can be changed to suit the needs of the business.

However, because the code is publicly available, this realm has its own potential vulnerabilities that attackers could exploit.


Open source applications, for all their many use cases, can be compromised if those responsible for their security aren’t on top of any possible vulnerabilities.

Ben Griffin, director at Computer Disposals Ltd, explained: “Because the code used by open source projects is freely viewable, hackers can take advantage of organisations that are slow to patch their applications.

“Updating applications as soon as possible is imperative. Additionally, an inventory that tracks open source usage across teams helps with regards to visibility and transparency, as well as ensuring that different teams don’t use different versions of the same component.

“Similarly, technical employees should be careful not to copy and paste code from open source libraries, as this leaves the software susceptible to later vulnerabilities. It’s a good idea to create an open source policy that specifically forbids copying and pasting such code from other projects.”

Keep eyes on your supply chain

Companies should also be sure to keep the security of their supply chain in mind when dealing with open source tech, and not agree to use any software without carefully examining what it entails.

“The best thing to do when it comes to sharing open source code is to control your open source supply chain,” said Stefano Maffulli, senior director of digital marketing and community at Scality. “Do the ‘due diligence’ on the packages shipped, reduce dependencies as much as possible and automatically keep track of them in your CI toolchain.

“You want to avoid getting into situations like those we’ve seen recently where popular libraries were hijacked by criminals and modified to ship malware, like the ‘right9ctrl’ fiasco in the fall of 2018, or completely removed from distribution as a political act of protest, such as the Chef scandal in the fall of 2019.”
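The inventory and CI tracking that Griffin and Maffulli describe above can be approximated with a small script, added here as an example (it is not from the article or from any of the quoted companies): it collects each team's pinned dependency file, builds a component inventory, and fails the build when teams pin different versions of the same component or leave a component unpinned. The team names and requirements files are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample inventory: one pinned-requirements file per team
# (example files only, not taken from any real project).
TEAM_REQUIREMENTS = {
    "payments": "requests==2.22.0\nurllib3==1.25.7\npyyaml==5.1\n",
    "web":      "requests==2.22.0\nurllib3==1.24.2\nflask==1.1.1\n",
    "data":     "requests\npyyaml==5.1\nurllib3==1.25.7\n",
}

PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([^\s#]+)")

def parse_requirements(text):
    """Return (pinned, unpinned): pinned is {name: version}, unpinned a list of names."""
    pinned, unpinned = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = PIN_RE.match(line)
        if m:
            pinned[m.group(1).lower()] = m.group(2)
        else:  # anything not pinned with == counts as unpinned (ranges, bare names)
            unpinned.append(re.split(r"[<>=!~\[ ;]", line, 1)[0].lower())
    return pinned, unpinned

def build_inventory(team_files):
    """Map component -> version -> list of teams using that version."""
    inventory = defaultdict(lambda: defaultdict(list))
    unpinned_by_team = {}
    for team, text in team_files.items():
        pinned, unpinned = parse_requirements(text)
        for name, version in pinned.items():
            inventory[name][version].append(team)
        if unpinned:
            unpinned_by_team[team] = unpinned
    return inventory, unpinned_by_team

def version_drift(inventory):
    """Components that different teams pin at different versions."""
    return {name: dict(v) for name, v in inventory.items() if len(v) > 1}

def ci_gate(team_files):
    """Result for a CI step: ok only when there is no drift and nothing is unpinned."""
    inventory, unpinned = build_inventory(team_files)
    drift = version_drift(inventory)
    return {"drift": drift, "unpinned": unpinned, "ok": not drift and not unpinned}

if __name__ == "__main__":
    result = ci_gate(TEAM_REQUIREMENTS)
    for name, versions in result["drift"].items():
        print(f"version drift: {name}: {versions}")
    for team, names in result["unpinned"].items():
        print(f"unpinned in {team}: {names}")
    raise SystemExit(0 if result["ok"] else 1)
```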


Establish a disaster recovery strategy

In some ways, securing open source tech is similar to securing software distributed by a proprietor.

One of these ways is that a plan is needed for when the software is under threat.

“Alongside fixing and upgrading the code for open source software users, and encouraging developers to regularly monitor for patch updates, a solid business continuity and disaster recovery (BCDR) strategy is an effective solution for resolving any risks tied to open source software that threaten the availability of systems and data,” said Ryan Weeks, chief information security officer at Datto.

“Being able to keep systems running and to quickly recover from an attack helps businesses avoid costly downtime caused by those security risks, including everything from ransomware, crypto jacking, and spyware to trojan horses, worms, and rootkits.”

Research who’s using the software

A good indicator of what open source tech is worth using within the company is which other firms are using it.


“Organisations should use open source software that has been adopted/embraced by large vendors,” said Lior Ben Naon, chief solution architect at Skybox Security. “For example, at organisational networks, we see Red Hat Linux servers significantly more than we see Ubuntu or CentOS distributions.

“It is due to the extended support mechanism of Red Hat, and the ownership they are taking upon their Linux code base. So in this example, it starts with open source code, but being adopted by a major vendor helps improve the security level, and allows a better patching process, among others.”

Personal information in APIs

Companies should be wary of any personal information that may be present within application programming interfaces (APIs).

Frank Jablonski, vice president of global marketing at SIOS Technology, said: “The security risks of open APIs are not limited to hackers and malware. Open data and codes can lead to data sharing among applications.

“The amount of personal information attained by open APIs can undoubtedly be shared with third parties. This is evident in Facebook’s vow to better secure personal information.

“APIs can read all your data or they read the data from another application that you have. Security features for open APIs, such as API gateways, should provide users with the utmost protection.”
