What to know about open source security – Information Age

Many companies have a preference for open source technology, so what should be kept in mind with regard to ensuring its security?

What do companies need to know about securing open source tech?

Like any area of tech, open source needs its own security measures to thrive without a hitch.

A major benefit that organisations gain from using open source tech is that it is freely available and not tied to a single proprietor.

The open source aspect refers to the code, and can be found within databases, applications and operating systems, among other software. This code can be changed to suit the needs of the business.

However, because the source code is publicly viewable, attackers can study it for weaknesses just as defenders can, and any vulnerability found in a widely used component is a vulnerability in every organisation that deploys it.


Open source applications, for all their arrays of use cases, can be compromised if those responsible for their security aren't on top of any possible vulnerabilities.

Ben Griffin, director at Computer Disposals Ltd, explained: "Because the code used by open source projects is freely viewable, hackers can take advantage of organisations that are slow to patch their applications."

Updating applications as soon as possible is imperative. Additionally, an inventory that tracks open source usage across teams gives visibility and transparency: when a vulnerability is announced in a component, the inventory tells you which teams ship it and at which version, and it stops different teams from drifting onto different versions of the same component.

Similarly, technical employees should be careful not to copy and paste code out of open source libraries into their own projects. Copied code is cut off from upstream: when the library later fixes a vulnerability, the pasted copy never receives the patch and does not appear in any dependency inventory. It's a good idea to create an open source policy that specifically forbids copying and pasting such code from other projects and requires libraries to be consumed as declared, versioned dependencies instead.

Companies should also be sure to keep the security of their supply chain in mind when dealing with open source tech, and not agree to use any software without carefully examining what it entails.

"The best thing to do when it comes to sharing open source code is to control your open source supply chain," said Stefano Maffulli, senior director of digital marketing and community at Scality. "Do the due diligence on the packages shipped, reduce dependencies as much as possible and automatically keep track of them in your CI toolchain.

"You want to avoid getting into situations like those we've seen recently where popular libraries were hijacked by criminals and modified to ship malware, like the right9ctrl fiasco in the fall of 2018, or completely removed from distribution as a political act of protest, such as the Chef scandal in the fall of 2019."
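The two points above, a cross-team inventory that flags version drift and an automated dependency check in the CI toolchain, can be demonstrated in a few dozen lines. The following is an added example written for this page, not code from Information Age or from any of the people quoted. It assumes each team keeps a pip-style pinned requirements file; the team names, package versions and the proposed change are constructed sample data, and the "approved inventory" is simply whatever the existing teams already use.

```python
"""Cross-team open source inventory and CI dependency gate (added example)."""
import re
from collections import defaultdict

# Constructed sample data: pinned requirements files from three hypothetical teams.
TEAM_REQUIREMENTS = {
    "payments": """
requests==2.25.1
urllib3==1.26.5
cryptography==3.4.7
""",
    "web": """
requests==2.28.1
urllib3==1.26.5
flask==2.0.3
""",
    "data": """
requests
urllib3==1.26.5
numpy==1.21.0
""",
}

# Package name, optionally followed by an exact "==version" pin.
REQ_LINE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:==\s*([^\s;#]+))?")


def parse_requirements(text):
    """Return {name: version-or-None} for one requirements file.

    Names are normalised the way PEP 503 does (lowercase, runs of -_. become -)
    so that "Foo_Bar" and "foo-bar" are recognised as the same component.
    Anything without an exact == pin is recorded as None (unpinned)."""
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):      # blank, comment, or pip option
            continue
        m = REQ_LINE.match(line)
        if not m:
            continue
        name = re.sub(r"[-_.]+", "-", m.group(1)).lower()
        deps[name] = m.group(2)
    return deps


def build_inventory(team_requirements):
    """Return {package: {version: [teams]}} across all teams."""
    inventory = defaultdict(lambda: defaultdict(list))
    for team, text in team_requirements.items():
        for name, version in parse_requirements(text).items():
            inventory[name][version].append(team)
    return {pkg: {ver: sorted(teams) for ver, teams in vers.items()}
            for pkg, vers in inventory.items()}


def find_version_drift(inventory):
    """Packages that different teams use at different versions (or unpinned)."""
    return {pkg: vers for pkg, vers in inventory.items() if len(vers) > 1}


def find_unpinned(inventory):
    """(package, team) pairs with no exact pin: not reproducible, not auditable."""
    return sorted((pkg, team)
                  for pkg, vers in inventory.items()
                  for ver, teams in vers.items() if ver is None
                  for team in teams)


def ci_gate(new_requirements, approved):
    """Problems a CI job should fail on for a proposed requirements file:
    a package not in the approved inventory, an unpinned package, or a
    version nobody else has reviewed yet."""
    problems = []
    for name, version in parse_requirements(new_requirements).items():
        if name not in approved:
            problems.append(f"new dependency not in inventory: {name}")
        elif version is None:
            problems.append(f"unpinned: {name}")
        elif version not in approved[name]:
            known = ", ".join(v for v in approved[name] if v)
            problems.append(f"{name}=={version} not an approved version ({known})")
    return problems


if __name__ == "__main__":
    inv = build_inventory(TEAM_REQUIREMENTS)
    for pkg, vers in sorted(find_version_drift(inv).items()):
        print(f"DRIFT    {pkg}: {vers}")
    for pkg, team in find_unpinned(inv):
        print(f"UNPINNED {pkg} (team {team})")
    # A hypothetical pull request adding a package nobody has vetted.
    proposed = "requests==2.28.1\nurllib3==1.26.5\nleft-pad==1.0.0\n"
    for problem in ci_gate(proposed, inv):
        print("CI GATE:", problem)
```

Run as a script it reports that requests is used at two versions plus one unpinned copy, and that the proposed change introduces a dependency absent from the inventory. In a real pipeline the approved inventory would be a reviewed file in version control rather than the union of what teams happen to ship, and the gate would also pin and verify artifact hashes, but the shape of the check is the same.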


In some ways, securing open source tech is similar to securing software distributed by a proprietor.

One of these ways is that a plan is needed for when the software is under threat.

"Alongside fixing and upgrading the code for open source software users, and encouraging developers to regularly monitor for patch updates, a solid business continuity and disaster recovery (BCDR) strategy is an effective solution for resolving any risks tied to open source software that threaten the availability of systems and data," said Ryan Weeks, chief information security officer at Datto.

"Being able to keep systems running and to quickly recover from an attack helps businesses avoid costly downtime caused by those security risks, including everything from ransomware, crypto jacking, and spyware to trojan horses, worms, and rootkits."

A good indicator of what open source tech is worth using within the company is which other firms are using it.


"Organisations should use open source software that has been adopted/embraced by large vendors," said Lior Ben Naon, chief solution architect at Skybox Security. "For example, at organisational networks, we see Red Hat Linux servers significantly more than we see Ubuntu or CentOS distributions.

"It is due to the extended support mechanism of Red Hat, and the ownership they are taking of their Linux code base. So in this example, it starts with open source code, but being adopted by a major vendor helps improve the security level, and allows a better patching process, among other things."

Companies should be wary of any personal information that may be present within application programming interfaces (APIs).

Vice president, global marketing at SIOS Technology, Frank Jablonski, said: "The security risks of open APIs are not limited to hackers and malware. Open data and codes can lead to data sharing among applications.

"The amount of personal information attained by open APIs can undoubtedly be shared with third parties. This is evident in Facebook's vow to better secure personal information.

"APIs can read all your data or they read the data from another application that you have. Security features for open APIs, such as API gateways, should provide users with the utmost protection."
