
Successful Open Source Security Is Knowing What to Secure

You can't secure what you don't know you have

The Open Source Mismanagement Debacle
In the first half of 2008 alone, dozens of publicly reported corporate data breaches resulted from the exploitation of vulnerabilities in undocumented code. A recent example: a vulnerability was uncovered in the BIND DNS software that gives attackers a way to quickly redirect Web traffic and e-mail to systems under their control. Details of the flaw were posted online, and experts say it is only a matter of time before working attack code circulates and real trouble ensues.

Many software vendors, from large commercial suppliers to open source projects, embed that DNS code in their own products. But if you don't know that you are using a given open source component, how do you know whether the DNS flaw affects you?

Open source communities generally respond quickly to vulnerability reports, but without visibility into which open source components are in use inside custom-built applications there is no reliable way to ensure that those applications are patched and upgraded.

Increased exposure to application-layer attacks means that organizations need to be certain of the software composition of their externally facing applications. What third-party code is embedded inside them? Where did that code come from? Who wrote it? Does it contain known vulnerabilities? What legal obligations surround its use? Who on the team is responsible for monitoring it?

Securing Your Organization
The risk of open source lies not in using it, but in managing it badly or not at all. If a company does not keep track of the open source software it has adopted, identifying vulnerabilities in that code and applying the corresponding patch releases becomes difficult and costly.

While commercial software suppliers have mechanisms to notify customers of updates and push them out automatically to licensed users, many open source projects do not. In fact, only one in ten open source projects has a vendor offering commercial support. [1] Organizations that use open source components are largely on their own for patches, upgrades, vulnerability assessment, and the other tasks that a normal commercial service contract covers.

When companies do not know what code is running inside their applications, they leave themselves open to serious vulnerabilities that can ultimately lead to data breaches.

Ironically, most organizations believe they have adequate application security because of significant investments in firewalls, web-based authentication, intrusion detection, and identity management systems. These are important layers, but they secure the perimeter by controlling traffic to the applications; a firewall passes a well-formed DNS query to a vulnerable resolver just as readily as to a patched one. None of these systems analyzes the software itself to identify third-party code that could carry security defects or known vulnerabilities.

To date, the identification, monitoring, and management of open source security vulnerabilities, and the verification that no unknown third-party code is embedded in applications or running behind the firewall, have been handled poorly. With increasing scrutiny of application-layer attacks, a growing number of customer data breaches, and the need for more reliable Internet-facing systems, organizations must now manage the informal software supply chain through which open source regularly enters their code base.

Automated application security and governance systems for open source and other third-party code need to become a key part of companies' engineering, IT, and application security priorities. With such systems in place, companies can reduce the total cost of ownership of open source technology, increase customer and partner confidence, maintain competitive advantage, and ensure regulatory and corporate compliance.

They should also implement a straightforward authorization and monitoring process for open source usage, one that minimizes version proliferation, ensures compliance with license terms, keeps components on current releases, and guarantees awareness of any associated vulnerabilities.

Likewise, most organizations believe they have adequate legal and IP policies in place because they have invested in IP policy development (license blacklists and whitelists). A policy that lists acceptable and unacceptable licenses is only the beginning; it does not mean that every member of a globally dispersed engineering team is in fact following it.

Successful Application Security Is Knowing What to Secure
Consequently, a good application security strategy for open source requires software composition analysis: identifying and tagging all code embedded in your custom applications, including every open source component, and reporting on known security vulnerabilities, IP ownership, and license obligations. It also requires a partnership between the security, engineering, and legal teams.

This cross-functional partnership rests on three elements. The first is an accurate inventory of the open source components in use, documented by the engineering team. This is harder than it appears: most large applications have passed through many developers over a period of years, each of whom may have pulled in open source components.

The second is a system to assess the risk of each component by matching the open source projects in the inventory against known, published vulnerabilities and against the list of acceptable licenses maintained by the security and legal teams.

The third is managing open source use over the lifetime of an application, so that new vulnerability information, published security patches, and similar updates reach the inventory in a timely manner. With this awareness, coupled with tools for open source management, all three elements can be addressed and the unknown components disappear.
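The three elements above, and the earlier question of whether the DNS flaw affects you, come down to a matching problem: a documented inventory, an advisory feed, a license policy, and a re-run whenever the feed or the inventory changes. The following Python is an added example and is not code from the article or from Palamida's product. It takes a constructed inventory, a constructed advisory feed and a constructed license policy, reports which components are affected and which licenses are denied or not yet reviewed, and then shows what a later run surfaces after the feed gains a new advisory. Every component name, version, advisory identifier and version range is invented for illustration and refers to no real project or vulnerability.

```python
"""Software composition check (added example, not the article's or Palamida's code).

Matches an inventory of third-party components against an advisory feed and a
license policy, then reports what changed since the last run. All names,
versions, advisories and licenses below are constructed for illustration."""

import re

# Element 1: the inventory the engineering team documents for one build (constructed).
INVENTORY = [
    {"name": "libdnsresolver", "version": "2.3.1", "license": "ISC"},
    {"name": "libcompress",    "version": "1.2.3", "license": "Zlib"},
    {"name": "libcli",         "version": "5.2",   "license": "GPL-3.0"},
    {"name": "libwidget",      "version": "0.9",   "license": "Unknown"},
]

# Element 2a: an advisory feed (constructed). A component is affected when
# affected_from <= version < fixed_in; fixed_in None means no fixed release exists yet.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "name": "libdnsresolver", "affected_from": "2.0", "fixed_in": "2.3.2"},
    {"id": "EXAMPLE-0002", "name": "libcompress",    "affected_from": "1.0", "fixed_in": "1.2.3"},
]

# Element 2b: the license policy the security and legal teams maintain (constructed).
LICENSE_POLICY = {
    "allow": {"MIT", "BSD-3-Clause", "Apache-2.0", "ISC", "Zlib"},
    "deny":  {"GPL-3.0", "AGPL-3.0"},
}


def parse_version(v: str) -> tuple:
    """'1.2.3' -> (1, 2, 3). A non-numeric suffix such as 'rc1' is dropped so that
    comparisons stay purely numeric; an unparseable string becomes ()."""
    m = re.match(r"\d+(?:\.\d+)*", v)
    return tuple(int(p) for p in m.group(0).split(".")) if m else ()


def is_affected(version: str, advisory: dict) -> bool:
    """True when the shipped version falls inside the advisory's affected range."""
    v = parse_version(version)
    if v < parse_version(advisory["affected_from"]):
        return False
    fixed = advisory.get("fixed_in")
    return fixed is None or v < parse_version(fixed)


def vulnerability_findings(inventory: list, advisories: list) -> list:
    """Element 2: every (component, advisory) pair where the shipped version is affected."""
    findings = []
    for comp in inventory:
        for adv in advisories:
            if adv["name"] == comp["name"] and is_affected(comp["version"], adv):
                findings.append({"component": comp["name"], "version": comp["version"],
                                 "advisory": adv["id"], "fixed_in": adv.get("fixed_in")})
    return findings


def license_findings(inventory: list, policy: dict) -> list:
    """Components whose license is denied, or unreviewed (on neither list)."""
    findings = []
    for comp in inventory:
        lic = comp["license"]
        if lic in policy["deny"]:
            findings.append({"component": comp["name"], "license": lic, "status": "denied"})
        elif lic not in policy["allow"]:
            findings.append({"component": comp["name"], "license": lic, "status": "unreviewed"})
    return findings


def composition_report(inventory: list, advisories: list, policy: dict) -> dict:
    return {"vulnerabilities": vulnerability_findings(inventory, advisories),
            "licenses": license_findings(inventory, policy)}


def new_findings(previous: dict, current: dict) -> dict:
    """Element 3: findings that appeared since the last run (for example after the
    advisory feed was refreshed), so the owner acts on the delta, not the whole report."""
    def key(f):
        return tuple(sorted(f.items()))
    out = {}
    for section in ("vulnerabilities", "licenses"):
        seen = {key(f) for f in previous.get(section, [])}
        out[section] = [f for f in current[section] if key(f) not in seen]
    return out


if __name__ == "__main__":
    first = composition_report(INVENTORY, ADVISORIES, LICENSE_POLICY)
    # A later run: the feed now carries an advisory (constructed) for a component
    # that was clean before, with no fixed release available yet.
    refreshed = ADVISORIES + [{"id": "EXAMPLE-0003", "name": "libcompress",
                               "affected_from": "1.2.0", "fixed_in": None}]
    second = composition_report(INVENTORY, refreshed, LICENSE_POLICY)
    for section, items in new_findings(first, second).items():
        for finding in items:
            print(section, finding)
```

Two details matter in practice. A component sitting exactly on the fixed version (libcompress 1.2.3 against a range fixed in 1.2.3) is reported clean, so range bounds must be copied from the advisory precisely. And a license that is on neither list is reported as unreviewed rather than silently passed, which is what turns a blacklist/whitelist policy into something the engineering team cannot quietly drift past.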

More Stories By Theresa Bui-Friday

As VP of Product Marketing, Theresa Bui-Friday is responsible for Palamida's positioning, core communications content, go-to-market initiatives, and press and analyst relations team. She has over 12 years of expertise in the software industry with a focus on emerging technology. Prior to Palamida, Theresa was Director of Strategic Marketing at Cacheon. She was also Director of Enterprise Marketing for Embark.com, which is now Princeton Review, where she held global responsibility for product marketing of the enterprise product lines, including competitive and market evaluation, strategic planning, and outbound marketing programs.
