Cybersecurity Risks for Open Source Code

  /  ICS Security   /  Cybersecurity Risks for Open Source Code
Cybersecurity

Cybersecurity Risks for Open Source Code

The adoption of open source code has increased exponentially over the past decade, with a large percentage of commercial software now containing it. Developers are constantly sharing common features and code functionality across the internet and globe. The speed and demand placed upon application teams is high – business used to run via application releases a handful of times per year, and now is done a handful of times per week or day. This rapid acceleration pushed the world to move from “waterfall” and “iterative” project methodologies to “agile” to meet the rapidly growing demand. But what are the cybersecurity risks associated with open source code and how to protect it?

Open Source Cybersecurity Risks

  • Vulnerabilities – average of 64 vulns per code base. 1500+ days before a fix. Development processes are your first line of defense.
  • You build it, you own it
  • Software of unknown origin
  • Continuous monitoring of config and environment

To mitigate the risks, usage of Open Source repository scanning technologies is mandatory. A service which is able to find manifest files (identify and analyze), understand the direct and indirect dependencies (and flag them for known vulnerabilities) is a must. Having integration into your code repository also helps identify your risks tied to your projects. Then building the issue findings into your ticketing system (or creating pull requests) for remediation, at the developer level, is the next step to ensure the code has ownership and is cared for during its lifecycle. Maintenance and auditing (remediation) of this will be required because every time the same pull request happens, as scan and updated patch request must occur there too.

Building a culture among your organization to have ownership of code, the maintenance of it, and pride in the application from release to release will take time. It is paramount to making Open Source more secure though, as the ownership and pride will help keep it secure. Implementing the technology checks on top will assist in keeping the teams involved and more secure, as will doing this continuously.

More about Cybersecurity Vulnerabilities in ICS Mobile Applications

Read the full post on open source software security from Trend Micro to learn 4 best practices to mitigate vulnerabilities.

 

About the Author

Aaron Ansari

VP, Cloud Security at Trend Micro