
The Best Strategies to Prevent Open Source Software Security Risks

A common misconception about open source software is that it is less secure than proprietary software. Many people assume that the transparency of open source code makes it more vulnerable because potential attackers can read the code and take advantage of bugs. In practice, that transparency cuts both ways, and on balance it favors defenders. Anyone who depends on an open source project can inspect the code, write a fix, and ship it, whereas the user of a proprietary system must wait for a third-party vendor to acknowledge and address the weakness. The open source community also facilitates peer review from a diverse set of developers who are motivated by more than profit to improve the code.

These assurances don’t mean that open source is Teflon, though. Just as with proprietary software, there are plenty of ways that attackers can exploit vulnerabilities, and a bug that nobody has looked for is not found just because the code is public. IT managers should actively take steps to secure all of their assets, regardless of whether the source code is open or closed. Fortunately there are many options out there to make sure you’re doing your due diligence.

Open source software is constantly being updated through rapid iterations. From a security standpoint, it can be a challenge to keep up with the latest community contributions as they land. Plenty of tools exist to automatically scan code for vulnerabilities, but they can’t catch every risk.

There is also no standard method to document security on open source projects. According to a 2018 CSO blogpost, of the top 400,000 public repositories on GitHub, only 2.4 percent had security documentation in place. An IT manager could easily expend countless hours addressing all of the issues in a specific release, only to find that a newer version of the software in question has been released before they’ve even finished!

Stay One Step Ahead

Simply having more eyes on code isn’t necessarily a cure-all. In fact, sometimes the open source workflow is its own worst enemy -- once a vulnerability is fixed, the advisory and the patch are published together, and the commit that fixes it tells attackers exactly where to look. If you’re not appropriately plugged in, attackers may know about (and be scanning for) your vulnerabilities before you even realize they exist. Thankfully, there are many avenues for your team to meet this problem head on:

  • Plug In: At the very least, you need to stay tuned to the open source community that is supporting your code. Subscribe to each project’s security mailing list or advisory feed, watch for bug reports, upgrades and patches, and react accordingly to any issues. Check regularly and thoroughly, and don’t be afraid to engage if you’re facing issues that others aren’t seeing. Simply upvoting a comment or asking a question on a message board can often yield outsized results in the open source world.
  • Pop the Hood: You should be auditing your code. Audits run the gamut in terms of quality, scope and cost, so it can take some planning to make sure you’re running the right test. If you find a vulnerability during such a process, be a good open source citizen. Report your findings back to the original developers privately, following the project’s disclosure policy, so that a fix can be prepared before the issue is made public.
  • Modernize: One of the best things you can do as an IT manager is to automate the process. Automated open source management is a valuable way to make sure your digital assets are up to speed on the latest updates, risks and solutions. Coverity Scan will find defects in your Java, C/C++, C#, JavaScript, Ruby or Python open source project for free; fixing them is still up to you. Security, development, and legal teams around the world rely on Black Duck Software to help them manage the risks that come with the use of open source. It is incumbent upon you and your team to find the best approach and tools for your platform.

Codify Cybersecurity Culture

All of these recommendations can be very effective in securing your open source assets. But they’re just the first step. To understand the full scope of your software security, you need to codify a cybersecurity culture within your organization. Simply put, your team should be as invested in security as they are in the open source community.

Cross-Train Your Staff

The average coder who sets out to improve an open source application isn’t a cybersecurity expert. It’s not always feasible to hire people who are experts in both web development and digital security. But it is more than possible, and definitely practical, to train your talent so that your teams can approach this issue from both ends. It’s a worthy investment to ensure that your developers have a general understanding of digital security, as well as the latest trends therein. Your developers should be included in the decision-making process around security concerns whenever such conversations come up.

On a related note, security should be much more than an after-thought or something to address when things go wrong. A Snyk survey of open source maintainers found that 44 percent of respondents have never undergone a security audit. Furthermore, only 17 percent of those respondents reported a high level of security know-how.

Any organization that owns a digital asset needs to nurture that asset. Just as you might analyze the performance of your blog or social media feed, your organization should be proactively monitoring your digital security efforts. Security should be an integral consideration in every major decision made during the entire application development lifecycle – from inception to retirement.

Know Your Code

In work as in life, many like to follow the age-old mantra, “If it ain’t broke, don’t fix it.” And many organizations operate that way. According to a Veracode report, only 28 percent of organizations do any kind of regular analysis to find out which components are built into their applications and where that code comes from. This is obviously problematic, but it isn’t that surprising.

A major advantage of many open source applications is that they work very well for hundreds of teams, often with little to no modification. But past success guarantees nothing for you and your team if you don’t know where your code comes from. In order to protect your assets, you need to fully understand them – the good and the bad, their strengths and weaknesses. This means you have to dig deep and become intimately familiar with your code, including the third-party components it pulls in and the versions you actually ship, so that you can also trace and digest its documentation. That way, when something goes wrong – or may go wrong in the future – you won’t be caught unaware.
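The “Modernize” and “Know Your Code” points above both come down to the same routine task: keep an inventory of the components you actually ship, and check each pinned version against published advisories. The script below is an added example written for this article, not code from Acquia or from any of the tools mentioned; it is a deliberately small version of what a software composition analysis tool does. The manifest, the package names and the advisory entries are all constructed for illustration and correspond to no real project or CVE. The advisory format (an introduced version and a fixed version per entry) is an assumption; real feeds use richer range syntax.

```python
"""Minimal software-composition check: compare a dependency manifest
against an advisory list and report components with known issues.

Added example for illustration. All package names, versions and
advisory IDs below are constructed and do not refer to real software."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed manifest in requirements.txt style (hypothetical packages).
SAMPLE_MANIFEST = """\
# web stack
webframework==2.3.1
imagelib==1.4.0
jsonparser>=3.0
cryptokit==0.9.2
"""

# Constructed advisory feed. Each entry names the first affected version
# and the first version that contains the fix (half-open range).
SAMPLE_ADVISORIES = [
    {"id": "ADV-0001", "package": "imagelib", "introduced": "1.0.0", "fixed": "1.4.2"},
    {"id": "ADV-0002", "package": "cryptokit", "introduced": "0.8.0", "fixed": "0.9.2"},
    {"id": "ADV-0003", "package": "jsonparser", "introduced": "3.0.0", "fixed": "3.1.5"},
]

# name, optional comparison operator, optional version
LINE_RE = re.compile(
    r"^([A-Za-z0-9_.-]+)\s*(==|>=|<=|~=|>|<)?\s*([0-9][0-9A-Za-z.]*)?\s*$"
)


@dataclass
class Requirement:
    name: str
    operator: Optional[str]   # None when the line carries no version at all
    version: Optional[str]


@dataclass
class Finding:
    name: str
    version: Optional[str]
    status: str               # "VULNERABLE" or "UNPINNED"
    advisories: List[str]


def parse_manifest(text: str) -> List[Requirement]:
    """Parse requirements.txt-style lines; comments and blank lines are skipped."""
    reqs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognized requirement line: {raw!r}")
        name, op, ver = m.groups()
        reqs.append(Requirement(name.lower(), op, ver))
    return reqs


def version_key(version: str) -> tuple:
    """Numeric components padded to four places, so 1.4 compares equal to 1.4.0."""
    parts = [int(p) for p in re.findall(r"\d+", version)]
    return tuple(parts + [0] * (4 - len(parts)))


def is_affected(version: str, advisory: dict) -> bool:
    """True when introduced <= version < fixed; the fixed version itself is clean."""
    key = version_key(version)
    return version_key(advisory["introduced"]) <= key < version_key(advisory["fixed"])


def check_manifest(text: str, advisories: List[dict]) -> List[Finding]:
    findings = []
    for req in parse_manifest(text):
        relevant = [a for a in advisories if a["package"] == req.name]
        if not relevant:
            continue
        # A range or bare name resolves to whatever the installer picks at
        # build time, so the result cannot be assessed from the manifest alone.
        if req.operator != "==" or req.version is None:
            findings.append(Finding(req.name, req.version, "UNPINNED",
                                    [a["id"] for a in relevant]))
            continue
        hits = [a["id"] for a in relevant if is_affected(req.version, a)]
        if hits:
            findings.append(Finding(req.name, req.version, "VULNERABLE", hits))
    return findings


if __name__ == "__main__":
    for f in check_manifest(SAMPLE_MANIFEST, SAMPLE_ADVISORIES):
        print(f"{f.status:<10} {f.name} {f.version or '(unpinned)'}  {', '.join(f.advisories)}")
```

Run against the constructed manifest, the report flags imagelib 1.4.0 as vulnerable, flags jsonparser as unpinned because a `>=` range cannot be judged until it is resolved to a concrete version, and says nothing about cryptokit 0.9.2, which is exactly the fixed version. That last case is the boundary that sloppy range handling gets wrong, and the unpinned case is why a manifest alone is not an inventory: the versions you ship are the ones in your lock file or build artifact, and that is what the check should run against.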

Processes, Processes, Processes

At the end of the day, open source assets need to be managed as extensively as proprietary assets. This can seem painstaking at first, but it will vastly improve your workflow and strengthen your code. Processes, as well as analysis, should be put in place to enhance the security of your code. The bottom line is that your organization should have a plan, as well as a back-up plan, for how to approach security when deploying or utilizing any digital asset – whether it’s based on open source or proprietary code.

Fortunately, everything we’ve covered, large and small – from ingraining a culture of cybersecurity into your organization to staying one step ahead of attackers and everything in between – goes hand in hand. These recommendations all strengthen each other, and every step you take makes the next one a bit easier. By being proactive about security and adhering to the necessary precautions, you can protect your applications as well as your customers.

Josh Anderson

Former Writer Acquia