Identifying the security risks and rewards of open source software deployments
Open source components are now at the core of many applications and a good deal of infrastructure. But what implications does this have for security?
The Information Security Forum has released a new paper, Deploying Open Source Software: Challenges and Rewards, to help security professionals recognize the benefits and perceived challenges of using open source and set up a program of protective measures to effectively manage it.
Open source software is often seen as being insecure and unsupported. As these negative connotations continue to taint its reputation, some organizations officially ban it, even though they may unknowingly be using OSS. Others enthusiastically adopt OSS, harnessing its advantages, such as aiding flexible and rapid development. This latest paper from the ISF demonstrates that OSS can be a positive influence on software development, if used and managed responsibly.
"Many organizations are adopting agile and DevOps methodologies, which is driving an increased uptake of OSS and, in turn, the creation of new mixed source applications," says Paul Holland, principal research analyst at ISF. "The growing prevalence of OSS needs to be balanced by a concerted effort to manage its use appropriately and effectively. For some organizations, the first step is to realize that the myths surrounding OSS are simply illusions. For other organizations, the appeal of OSS and mixed source software is already apparent, allowing them to develop new applications securely and increase speed to market for new ideas."
Among the paper's suggestions are that OSS program managers should be supported with the necessary funds and resources to develop a viable program and team. While existing tools for closed source software can in some instances be extended to secure and manage OSS, the program team may need additional tools to further enhance OSS security. The team should also monitor threat intelligence feeds for mentions of the OSS components their organization is using.
"Resisting the move to OSS could limit an organization's ability to progress and evolve. If harnessed effectively, OSS can potentially be an accelerator for the business," adds Holland. "Fostering an OSS management program is therefore vital to securing and managing OSS, allowing the organization to use it safely. Combining this with established practice around the management of closed source software will deliver a coherent, all-encompassing software management program, providing the best opportunity for success."
The full paper is available to ISF members via its website.