Security Control of open-source software

Security Control of open-source software

As shown in OpenSSL heartbleed, if you do not know the code in your product, it may cause serious security threats or even prolonged remedial work. On the contrary, if you are familiar with open-source components and their versions in the project, you can quickly respond and fix them in time.

OpenSSL TLS heartbeat read remote information leakage (CVE-2014-0160)

Severe OpenSSL bug allows attackers to read 64 KB of memory, fixed in half an hour in Debian

OpenSSL "heartbleed" Security Vulnerability

Provides FTP + SSL/TLS authentication through OpenSSL and implements secure data transmission.

Software companies are increasingly aware that the key to winning the market is to use open source software. Using commercial software alone for development is slow and costly, and almost cannot adapt to the rapid iteration and elimination of the current software life cycle. If you cannot discover and integrate highly cohesive open-source software, many excellent concepts won't be implemented.

However, it is also risky to use open-source software, that is, it is difficult to determine its source and its security.

As shown in OpenSSL heartbleed, if you do not know the code in your product, it may cause serious security threats or even prolonged remedial work. On the contrary, if you are familiar with open-source components and their versions in the project, you can quickly respond and fix them in time.

Internal security is the most important

The heartbleed vulnerability has given us a serious warning about the importance of security. It is meaningless for the broad masses of people to discuss which of the patented software and open source software is safer. The reality is that software is vulnerable without absolute security, whether open source or not.

The most obvious risk is that the certification is not properly managed (visual testing means that the certification is not updated in time, resulting in no patching, etc., as detailed below ). In addition, when patented software uses open source code, the situation becomes more complex. In this way, the purpose and source of the code will be difficult to trace.

To accurately identify security vulnerabilities, you must first understand the following three things:

 

1. What code does your project have?
2. Where did your front-end components come from?
3. How does your backend code perform code check? (It seems like it's just one thing ......)

 

Status Evaluation

All companies should pass some common code check libraries, such as the "vulnerability library" of the National Institute of Standards and Technology, which can rate the security of your code, to ensure its security and not lag behind.

If you haven't done that, it's really hard to get started. Fortunately, there are some tools that can automatically help you compare with the vulnerability library and tell you where to modify it.

Continuous control of your code library helps you understand the code source, update authentication in time, and solve future vulnerabilities in advance. If you have an accurate code list, you can easily fix the code to ensure the security of your business and customers.

Prevent future problems

Free and easy-to-use open-source software allows developers to abandon the purchase of patented software. Many development teams have management measures for open source code, but there is little implementation and record. In fact, it is very important to record the introduction and approval of code and its usefulness.

When you know what code you have, you should implement management next. By applying a management architecture during development, You can accurately describe the Code Location and whether the code is outdated. Manual management is undoubtedly difficult, so first-class companies will adopt smart and automated solutions.

Although the companies are different, the following methods have proved to avoid vulnerabilities in open source software:

 

• Automated approval and cataloguing: Automated scanning, review, and cataloguing are used to capture and record all relevant attributes of open-source components, and assess and authenticate and review possible vulnerabilities.
• Update: Check whether the software is built on the latest and most stable components. This is a quality check.
• Code Review: evaluates all codes, reviews security and software certifications, detects risks, and patches in a timely manner.
• Ensure implementation: Establish and implement a set of policies for managing open source software, automate as much as possible, and ensure implementation within the Organization.

 

Enthusiasm is the key

Software applications are spreading across all walks of life, and open source software is the driving force of this trend. To avoid security vulnerabilities in an increasingly complex environment, enterprises must actively manage the open-source software and establish a regular comparison process with the vulnerability library to facilitate software repair.

OpenSSL details: click here
OpenSSL: click here

Source: csdn code source: http://www.linux.com/news/software/applications/782953-how-to-achieve-better-security-by-proper-management-of-open-source Author: Bill ledheim Translation: http://code.csdn.net/news/2821143 Translator: moqiguzhu permanent update link address: