Don't blame open source technology it's innocent

Don't blame open source technology it was innocent posted 21 hours ago | Times Read | SOURCE gigaom| 0 Reviews | Author Ryan Berg Cloud computing Open Source Security Summary: When security vulnerabilities arise, we often push the onus on open source software. But abandoning open source is not http://www.aliyun.com/zixun/aggregation/7432.html "> solve the problem answer-open source is a very important direction." Instead, we need to take some key steps to ensure the security of components throughout the development process.

Sonatype's chief security officer, Ryan Berg, wrote in Gigaom that we should not blame the security issue on the open source itself, which is actually the problem with proprietary software. The real way to deal with security issues is to focus on every aspect of the product lifecycle and take steps to improve the security of each aspect of software development.

The following is the full text of the article:

Last month, OnRamp's free advertising service was forced to shut down as a result of hacking attacks, which had a severe impact on millions of of sites. OnRamp's parent company, OpenX, issued an official statement at the forum questioning the security of open source technology.

But the industry is more inclined to think: this is not an open source problem, and we should not put the blame on open source users and manufacturers. Open source economics and productivity make it almost the mandatory component of any modern software application. We have great benefits in open source-rapid development, re-use of validated components, allowing users to focus more time on proprietary software features.

This is not only proof of the benefits of open source, but also that it is necessary. This is why more than 70,000 companies have handled nearly 8 billion requests for open source components over the central repository last year, covering all major categories of applications, including networks, cloud, mobile, and critical infrastructure.

The indisputable fact is that more than 80% of the assembly in a typical software application today is assembled with existing components, and most of them are open source, from dozens of, or hundreds of separate projects. All vertical industries, both regulatory and unregulated, use a large number of open source components in both internal and user-oriented applications.

Open source is necessary

You can think of today's software development organization as a car manufacturer, with developers using existing parts or parts to "assemble" applications, rather than writing applications from scratch. But unlike manufacturing, the software industry lacks the tools necessary to manage the complexities and risks of a complex distributed software supply chain.

component-based development requires management, and security issues arise when oversight is incomplete. Simply put, a defective software supply chain means flawed applications. Our research shows that at least 71% of applications contain components that are known to be listed as critical or critical security vulnerabilities.

Digital Forensics Association released the leaking Vault 2011, said that in a short period of time, more than 156 billion dollars in direct losses can be attributed to data leaks. A business survey of applied risk management by Forrester and Veracode found that 62% per cent of respondents said they had found loopholes in the past year due to flaws in their critical applications.

Reduce the risk of inevitable

Now, the question becomes how to achieve the benefits of open source while reducing risk and component consumption. Of course, there are persistent and complex threats to open source software, and proprietary software poses the same threat. We know that the danger comes from outdated components that use discovered vulnerabilities, from the absence of a compelling open source policy, and the open source software that does not have a dependency on the license or license to manage components.

It is important to understand that this is a supply chain problem: you need to manage components at every stage of the software development Lifecycle (consumption, development, integration, and production processes).

Reduce security risks

To reduce the security risk, we need to strengthen the whole software development lifecycle protection measures on the component layer, and improve the integrity of the whole software supply chain. Imagine if there is a vulnerability risk in a popular open source component, and because components are used by many applications, the component becomes a steamed in the eyes of hackers.

Here are some of the key mitigating risks:

Study an open source policy if your organization has not yet. If you do, check it often. Make sure it is clear to the development team and responsible for the process of security management so that it gets everyone's support. Ensure that your policies provide key guidance for component safety, licensing, and quality attributes. In addition, open source strategies need to be comprehensive, outlining organizational standards and values, and creating more guidelines to drive usage decisions. Make sure your policies are enforceable. What is the point of not being able to execute? An armchair policy will be overlooked, so find ways to integrate execution into the software development process itself. Provide developers with the information they need to make the right choices. Your developers are on the frontline, so give them the ability to fight. Allow them to early detect defects or not meet the requirements of the place, save time and money as early as possible. Clarify the dependencies between production, inventory components, and them. Knowing your application's composition during troubleshooting is half the success. Pay close attention to newly discovered flaws. A new vulnerability may occur at any time, and when a new vulnerability arises, you will need to discover the first time and know which component is in use. There is a remedy to be taken. No matter what part of the lifecycle, know how to solve it. Fixing bugs is not always easy, so we need to have a plan.

Whether you're using open source software or proprietary software, free software, or paid software, keep this in mind: if we can maintain the component layer by building a good component approach, it's good for the entire lifecycle of the product. (Wang/Compile Zhonghao/revisers)

This article is from: Gigaom

"The First China Cloud computing Conference" will be held in June 2013 5-7th in the Beijing National Convention Center. Slam The Register!

If you have a wealth of practical experience, creative issues and are happy to share the results with others, welcome to introduce or recommend lecturers; related issues and suggestions please @CSDN cloud computing or join 147015990 (QQ Group: China Cloud Computing) to participate in the discussion.

The fifth session of China Cloud Computing Conference