Open source technology is innocent

Ryan Berg, Sonatype's chief security officer, told Gigaom that we should not point security issues directly at open source as we face some issues, but also consider them elsewhere. In fact, special software will have such a problem. The real response to security should be to focus on every aspect of the product life cycle and to take steps to improve the security of every aspect of software development.

Recently, OnRamp free advertising service was forced to shut down due to hacker attacks, the service shut down directly affects millions of websites. OnRamp's parent company OpenX released an official statement at the forum that questioned the security of open-source technology .

In this regard, said that this is not an open source issue, and we should not blame open source users and manufacturers. The open-source economics and productivity make it a mandatory component of almost any modern software application. We have all enjoyed huge benefits in terms of open source - rapidly developing and reusing validated components that allow users to focus more time on software features in proprietary areas.

This not only demonstrates the benefits of open source, but also shows that it is necessary. That's why more than 70,000 organizations handled almost 8 billion requests for open source components on Central Repository last year, covering all major categories of applications, including networking, cloud, mobile, and critical infrastructure.

The undisputed fact is that today over 80% of the assembly of a typical software application is assembled using existing components and the vast majority of them are open source, coming from dozens or hundreds of separate projects . All vertical industries, both regulatory and non-regulatory, use a large number of open source components in internal and user-facing applications.

Open source is necessary

You can think of today's software development organization as a car manufacturer, and developers "assemble" the application using existing parts or components instead of rewriting the application from scratch. But unlike manufacturing, the software industry lacks the tools necessary to manage the complexity and risk of a complex, distributed software supply chain.

Component-based development needs to be managed and security issues arise when monitoring is incomplete. Simply put, a flawed software supply chain means a flawed application. Our research shows that at least 71% of application-included components are known to be listed as critical or critical security vulnerabilities.

The Leaking Vault 2011, released by the Digital Forensics Association, said more than $ 156 billion in direct losses in a short period of time can be attributed to data breaches. A commercial survey conducted by Forrester and Veracode on application risk management found that 62% of respondents said they found a vulnerability in the past year due to a flaw in their critical applications.

Reduce the risk of inevitable

Now, the question becomes how to realize the benefits of open source while reducing risk and component consumption. Of course, there are constant and complex threats to open source software, which is also a threat to proprietary software. We know the danger is that obsolete components that use discovered vulnerabilities come from not having an enforceable open source policy and that the open source software has no dependencies on managing component licenses or licenses.

It is important to understand that this is a supply chain issue: you need to manage the components at each stage within the software development life cycle (the process of consumption, development, integration, and production).

Reduce security risks

To reduce security risks, we need to enhance the overall protection of the software development life cycle at the component level and improve the integrity of the entire software supply chain. Imagine if there is a risk of a vulnerability in a popular open source component, and because the component is used by many applications, the component becomes a hacker in the eyes of hackers.

Here are some key tips for reducing risk:

Study an open source policy if your organization does not already have it. Check it often if you have it. Make sure it is clear to the development team and accountable for the security management process and get it backed up by everyone.

Make sure your policies provide key guidelines for component safety, licensing, and quality attributes. In addition, the open source strategy needs to be comprehensive, outlining the organization's standards and values ​​and creating more guidelines to drive usage decisions.

Make sure your policies are enforceable. If there is no implementation capacity, then what is the point? Policy on paper will be ignored, so look for ways to integrate the implementation into the software development process itself.

Provide developers with the information they need to make the right choice. Your developers are at the forefront, so give them the ability to fight. Allowing them to detect defects or irregularities early on, saving them time and money as early as possible.

Clear up production, inventory components and their dependencies. Knowing the composition of your application during troubleshooting is half as successful.

Pay close attention to the newly discovered defects. New vulnerabilities may appear at any time, when a new vulnerability occurs, you want to find the first time, and know which component is in use.

There must be a remedy. Regardless of what part of the life cycle occurs, we must know how to solve. Fixing bugs is not always easy, so we need to have a plan.

Keeping this in mind, whether you're using open source or proprietary software, freeware, or paid software, it's good for the entire lifecycle of a product if we can maintain it by building good component methods.

【Editor's Choice】

GitHub Era: Why are we all in the open-source cloud security technology than ordinary security technology what are the advantages Graphic Cloud Computing: Cloud Security Applications What are the advantages of cloud security compared to ordinary security [Editor: Xiao Yun TEL: (010) 68476606]