How Flexera is Helping Organizations Manage Open Source Vulnerabilities

By Community Team

As software development becomes a more collaborative experience, organizations are leveraging open source software (OSS) to quickly build and deploy applications. According to a survey by North Bridge, the adoption of OSS is slowly but surely becoming pervasive. In fact, 90% of respondents report that they rely on open source for improved efficiency, innovation, and interoperability.

Embracing OSS has undoubtedly brought numerous benefits to organizations, including faster time to market, a decreased workload for developers, and reduced costs for businesses. Yet despite these advantages, using OSS can have some drawbacks — particularly in the area of enterprise security. This year’s Equifax breach, for instance, was a reminder that OSS components can pose significant risks to enterprise security if not properly controlled and maintained. Thus, it is crucial for organizations to establish new policies and tactics for managing open source risk to avoid being the next victim of a data hack or breach.

SourceForge recently spoke with Jeff Luszcz, the Vice President of Product Management at Flexera Software, a leading provider of next-generation software licensing, compliance, security, and installation solutions, to discuss how enterprises can address open source vulnerabilities. Luszcz also shared how FlexNet Code Insight, a single integrated solution for OSS license compliance and vulnerability risk from Flexera, can help businesses stay agile and secure.

The Explosive Growth of Open Source Software

Jeff Luszcz, the Vice President of Product Management at Flexera

To say that the emergence and explosive growth of open source has transformed software development would be an understatement. According to Luszcz, open source continues to grow in ways that would have been unthinkable even a decade or so ago. “Open Source is becoming the first choice for many companies when it comes to procuring software technology,” shared Luszcz. “Previously, developers would be expected to get a waiver in order to bring Open Source technology into an organization. But now, OSS is the default, and the waiver process is often used for proprietary components instead.”

This growth and adoption of open source has benefited companies in various ways. “Using OSS components allows companies to bring in skills that they may not be able to hire for, as well as significantly reduce the cost required to support features and technology,” said Luszcz. “Many companies have the same itch, and open source allows them to work on shared infrastructure components that benefit the entire industry.” And as for developers, Luszcz stated that the ease of access and integration of OSS components enables developers to use familiar, high-quality software stacks when they change jobs or projects.

Managing Open Source Risk

OSS has a reputation for poor security, and Luszcz seeks to correct this perception. “I often tell our clients, ‘Open Source is not your security problem; your lack of knowledge about what you’re using is your security problem,’” Luszcz emphasized. According to Luszcz, OSS components are often of the same (or higher) quality than proprietary options. “Because the vast majority of third-party components in a modern software product are open source, the majority of the security issues enterprises have to deal with are in open source components.”

“The most common security issues encountered by teams are components that they didn’t know they were using that have reported security issues,” explained Luszcz. “The other major security issue that companies deal with is the time it takes from discovering that a vulnerability exists, to upgrading or patching the component, to releasing a tested update to their product.” Luszcz continued: “As the pace of OSS and third-party component use increases, the need to release updated product versions also increases. This process should be tested often to make sure the development team is able to more quickly turn releases around.”

Ignoring known vulnerabilities in OSS components will not only affect individual app and software projects but can also impact the business as a whole. Consider the Equifax data breach, for instance. The breach reportedly occurred because Apache failed to patch a particular vulnerability in Apache Struts, an open-source web application framework. Equifax had ample opportunity to update, but failed to do so. The attackers then exploited the vulnerability to gain access to the Equifax servers and network. And the rest, as they say, is history. Thus, to avoid being the next Equifax, Luszcz offers the following tips for effectively managing open source risk:

  • Get a Bill of Materials (BOM) – The first and most important action for teams to take is to get a comprehensive Bill of Materials (BOM) for their software product. Luszcz said the BOM should include all top-level packages, their dependencies and subcomponents – both Open Source and commercial components. The hidden dependencies and subcomponents should be uncovered so that the team knows the product’s full potential vulnerability exposure.
  • Communicate with software suppliers – “It’s also important to have good lines of communication with your software suppliers, whether they’re OSS or proprietary in nature,” advised Luszcz. Luszcz said that companies should require their proprietary suppliers to comply with the obligations of the open source licenses they use and disclose the true BOM they’re supplying, as well as any copyleft or similar obligations. “And if your contracts don’t already contain language to enforce this, it’s time to update them,” he added.
  • Educate the developer community about open source licensing and vulnerability management practices – This is an important step in preventing security problems, said Luszcz. “Knowing how to comply with the licenses, as well as how to best deal with security issues, will make it so that your organization isn’t only dealing with these issues during an emergency,” he explained. “The proper vetting of components as they’re selected, as well as understanding how to best patch or interact with the community in the event of a vulnerability, are important components of an open source strategy.”

Take Control of Open Source with FlexNet Code Insight

To help companies take control of open source and stay ahead of OSS vulnerabilities in addition to license compliance, Flexera recently released the latest version of FlexNet Code Insight. The FlexNet Code Insight platform is aimed at teams building software applications in a commercial environment. “With software being comprised of anywhere from 50 to 90 percent open source components, the ability to know what you’re using, comply with the open source licenses, as well as to be alerted to vulnerabilities as they are detected are all required parts of shipping a modern software package,” said Luszcz. “FlexNet Code Insight empowers organizations to take control of and manage use of open source software (OSS) and third-party components. It helps development, legal and security teams use automation to create a formal OSS strategy and policy that balances business benefits and risk management.”

Below are the key features of FlexNet Code Insight that make it a must for modern teams looking to enhance security while also accelerating their development:

  • Multiple detection options – The ability to use multiple detection techniques to discover components from the package level (such as Maven, Nuget or NPM) all the way down to the cut and paste level allows users to create the most comprehensive BOM. This BOM can then be used to discover vulnerabilities using sources of data such as the National Vulnerability Database (NVD) and Secunia Research at Flexera.
  • Compliance and policy features – These allow users to specify and discover what’s allowed (or not allowed) to be used due to a vulnerability or license compliance issues.
  • Alerts – Businesses will get the ability to receive alerts for deployed software when new vulnerabilities are published.
  • Comprehensive scanning – FlexNet Code Insight’s ability to do comprehensive scanning down to the source code snippet level allows users to create a larger and more accurate BOM than other solutions in the market. Additionally, the ability to look inside compiled packages for important (and often overlooked) vulnerable open source packages is a level of analysis that often sets FlexNet Code Insight apart from other solutions. This level of analysis is an important part of managing a commercial software supply chain, especially when the supplier does not share source code or a BOM.
  • On-premises solution – FlexNet Code Insight is an on-premises solution, which means your source code stays inside your organization. This is an important use case that isn’t easily supported by other tools.
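As an added example (not Flexera’s code and not how FlexNet Code Insight works internally), the script below ties together the two steps the article describes: building a BOM that includes the hidden transitive dependencies, and matching every component against an NVD-style feed of affected version ranges. The npm `package-lock.json` and the vulnerability feed are constructed sample data, and the advisory IDs are placeholders rather than real CVEs.

```python
"""Flatten an npm lockfile into a BOM and match it against a vulnerability feed.
Added example; the lockfile, feed and advisory IDs below are all constructed."""
import json

# Constructed package-lock.json (v1 layout). Nested "dependencies" blocks are
# where the components a team "didn't know they were using" end up.
LOCKFILE = json.loads("""{
  "name": "demo-app", "lockfileVersion": 1,
  "dependencies": {
    "web-framework": {"version": "2.3.1", "dependencies": {
      "parser-lib": {"version": "1.0.4"},
      "util-lib": {"version": "0.9.0", "dependencies": {
        "parser-lib": {"version": "1.2.0"}}}}},
    "logger": {"version": "4.1.0"}
  }}""")

# Constructed NVD-style feed: package, first affected version, first fixed version.
FEED = [
    {"id": "EXAMPLE-0001", "pkg": "parser-lib", "start": "1.0.0", "fixed": "1.1.0"},
    {"id": "EXAMPLE-0002", "pkg": "logger", "start": "4.0.0", "fixed": "4.2.0"},
]

def parse_version(v):
    """Numeric tuple so that 1.10.0 sorts after 1.9.0 (string compare would not)."""
    return tuple(int(x) for x in v.split("."))

def flatten_bom(deps, path=()):
    """Yield (name, version, path) for every package at every nesting depth."""
    for name, meta in deps.items():
        here = path + (name,)
        yield name, meta["version"], here
        yield from flatten_bom(meta.get("dependencies", {}), here)

def build_bom(lockfile):
    """Deduplicate by (name, version) but keep every path that pulls it in,
    so the same library at two versions shows up as two BOM entries."""
    bom = {}
    for name, version, path in flatten_bom(lockfile.get("dependencies", {})):
        bom.setdefault((name, version), []).append(" > ".join(path))
    return bom

def match_vulnerabilities(bom, feed):
    """Report each BOM entry whose version falls in [start, fixed) of an advisory."""
    findings = []
    for (name, version), paths in bom.items():
        v = parse_version(version)
        for adv in feed:
            if adv["pkg"] == name and parse_version(adv["start"]) <= v < parse_version(adv["fixed"]):
                findings.append({"id": adv["id"], "pkg": name, "version": version, "paths": paths})
    return findings

if __name__ == "__main__":
    for f in match_vulnerabilities(build_bom(LOCKFILE), FEED):
        print(f["id"], f["pkg"], f["version"], "via", "; ".join(f["paths"]))
```

The output paths show which top-level package drags in the vulnerable version, which is the information a team needs to decide whether to upgrade the direct dependency or pin the transitive one.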

Trends in Open Source Security

Because security is a major concern when it comes to incorporating OSS components, Luszcz believes that third-party scanning and BOM will also grow in importance over time. “The continued impact of the Equifax hack is causing more and more companies to make OSS and third-party scanning a required part of the use and purchase of software packages,” said Luszcz. “We’re hearing more companies require a complete BOM to be delivered as part of a product sale, which is encouraging companies to perform their initial scans, fix what is needed and keep an up-to-date BOM.”

“Due to this, we are seeing more companies trying to document their complete software supply chain as well as put contract language in place to push compliance and disclosure requirements lower in the chain,” continued Luszcz. “Flexera’s ability to produce SPDX and other compliance documents helps with the process whether you’re selling or buying software.”

The use of containers as a packaging mechanism is also increasing, added Luszcz. More and more companies are delivering their products as containers, which adds an additional layer of OSS software as well as additional requirements for patching and updates. “FlexNet Code Insight has added the ability to scan Docker containers in order to give our customers visibility into this new deployment technique,” noted Luszcz.

About Flexera

Flexera is reimagining the way software is bought, sold, managed and secured. Flexera offers Monetization and Security solutions, which help software sellers transform their business models, grow recurring revenues and minimize open source risk; and Vulnerability and Software Asset Management (SAM) solutions that strip waste and unpredictability out of procuring software, helping companies buy only the software and cloud services they need, manage what they have, and reduce compliance and security risk.