{"id":597965,"date":"2023-01-16T05:50:41","date_gmt":"2023-01-16T11:50:41","guid":{"rendered":"https:\/\/news.sellorbuyhomefast.com\/index.php\/2023\/01\/16\/dont-forget-open-source-software-oss-when-assessing-cloud-app-security\/"},"modified":"2023-01-16T05:50:41","modified_gmt":"2023-01-16T11:50:41","slug":"dont-forget-open-source-software-oss-when-assessing-cloud-app-security","status":"publish","type":"post","link":"https:\/\/newsycanuse.com\/index.php\/2023\/01\/16\/dont-forget-open-source-software-oss-when-assessing-cloud-app-security\/","title":{"rendered":"Don\u2019t forget open source software (OSS) when assessing cloud app security"},"content":{"rendered":"<div>\n<section>\n<p><time title=\"2023-01-15T17:10:00+00:00\" datetime=\"2023-01-15T17:10:00+00:00\">January 15, 2023 9:10 AM<\/time>\n\t\t\t<\/p>\n<\/section>\n<div>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"750\" height=\"500\" src=\"https:\/\/venturebeat.com\/wp-content\/uploads\/2022\/08\/GettyImages-1371738261.jpg?fit=750%2C500&#038;strip=all\" alt=\"3D technology illustration Fingerprint scanner with cloud integrated with a printed circuit board. release binary code\"><\/p>\n<div>\n<p><span>3D technology illustration Fingerprint scanner with cloud integrated with a printed circuit board. 
release binary code<\/span><\/p>\n<\/div><\/div>\n<\/p><\/div>\n<div id=\"primary\" role=\"main\">\n<article id=\"post-2839101\">\n<div>\n<p>The software development process is getting quicker. Devops teams are under increased pressure to go to market, and they\u2019re able to work quickly, thanks in part to open-source software (<a href=\"https:\/\/venturebeat.com\/2021\/06\/18\/what-is-open-source\/\">OSS<\/a>) packages.\u00a0<\/p>\n<p>OSS has become so prevalent that it\u2019s estimated to factor into <a href=\"https:\/\/www.coreinfrastructure.org\/wp-content\/uploads\/sites\/6\/2020\/02\/census_ii_vulnerabilities_in_the_core.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">80 to 90%<\/a> of any given piece of modern software. But while it\u2019s been a great accelerator to software development, OSS creates a large surface area that needs to be protected because there are millions of packages created anonymously that developers use to build software.\u00a0<\/p>\n<p>Most open-source developers act in good faith; they are interested in making life easier for other developers who might encounter the same challenge they\u2019re looking to solve. It\u2019s a thankless job because there\u2019s no financial benefit to publishing an OSS package and plenty of backlash in comment threads. 
According to GitHub\u2019s <a href=\"https:\/\/opensourcesurvey.org\/2017\/#about:~:text=By%20far%2C%20the,experienced%20by%203%25).\" target=\"_blank\" rel=\"noreferrer noopener\">Open Source Survey<\/a>, \u201cthe most frequently encountered bad behavior is rudeness (45% witnessed, 16% experienced), followed by name calling (20% witnessed, 5% experienced) and stereotyping (11% witnessed, 3% experienced).\u201d<\/p>\n<p>Unfortunately, not every OSS package can be trusted. Attribution is hard to track for changes made to open-source code, so it becomes almost impossible to identify malicious actors who want to compromise the code\u2019s integrity. Malicious open source software packages have been inserted to make a point about big companies using these packages but not funding their development, and at other times for purely malicious reasons.\u00a0<\/p>\n<p><html><body><\/p>\n<p><\/body><\/p>\n<p>If an OSS package is used to build software and has a vulnerability, that software now has a vulnerability, too. A back-door vulnerability can potentially compromise millions of applications, as we saw with <a href=\"https:\/\/thenewstack.io\/log4j-is-one-big-i-told-you-so-for-open-source-communities\/\" target=\"_blank\" rel=\"noreferrer noopener\">Log4j<\/a> last year. 
According to <a href=\"https:\/\/www.openlogic.com\/success\/resources\/2022-open-source-report\" target=\"_blank\" rel=\"noreferrer noopener\">OpenLogic\u2019s<\/a> State of Open Source Report, 77% of organizations increased their use of OSS last year, and 36% reported that the increase was significant. But research from the <a href=\"https:\/\/resources.snyk.io\/state-of-open-source-security-report-2022?aliId=eyJpIjoiXC83SHZ3QVhKT2ZGMmgxUkQiLCJ0IjoiMzhXXC9YSmZYNU4rV3VsY25jN2JlYXc9PSJ9\" target=\"_blank\" rel=\"noreferrer noopener\">Linux Foundation<\/a> shows that only 49% of organizations have a security policy that covers OSS development or use.<\/p>\n<p>So how can you better understand the risk OSS poses to your <a href=\"https:\/\/venturebeat.com\/data-infrastructure\/5-top-trends-driving-data-infrastructure-strategies-according-to-gartner\/\" target=\"_blank\" rel=\"noreferrer noopener\">cloud<\/a> application development and work to mitigate it?\u00a0<\/p>\n<h2 id=\"h-get-visibility\">Get visibility<\/h2>\n<p>The first step in understanding what kind of threat you face is to understand the surface area of your application. Build <a href=\"https:\/\/venturebeat.com\/enterprise-analytics\/report-90-of-orgs-indicate-increased-demand-for-automation\/\" target=\"_blank\" rel=\"noreferrer noopener\">automation<\/a> into your <a href=\"https:\/\/venturebeat.com\/security\/what-is-cybersecurity-definition-importance-threats-and-best-practices\/\" target=\"_blank\" rel=\"noreferrer noopener\">cybersecurity<\/a> measures to gain visibility into which OSS packages and which versions are being used in your software. 
By starting as early as the integrated development environment (IDE), you can fit this practice into your developers\u2019 workflow, so they\u2019re not being slowed down.\u00a0<\/p>\n<p>Also consider infrastructure as code (IaC), such as <a href=\"https:\/\/venturebeat.com\/business\/terraform-hashicorp\/\" target=\"_blank\" rel=\"noreferrer noopener\">Terraform<\/a>. Are you aware of all the modules you\u2019re using? If someone else built them, do they adhere to your security controls?\u00a0<\/p>\n<p>Once you understand the scope of your OSS usage, you can slowly start to establish control.\u00a0You\u2019ll need to find a balance between oversight and developers\u2019 freedom and velocity.\u00a0<\/p>\n<h2>Dig in to open source software<\/h2>\n<p>The industry standard is Supply-chain Levels for Software Artifacts (<a href=\"https:\/\/slsa.dev\/\" target=\"_blank\" rel=\"noreferrer noopener\">SLSA<\/a>), a framework of standards and controls that aims \u201cto prevent tampering, improve integrity, and secure packages and infrastructure in your projects.\u201d There are certain tools you can use that leverage SLSA to identify if an OSS package has known issues before your developers start using it.<\/p>\n<p>From there, you should either establish an \u201callow list\u201d of trusted sources and reject all others, or at least audit instances where sources that aren\u2019t on the \u201callow list\u201d are used. Composition analysis like the one released by the <a href=\"https:\/\/github.com\/ossf\/package-analysis\" target=\"_blank\" rel=\"noreferrer noopener\">Open Source Security Foundation<\/a> (OpenSSF) can help inform what that \u201callow list\u201d should look like.<\/p>\n<p>Tech giants have gotten in on open source software security too, considering they also use these packages. 
Google made a <a href=\"https:\/\/blog.google\/technology\/safety-security\/why-were-committing-10-billion-to-advance-cybersecurity\/\" target=\"_blank\" rel=\"noreferrer noopener\">$100 million<\/a> commitment \u201cto support third-party foundations, like OpenSSF, that manage open-source security priorities and help fix vulnerabilities.\u201d It also has a <a href=\"https:\/\/security.googleblog.com\/2023\/08\/Announcing-Googles-Open-Source-Software-Vulnerability-Rewards-Program%20.html\" target=\"_blank\" rel=\"noreferrer noopener\">bug bounty program<\/a> that it positions as a \u201creward program,\u201d to compensate researchers that find bugs in OSS packages.<\/p>\n<p><a href=\"https:\/\/www.techtimes.com\/articles\/275486\/20220516\/amazon-microsoft-google-more-invest-30m-reinforce-open-source-software.htm\" target=\"_blank\" rel=\"noreferrer noopener\">A separate initiative<\/a> headlined by Amazon, Microsoft and Google includes $10 million to reinforce open-source software security, but that\u2019s 0.001% of the companies\u2019 combined 2021 revenue. While an admirable and important effort, it\u2019s a drop in the bucket in comparison to the scope of the issue.\u00a0<\/p>\n<h2>Raise awareness<\/h2>\n<p>Larger investments from tech giants that depend on OSS and its continued innovations are needed, but we also need more community participation and education.<\/p>\n<p>OSS packages benefit the greater good for developers, and the landscape encourages the anonymity of those code authors. So, where do we go from here in prioritizing security?<\/p>\n<p>Training developers at the university level on the potential risks associated with blindly adding OSS packages into software code is a good place to start. 
This training should continue at the professional level so organizations can protect themselves from the threats that sometimes infiltrate these packages and, in all likelihood, their software, too.\u00a0<\/p>\n<p>Leaning on organizations like the Cloud Native Computing Foundation (<a href=\"https:\/\/www.cncf.io\/blog\/2022\/08\/23\/mid-year-update-on-2022-cncf-linux-foundation-and-open-source-velocity\/\" target=\"_blank\" rel=\"noreferrer noopener\">CNCF<\/a>), which has charted some of the best open-source projects, also offers good groundwork.<\/p>\n<p>Open source software packages are a vital component of the increased velocity of application development, but we need to pay better attention to what\u2019s inside them to limit their risk and fend off <a href=\"https:\/\/venturebeat.com\/2022\/05\/20\/report-frequency-of-cyberattacks-in-2022-has-increased-by-almost-3m\/\" target=\"_blank\" rel=\"noreferrer noopener\">cyberattacks<\/a>.<\/p>\n<p><em>Aakash Shah is cofounder and CTO at oak9<\/em>.<\/p>\n<p>\t\t\t\t<\/html><\/div>\n<\/p><\/div>\n<p><a 
href=\"https:\/\/venturebeat.com\/programming-development\/dont-forget-open-source-software-oss-when-assessing-cloud-app-security\/\" class=\"button purchase\" rel=\"nofollow noopener\" target=\"_blank\">Read More<\/a><br \/>\n Aakash Shah, oak9<\/p>\n","protected":false},"excerpt":{"rendered":"<p>January 15, 2023 9:10 AM 3D technology illustration Fingerprint scanner with cloud integrated with a printed circuit board. release binary code Check out all the on-demand sessions from the Intelligent Security Summit here. The software development process is getting quicker. Devops teams are under increased pressure to go to market, and they\u2019re able to work<\/p>\n","protected":false},"author":1,"featured_media":597966,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[640,3278,46],"tags":[],"class_list":{"0":"post-597965","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-dont","8":"category-source","9":"category-technology"},"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts\/597965","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/comments?post=597965"}],"version-history":[{"count":0,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts\/597965\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/media\/597966"}],"wp:attachment":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/media?parent=597965"}],"wp:term":[{"taxonomy":"cat
egory","embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/categories?post=597965"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/tags?post=597965"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}