Open source software (OSS) offers overwhelming benefits to digital technologists, developers, and marketers today: a faster, more affordable time to market and seamless integration with other software.
While the proliferation of open source over the years has resulted in more secure, stable software, skepticism around its overall security still remains. There are risks involved in using any software, open source or commercial. With open source, not only are there ways to mitigate risk, but the extensive benefits of using OSS greatly outweigh any uncertainty.
We talked to Michael Pittenger, VP of Security Strategy at Black Duck Software to learn more about the state of open source security.
“There are going to be bugs in software whether you write it yourself or whether you’re using open source,” Pittenger told Velocitize.
Risk can be significantly reduced by understanding the overall hygiene of the open source code being used. Pittenger recommends gaining a thorough understanding of the historical security profile of the platform as well as the state of the community that surrounds it.
Historical security profiles can help in the overall risk assessment associated with a specific open source project. “You may choose to switch from one open source platform to a similar project with a better security track record, but often that will be a function of how much digging developers have done,” said Pittenger.
For that reason, it’s critical to practice due diligence when selecting open source software. “Understand the code you’re using and the overall threat space because security can change overnight,” Pittenger said.
More established OSS, like WordPress for example, is among the more secure open source applications available. Moreover, through paid managed services, users can further mitigate risk because service providers take a number of proactive security measures, including automatic security updates.
Auto-updates aren’t possible, however, in systems that use pieces of open-source code across different components of their software. Pittenger explained that this is because there are often no clear processes in place to identify exactly where the code is being used and whether it needs updating. Moreover, because other components are involved, updated code must also be tested for compatibility.
To minimize risk, Pittenger recommends having a policy for monitoring open source code for updates and a process in place to triage issues as they arise. This can be done either through internal processes or by leveraging open-source management software to monitor applications and containers.
“The concerns around open-source security are going to be business based,” Pittenger said. “This means that if you are a bank you’re going to be worried about vulnerabilities that might allow someone to access customer information. If you’re Twitter, you might be more concerned about bugs that are going to impact availability.”
Think about your business objectives and what you’re trying to achieve, Pittenger recommended. This will enable you to identify the technical implications you’re most concerned about.
“Different vulnerabilities have different technical impacts,” Pittenger said. “Then there are some code bases you won’t worry about at all … there may be vulnerabilities you ignore because you’re willing to absorb that level of risk,” he said. “There may be applications you don’t test because they’re not doing anything business-critical or they’re not managing any information that isn’t already public.”
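As an added illustration of the inventory-and-triage process Pittenger describes (this is not code from the article or from Black Duck), the toy Python module below records which application embeds each open source component and triages advisories against a business-impact policy: a bank prioritizes confidentiality, an availability-focused service prioritizes uptime, and non-critical apps holding only public data may accept the risk. All component names, versions and advisories are constructed.

```python
"""Added example: triage open source advisories by business impact.
Inventory, versions and advisories below are constructed, not real."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Component:
    app: str          # application or container that embeds the component
    name: str
    version: str
    critical: bool    # does the app do something business-critical?
    sensitive: bool   # does the app handle non-public information?

@dataclass(frozen=True)
class Advisory:
    name: str
    fixed_in: str     # first version that contains the fix
    impact: str       # "confidentiality" or "availability"

# Constructed inventory: the same library appears in two very different apps.
INVENTORY = [
    Component("online-banking", "libfoo", "1.2.0", True, True),
    Component("marketing-site", "libfoo", "1.2.0", False, False),
    Component("api-gateway", "libbar", "3.0.1", True, False),
]
# Constructed advisories (hypothetical components, not real CVEs).
ADVISORIES = [
    Advisory("libfoo", "1.2.1", "confidentiality"),
    Advisory("libbar", "3.1.0", "availability"),
]
RANK = {"accept": 0, "schedule": 1, "update-now": 2}

def _ver(v: str) -> tuple:
    """Numeric tuple so '1.10.0' sorts after '1.9.3'."""
    return tuple(int(p) for p in v.split("."))

def triage(components, advisories, priority_impact):
    """Map (app, component) -> decision. priority_impact names the impact
    class the business cares about most; the most severe decision wins."""
    decisions = {}
    for c in components:
        for a in advisories:
            if a.name != c.name or _ver(c.version) >= _ver(a.fixed_in):
                continue  # different component, or already patched
            if not c.critical and not c.sensitive:
                d = "accept"  # willing to absorb this level of risk
            elif a.impact == priority_impact:
                d = "update-now"
            else:
                d = "schedule"
            key = (c.app, c.name)
            if key not in decisions or RANK[d] > RANK[decisions[key]]:
                decisions[key] = d
    return decisions
```

Running `triage(INVENTORY, ADVISORIES, "confidentiality")` flags the banking app for immediate update while the marketing site accepts the same flaw; switching the policy to `"availability"` reverses which component is urgent.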
The benefits outweigh the risk.
The Black Duck 2016 Future of Open Source Survey found that use of OSS increased in 65 percent of companies in 2016 vs. 60 percent in 2015. Not only that, but companies are starting to see more value in open source, with 67 percent participating in open source to squash bugs or add functionality and 59 percent participating to gain a competitive edge.
Companies recognize the tremendous value of open source in terms of lowering development costs and accelerating time to market.
“If a third of the average commercial application is open-source, then you just saved somebody a third of its development time,[…] If you decide to build that all yourself, then it’s going to cost you 50 percent more,” said Pittenger.
While cutting costs is important, OSS users are finding that the advantages go beyond affordability.
“Five years ago, Black Duck realized that the primary motivator for using open source was not cost… they recognize it’s not cost free — you still have to learn to use it, and there’s cost for support — whether you’re buying it or doing it yourself. […] They’re using it now because it adds value,” he said.
Pittenger stated that security issues don’t come into play that much when companies decide whether or not to use open source.
“People understand the risk, just as they understand the risks associated with the cloud… And the benefits far outweigh the risks,” Pittenger said.