Organizations using open-source software aren’t necessarily placing themselves at greater security risk, but the key to a successful, safe implementation of open-source software is a thorough management strategy.
Open-source software makes up the majority of enterprise company applications, and for most organizations, it’s far more secure to use an open-source module that’s been vetted by a larger community than to develop similar functionality in-house.
Open-source vulnerabilities get well-deserved attention when they happen, but the more common risk is that open source is configured or used in an insecure way.
“The open-source OpenSSL is one of the most used and trusted encryption tools in the world, but its security means nothing if developers leave their private keys in the repo,” says Casey Bisson, head of product for BluBracket.
Open Source and Productivity Acceleration
He explains that generally, there are fewer risks from properly managed open source, and that for developers who are rewarded for “working smarter, not harder,” open source is the best way to accelerate productivity.
“A successful open-source software security management strategy recognizes that open source is a driving factor and critical to team velocity,” Bisson says. “It’s also critical to understand that human approaches to security are unlikely up to the challenge and to use automation to supplement accordingly.”
Most importantly, an open-source software security management strategy should support developer velocity while enhancing security by integrating security into automated CI/CD processes rather than trying to conform developer processes to security.
Bisson explains the productivity gains from open source can fool companies into under-resourcing their larger software development process.
From his perspective, automated CI/CD -- with automated code scanning -- is more important than ever. Automated permissions monitoring and enforcement can also help.
“The last thing any developer wants is to find security risks in their work after they built it,” he says. “Incorporating automated security reviews earlier in the workflow gives developers faster feedback so they can make fixes before anything becomes a security issue.”
Importance of Transitive Dependencies
Miclain Keffeler, application security consultant at nVisium, notes a crucial element of any open-source software security management strategy is transitive dependencies.
Many development teams have a fine-tuned list of open-source software that they will use because they have vetted it, but often overlooked are the dependencies those dependencies use. Beyond this, when security vulnerabilities arise in these transitive dependencies, they need to be updated to fix them, but then the dependencies that use them must also be updated.
“This creates a supply chain issue, where it can often take longer for those fixes to make it to a wider audience depending on how quickly they make changes,” he says. “Those can take a very long time if the software is under-managed.”
Keffeler points to another common tool for open-source security management called Renovate Bot. It automatically opens pull requests to make updates to the project or library it is connected with, so that you can remain on the latest secure version of that dependency.
Additionally, simple tools like OWASP Dependency Track help identify and reduce risk in the software supply chain, making teams aware of all the transitive dependencies in use and how they can mitigate this risk going forward.
Software composition analysis tools can also help protect against risks in incoming open-source components, but supply chain security is more than just what software components are being used.
BluBracket’s Bisson explains that it includes securing the workflow to prevent accidental or intentional tampering.
Supply Chain Security
Automated enforcement of git access and configuration best practices like branch protection rules and requiring signed commits are critical to supply chain security.
“Ultimately, the supply chain doesn’t end until the code is in production, so access to the source code is another attack vector,” he says. “It’s critical to make sure developers have access to all the repos they need, but too many companies fail at terminating access as people leave the company or change teams.”
Keffeler echoes Bisson’s comments that supply chain security plays an essential role in the management of open-source software. “Open-source software is critical already in many enterprises,” he says. “This rise in supply chain attacks is a direct result of companies ignoring this piece because it’s not their responsibility.”
He adds that when it comes to open-source software, there is a collective responsibility that needs to be shared. “If we all use it, we need to take some ownership in ensuring its security,” he says. “The nature of open source tells us that anyone can manage it. If we can address how to make that work, we can all reduce the risk these attacks pose.”