Open source software (OSS) embodies more than Linux and other commonly used enterprise applications (e.g., SugarCRM, Pentaho, OpenOffice). It’s the thousands of no-name components that are causing open source security concerns. At the heart of most applications today, open source components relieve developers from reinventing the wheel.
You might remember Heartbleed and the Equifax breach, but in 2017 nearly 20,000 vulnerabilities were recorded by Secunia Research, a division of Flexera Software, and you don’t want to leave the door open to hackers by shipping software with vulnerabilities.
Knowing what you have will help you mitigate this risk:
- Receive alerts on OSS vulnerabilities affecting your products
- Mitigate the risk based on risk exposure scores
- Send updates and patches out quickly
To ensure security in the software supply chain, you need to minimize the risk of shipping products to customers with unpatched vulnerabilities.
There is a massive amount of undocumented open source code used in virtually all software. Flexera Software estimates that as much as 50 percent of the code in software is open source and other third-party code – and it’s not being proactively tracked and managed. In fact, most developers are only aware of about 4 percent of the open source code in their products.
Do you have the necessary automated processes in place to minimize your vulnerability risk?
Scan! Scan! Scan! Scan for open source and third-party components and vulnerabilities every time you do a build of your software – vulnerabilities can slip through the cracks and create risk! You also need an end-to-end solution for your development, legal and security teams to set and manage policy for use of open source and third-party software.
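The two ideas above, knowing which components are in each build and alerting on the ones with known vulnerabilities ranked by risk exposure, reduce to a small matching routine. The following is an added example, not code from Flexera or FlexNet Code Insight: it takes a constructed build inventory and a constructed advisory feed (all component names, advisory ids and scores are made up; the ids are placeholders, not real CVEs), reports which components fall inside an advisory's affected version range, sorts the hits by score, and names the version to upgrade to. Real tooling replaces the inline lists with the build's lock file and a live vulnerability database.

```python
"""Added example: match a build inventory against a vulnerability feed and
rank the exposures. Inventory, feed, ids and scores are all constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Component:
    name: str
    version: str


@dataclass(frozen=True)
class Advisory:
    advisory_id: str       # constructed placeholder, not a real CVE id
    component: str
    introduced: str        # first affected version (inclusive)
    fixed: Optional[str]   # first fixed version (exclusive); None = no fix yet
    score: float           # severity on a 0-10 scale (constructed)


# Constructed build inventory, standing in for a lock file or SBOM.
INVENTORY = [
    Component("examplelib", "1.2.3"),
    Component("netparse", "0.9.0"),
    Component("jsonutil", "2.4.1"),
    Component("tlsshim", "3.0.0"),
]

# Constructed advisory feed, standing in for a vulnerability database.
FEED = [
    Advisory("ADV-0001", "examplelib", "1.0.0", "1.2.5", 9.8),
    Advisory("ADV-0002", "netparse", "0.8.0", "0.9.0", 7.5),   # fixed in 0.9.0
    Advisory("ADV-0003", "jsonutil", "2.0.0", None, 5.3),      # unfixed
    Advisory("ADV-0004", "examplelib", "1.2.0", "1.2.4", 4.0),
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.2.10' into (1, 2, 10) so versions compare numerically,
    not as strings (where '1.2.10' < '1.2.9')."""
    return tuple(int(p) for p in v.split("."))


def is_affected(component: Component, adv: Advisory) -> bool:
    """True when the component's version lies in [introduced, fixed)."""
    if component.name != adv.component:
        return False
    v = parse_version(component.version)
    if v < parse_version(adv.introduced):
        return False
    return adv.fixed is None or v < parse_version(adv.fixed)


def find_exposures(inventory: List[Component],
                   feed: List[Advisory]) -> List[Tuple[Component, Advisory]]:
    """Every (component, advisory) pair that applies, highest score first,
    so the alert list is already ordered by risk exposure."""
    hits = [(c, a) for c in inventory for a in feed if is_affected(c, a)]
    hits.sort(key=lambda h: h[1].score, reverse=True)
    return hits


def recommended_upgrade(component: Component,
                        feed: List[Advisory]) -> Optional[str]:
    """Lowest version that clears every advisory affecting this component,
    i.e. the highest 'fixed' version among them; None if any is unfixed."""
    applicable = [a for a in feed if is_affected(component, a)]
    if not applicable:
        return component.version
    if any(a.fixed is None for a in applicable):
        return None
    return max((a.fixed for a in applicable), key=parse_version)


if __name__ == "__main__":
    for comp, adv in find_exposures(INVENTORY, FEED):
        fix = recommended_upgrade(comp, FEED) or "no fixed version yet"
        print(f"[{adv.score:>4}] {comp.name} {comp.version}: "
              f"{adv.advisory_id} -> upgrade to {fix}")
```

Running it flags examplelib 1.2.3 twice (with 1.2.5 as the single upgrade that clears both advisories), flags jsonutil with no fix available, and correctly leaves netparse 0.9.0 alone because 0.9.0 is the fixed version, not an affected one. That last case is where hand-rolled string comparison of versions goes wrong and produces both false alerts and missed ones.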
FlexNet Code Insight manages open source software vulnerability risk and license compliance by automating the full process, including the request-to-use OSS and third-party code, scanning and reconciliation of actual to requested content, production of compliance documents and ongoing vulnerability scanning and intellectual property alerts. Its robust compliance library includes over 13 million open source components and over 2.5 million automated detection rules as well as integrated request and authorization workflow.
Software Vulnerability Management
Software Vulnerability Management is the integration of security processes and policies with software acquisition, development, administration and IT operations practices to reduce vulnerabilities and mitigate exposures, before you get hacked.
The gap between when vulnerabilities are disclosed and when they are identified and fixed in applications creates a risk window that hackers can exploit, which leads to costly breaches.
Flexera’s Software Vulnerability Management solutions protect your business by closing this risk window. They help IT Security, IT Operations, and Development teams collaborate to:
- Create effective software vulnerability management and security patch management processes that mitigate security risk.
- Identify Open Source Software in your code and assess the associated security risk.
- Track vulnerability intelligence to effectively mitigate the risk of exploitation and its consequences.
Open Source License Compliance
Leading organizations have effective open source software license compliance policies in place at each phase of the software development life cycle process. Selecting the best, most secure code for your needs is essential, but with more than a million open source projects to choose from, that’s not fast or easy. FlexNet Code Insight can help.
FlexNet Code Insight’s special-purpose search engine is optimized for analysis of source and binary files. Users get accurate and timely results whether the requirement is a quick search for top-level issues or a detailed analysis. Its detection of open source software is based on a comparison of the target code base with the contents of the Compliance Library, a large database of continuously updated open source projects including version and license information.
Developing an Open Source Security Strategy
It is the responsibility of security, development and IT teams to ensure that their developers use processes that produce secure software. Working together, these three departments can effectively insert application security for open source into the overall security strategy by:
- Conducting pre-deployment code-level security reviews and penetration tests for their internally developed code
- Insisting that code-level audits be conducted by outsourced development and business partners
- Ensuring that all other third-party code included in their software applications is identified and tracked for security flaws and updated version information
- Ensuring that internally developed applications have adequate checkpoints that enable a thorough audit trail
Development organizations must continue to acquire the high level of security expertise required. They must also identify processes for producing secure software, adopt them, and consistently use them when they produce, enhance, maintain, and rework the software supporting a strong application infrastructure.
Find out more…
To find out more about improving open source security in your organisation using FlexNet Code Insight please complete the form below.