Open source software (OSS) embodies more than Linux and other commonly used enterprise applications (e.g., SugarCRM, Pentaho, OpenOffice). It’s the thousands of no-name components that are causing open source security concerns. At the heart of most applications today, open source components relieve developers from reinventing the wheel. Why develop software for object-relational mapping when you can use Hibernate? Or write your own compression code when you can use zlib?
Unlike commercially supported OSS operating systems and packaged applications, only one out of every 10 open source projects has a commercial services community supporting it. Development organizations using OSS components are “on their own” when it comes to patches, upgrades, vulnerability assessments and similar tasks that would normally form part of a commercial services contract.
Leading organizations have effective open source software license compliance policies in place at each phase of the software development life cycle process. Selecting the best, most secure code for your needs is essential, but with more than a million open source projects to choose from, that’s not fast or easy. FlexNet Code Insight can help.
FlexNet Code Insight manages OSS license compliance and vulnerability risk by automating the full process, including requests to use OSS and third-party code, scanning and reconciliation of actual against requested content, production of compliance documents, and ongoing vulnerability scanning and intellectual property alerts. Its robust compliance library includes over 12.9 million open source components and over 2.5 million automated detection rules, as well as an integrated request and authorization workflow.
FlexNet Code Insight’s special-purpose search engine is optimized for analysis of source and binary files. Users get accurate and timely results whether the requirement is a quick search for top-level issues or a detailed analysis. Its detection of open source software is based on a comparison of the target code base with the contents of the Compliance Library, a large database of continuously updated open source projects including version and license information.
Developing an Open Source Security Strategy
It is the responsibility of security, development and IT teams to ensure that their developers use processes that produce secure software. Working together, these three departments can effectively insert application security for open source into the overall security strategy by:
- Conducting pre-deployment code-level security reviews and penetration tests for their internally developed code
- Insisting that code-level audits be conducted by outsourced development and business partners
- Ensuring that all other third-party code included in their software applications is identified and tracked for security flaws and updated version information
- Ensuring that internally developed applications have adequate checkpoints that enable a thorough audit trail
Development organizations must continue to build the high level of security expertise this requires. They must also identify processes for producing secure software, adopt them, and use them consistently whenever they produce, enhance, maintain, or rework the software supporting a strong application infrastructure.