Open source software and security

Big Tech basically advised the White House that this kind of software should now be under close watch, as it could pose a potential threat to national security. Kent Walker, who serves as President of Global Affairs and Chief Legal Officer of Google, stated that open-source programs are no longer that secure, which is the direct opposite of how the public has viewed them over the years.

Originally, open-source code was seen as secure because it is transparent, with "many eyes" watching it to detect, analyze, and solve any problems. But Walker argues that while some projects are indeed closely monitored, others barely have anyone or anything overseeing them. National security advisor Jake Sullivan agrees. He described open-source security as a critical national security issue, in a report by The Verge detailing the meeting between the White House and Big Tech.

This news comes after the Biden administration called for the improvement of the United States' cybersecurity infrastructure back in August of last year.

In the wrong yet capable hands, open-source programs can do far more damage than you think. This is actually why numerous developers of these programs have clamored for official regulation for years. There are multiple risks posed by this kind of software, according to Infocyte.

Securing the open source ecosystem. Invite them to design reviews and include them in sessions when high-risk changes are being made. Build a security-first culture. Your organization must do more than just bring developers and security together; it must also ensure that effective security practices are built into everything you do. The best fixes and the best alerting mechanisms in the world cannot resolve poor security practices. The Equifax breach, for example, attributed to vulnerable versions of the open source software Apache Struts, is a case in point.

Since the well-publicized breach in , companies are still downloading the vulnerable versions of the package despite the fact that a patch is available. The patch was also available two months before the Equifax breach and has been issued multiple times since. In DevOps culture, security discussions must happen early and often throughout the software development lifecycle and beyond.

Fortunately there are tools to help you evaluate and provide confidence around the security of the open source software you are using in your applications.

Two tools that provide enterprise-ready end-to-end solutions for managing open source risk are Black Duck and Sonatype Nexus. Note that these solutions are not overnight fixes and will take time to integrate.

There are also free tools for assessing the risks in open source software and containers. Many open source software packages utilize free static analysis scanners and the results are available for everyone to inspect.

You can find them on the project page. Similarly, if you are using Docker containers in your DevOps practice, you can take advantage of Docker Security Scanning results of official images hosted by Docker and use the same technology to scan your own private repository images.
