Open-source software enables better security for both large and small organizations. It is the foundation of today’s society and is found throughout a modern application stack, from the operating system to networking functions. It’s estimated that around 90% of organizations use open source in some way, according to GitHub’s 2022 Octoverse report.
Open-source software can be examined by everyone, both attackers and defenders. But this does not necessarily give attackers the upper hand. Rather, it offers defenders the chance to lower the cost of defense, boost collaboration and ensure many “eyes” are working together to spot vulnerabilities. Security will always be front of mind for businesses, and open source and its collaborative nature have the power to drive new ways of protecting against evolving security threats.
Prevention is better than cure
Dutch philosopher Desiderius Erasmus famously said that “prevention is better than cure”, and nowhere is that truer than in cybersecurity. Here, the speed and agility of open source come into play.
As more and more organizations use open source, there is a force multiplier effect at work. If several large security teams are reviewing the code of commonly used open-source software, problems are more likely to be anticipated and dealt with. Instead of a single team looking for bugs and exploitable flaws, open source throws the process open to the world: the code is visible to the public, so anyone can find bugs the developers did not notice. Visibility is only a potential, however. The benefit materializes only when someone actually does the reviewing, which is why widely used but thinly staffed projects still need funded, dedicated audits.
As a widely adopted and effective practice, open-source threat intelligence helps businesses identify risks, vulnerabilities and emerging threats so they can safeguard the organization's data assets. For companies choosing open source, this becomes collaborative, with multiple organizations and individuals having a stake in keeping security tight and up to date.
Alongside open source, businesses should adopt further best-practice measures for secure software, such as code review, vulnerability scanning, visibility into the running system and an accurate picture of the attack surface; these are just a few of the ways that code, packages and systems can be evaluated for security. Building on this, bug bounty programs have become a fact of life for large technology companies, offering individuals recognition and compensation for reporting security vulnerabilities and design flaws.
Boosting security with third-party tools
Organizations are optimistic about the security of open-source software development: 77% of respondents believe the security of open-source development will improve by the end of 2023, according to a 2022 Linux Foundation report. Many also believe that their security strategy will be boosted by more intelligent security tools from vendors.
On average, organizations in the report used two to three security testing tools to identify vulnerabilities. Tools based on different techniques add value in different ways (composition analysis, static analysis and dynamic testing each catch classes of problems the others miss), although every additional tool also adds findings that someone must triage. Third-party tools offer scalability and automation potential, with SCA (software composition analysis) tools proving to be the most useful, according to the report, because they identify license issues and known vulnerabilities across a whole portfolio of components and dependencies in a highly automated way.
We also see more organizations using automation, alongside security audits, to reduce their attack surface. Tools that automatically inventory the open-source dependencies in an application record exactly which versions are in use, flag known vulnerabilities and raise alerts when a dependency violates policy. Runtime protection tools can then monitor for, alert on and block attacks that target a vulnerable open-source component in production, so that organizations can act quickly. Using such tools to find vulnerabilities works, and the fix is usually cheap: where a vulnerable dependency has been pulled in, a non-vulnerable version is often already available, so remediation is frequently a version bump.
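To make the dependency check concrete, the following is an added example (not code from the original article or from any SCA vendor) of the core of such a tool: it parses pinned requirements, matches each pin against an advisory feed, and separates findings that already have a fixed version from those that do not. The package names, advisory identifiers and version ranges are all constructed for illustration and do not refer to real software or real vulnerabilities; a real tool would pull the feed from a vulnerability database instead of embedding it.

```python
"""Minimal software composition analysis (SCA) check.

Parses name==version pins, matches them against an advisory list and
reports whether a non-vulnerable version already exists for each hit.
All package names, advisory IDs and versions below are constructed
sample data, not real advisories.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    """One entry of a vulnerability feed (hypothetical, constructed data)."""
    advisory_id: str
    package: str
    introduced: str   # first affected version, inclusive
    fixed: str        # first non-affected version; "" if no fix has shipped


# Constructed advisory feed; the IDs and packages are fictional.
ADVISORIES = [
    Advisory("EXAMPLE-0001", "widgetlib", introduced="1.0.0", fixed="1.4.5"),
    Advisory("EXAMPLE-0002", "parsekit", introduced="0.8.0", fixed=""),
    Advisory("EXAMPLE-0003", "netglue", introduced="3.0.0", fixed="3.2.0"),
    Advisory("EXAMPLE-0004", "widgetlib", introduced="1.4.10", fixed="1.5.0"),
]

# Constructed requirements.txt content for the sample application.
SAMPLE_REQUIREMENTS = """\
widgetlib==1.4.2
parsekit==0.9.0
netglue==3.2.1
logfmt==2.0.0   # no advisory in the sample feed
"""


def parse_version(text):
    """'1.4.10' -> (1, 4, 10): compare numerically, so 1.4.10 > 1.4.2."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_requirements(text):
    """Read exact pins from requirements.txt content; comments and blanks are skipped."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = re.fullmatch(r"([A-Za-z0-9_.-]+)==([0-9][0-9.]*)", line)
        if not match:
            # An unpinned requirement cannot be checked reliably; fail loudly.
            raise ValueError(f"unpinned or unsupported requirement: {line!r}")
        pins[match.group(1).lower()] = match.group(2)
    return pins


def is_affected(version, adv):
    """True if the installed version lies in [introduced, fixed)."""
    installed = parse_version(version)
    if installed < parse_version(adv.introduced):
        return False
    if adv.fixed and installed >= parse_version(adv.fixed):
        return False
    return True


def scan(pins, advisories):
    """Return one finding per advisory that applies to an installed pin."""
    findings = []
    for adv in advisories:
        installed = pins.get(adv.package.lower())
        if installed is not None and is_affected(installed, adv):
            findings.append({
                "advisory_id": adv.advisory_id,
                "package": adv.package,
                "installed": installed,
                "fixed": adv.fixed,
            })
    return findings


def summarize(findings):
    """Split findings into 'bump the version' and 'no fix yet', and apply a
    simple policy: the build is allowed only when no known vulnerability remains."""
    upgrade = [(f["package"], f["installed"], f["fixed"]) for f in findings if f["fixed"]]
    no_fix = [(f["package"], f["installed"]) for f in findings if not f["fixed"]]
    return {"upgrade": upgrade, "no_fix": no_fix, "allowed": not findings}


if __name__ == "__main__":
    report = summarize(scan(parse_requirements(SAMPLE_REQUIREMENTS), ADVISORIES))
    for pkg, have, fix in report["upgrade"]:
        print(f"{pkg} {have}: vulnerable, fixed in {fix} -> upgrade")
    for pkg, have in report["no_fix"]:
        print(f"{pkg} {have}: vulnerable, no fixed release yet -> mitigate or replace")
    print("build allowed:", report["allowed"])
```

Two details matter in practice. Versions are compared as integer tuples, not strings, so 1.4.2 is correctly judged older than 1.4.10 and the second widgetlib advisory does not fire. And a finding with a fix is reported separately from one without, because the first is a routine version bump while the second needs a mitigation decision.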
The development of open-source security
This year has seen moves by governments and Big Tech companies to secure open-source software, with the OpenSSF (Open Source Security Foundation) announcing initiatives to improve open-source security, including a $30 million fund backed by a 10-point plan.
This global focus on security in open source is likely to only increase next year, with organizations facing continued geopolitical risk and attacks on supply chains. There will be an effort by developers to halt these attacks, along with increased collaboration between organizations to boost open-source security.