(In)security in Open Source

Even great approaches to software can have challenges.

The question is how we address them.

Open Source is Massive

Open Source is everywhere

in embedded, mobile and

enterprise computing.

According to the leading

survey of Open Source

market adoption, 43% of

companies find it more

competitive than

alternatives, 43% find it

easier to deploy and 58%

find it has the greatest

ability to scale.

It exists in every sector and

adoption is growing

Reference: Black Duck 2015 Future of Open Source Survey

78%78% of surveyed companies run on Open Source and less than

3% do not use Open Source in any way.

Reference: Black Duck 2015 Future of Open Source Survey

89%89% of surveyed companies said that Open Source impacts the

speed of innovation and improves time to market for new

products.

Reference: Black Duck 2015 Future of Open Source Survey

What’s the catch?

Open Source and Security

There have been significant vulnerabilities discovered in widely

used open source components.

Each was present in applications tested using static and dynamic

tools for years without being detected.

They were disclosed by security researchers conducting manual

code reviews.

This Matters

This Matters

“Through 2020, security and quality defects

publicly attributed to OSS projects will increase

significantly, driven by a growing presence within

high-profile, mission-critical and mainstream IT

workloads.”

Gartner, Road Map for Open-Source Success: Understanding Quality and Security, Mark Driver, 3 March 2014.

This Matters

The DROWN attack left more than 11 million

websites using OpenSSL at risk.

http://thehackernews.com/2016/03/drown-attack-openssl-vulnerability.html

This Matters

IoT breaches expose infrastructure like the recent

hack of a bus arrival information screens in Korea

to display pornography.

http://m.chosun.com/svc/article.html?sname=news&contid=2016042601303

Open Source Security is a big deal

What Do We Do?

There are a lot of process documentation and tooling options

available for Open Source licensing compliance.

We are only starting to see the emergence of similar process

documentation and tooling for Open Source security.

Actually, most companies do not use any yet.

67%67% of surveyed companies said that they do not monitor Open

Source Code for security vulnerabilities

Reference: Black Duck 2015 Future of Open Source Survey

The Community Evolves

This is obviously not an area that can remain neglected for long.

New connected segments that substantially depend on Open

Source like IoT and Smart Infrastructure mean that we cannot

ignore security any longer.

The Community Adapts

The global Open Source community has dealt with improving

processes and tooling before.

The basic approach is to identify the core problems, decide what

needs documenting (processes) and what can be automated

(tooling), and then collaborating to create deliverables.

Improved Security in Open Source is Coming

Projects like the Core Infrastructure Initiative at Linux

Foundation have emerged to both explain key processes and

coordinate funding to address security issues.

Vendors and projects around the world are gradually building

tooling to help with Open Source security analysis and

monitoring.

Will 2017 be different?

Maturity Will Bring Increased Choice

In Open Source license compliance we have a lot of choices

around process documentation or automated tooling.

There is generic process material from FOSS Bazaar, specific

package description material from SPDX, or supply chain

management material from Open Chain. For automated tooling

there are products like the Binary Analysis Tool, Black Duck

Protex or Protocode and community projects like FOSSology.

The same will type of choice will apply to Open Source security.

Improved Security in Open Source is Coming

You can expect the emergence of best practices for generic Open

Source security, specific material to address development

problems, and other material to assist with supply chain

challenges.

On the tooling side you can expect the emergence of a range of

solutions to support requirements. We have already seen the

beginning of this from both security vendors and companies that

traditionally focused on license compliance issues.

Security

Open Source is no safer or

more dangerous than any

other type of software if

used without good

processes and best practices.

However, if good processes

and best practices are

applied, Open Source has

the potential to be more

secure than anything else.

is what you make of it

Open Source has some security challenges

It is still as secure as proprietary software

But it can be substantially better as more best practices emerge

You can be part of the solution