Open-Source Software Security: How Companies Can Mitigate Cyber Risks Through Strategic Approaches


The open-source idea initially did not inspire much trust in organizations, primarily because of concerns about code quality and security. Sustained promotion of open-source software has led users to understand its importance and even to recognize its advantages over commercial solutions. Today, most companies worldwide use open source, although not all of them do so safely. Only 46 percent of organizations have internal instructions, checklists or guidelines for using OSS, and only about a quarter require secure-development training for their developers [1]. Perhaps it is this lack of awareness that leads most companies to analyze open-source risk only selectively, thereby exposing themselves to cyber attacks. How can this be changed?

How do organizations ensure OSS safety?

International reports show that companies address open-source software security analysis in a limited way. The most common checks performed before adopting a new component are the activity level of the project community (50 percent of responses), the component's direct code dependencies (42 percent), and repository ratings or download statistics (42 percent) [2]. Fewer than 40 percent of organizations look at the frequency of new releases or assess the code with automated tools. In the study conducted by The Linux Foundation, only one in four respondents said they check a project against their company's risk policy.

As Dariusz Świąder, CEO of Linux Polska, emphasizes, the data leaves no room for illusions – most organizations worldwide do not have an appropriate, comprehensive strategy regarding open-source security.

"What is certainly visible in the research is a lack of awareness about risk factors related to organizations' use of open-source software. Companies rarely approach this problem strategically, for example, by implementing appropriate procedures and educating the project team in cybersecurity. When it comes to analyzing a particular component or open-source solution, some risk factors are thoroughly examined, while others are completely ignored. The cause of this approach often lies in financial matters: conducting the analysis independently requires significant time and highly developed skills, which results in high costs. To help organizations conduct a more comprehensive threat assessment, we created SourceMation, a platform that enables rapid and automated analysis of code quality, vulnerabilities of the solution and many other factors that should be considered when studying the risk of open-source software. The platform supports the DevSecOps value chain, providing organizations with valuable information in the process of detailed analysis of the implemented project," adds Dariusz Świąder, CEO of Linux Polska.

Not just code flaws. There are many more risk factors

Experts agree that verifying the safety of open-source software must cover many different aspects, and that ignoring the most important ones exposes the organization to cyber attacks. In addition to standard code analysis, which looks for defects that make the software more vulnerable to attack, the entire project environment must be examined: the possibility of delays in delivering security patches, withdrawal of support by the authors, or no response to zero-day threats. License changes are another significant risk, as they can create incompatibilities or restrict access to the code. Open-source maintainers may at any time decide to relicense or close the code; despite criticism from the open-source community, this does sometimes happen.

The unstable geopolitical situation in the world is also increasingly affecting how open-source software security is verified. Risk analysis should therefore also include the geographical origin of the code and information about its creators. Examining these factors helps protect the organization against, for example, malicious code inserted by foreign actors or an attack on the software supply chain. As Radosław Klewin, Senior Solutions Architect at Linux Polska, points out, comprehensive risk analysis is the only way to ensure the organization's IT security today.

"Beyond identifying potential threats, every company planning to implement an open-source solution should also monitor changes in licenses and thoroughly analyze any weaknesses in the software supply chain. There are many factors, which not only involves a lot of work but can also cause problems with the correct interpretation of the results obtained. That's why, with SourceMation, we decided to implement a simple and clear open-source software risk index that we developed based on the innovative SCARE (Software Component Analysis for Risk Engineering) method of analyzing IT solutions. The SourceMation Index presents the analysis results on a scale of 1-10, taking into account many software attributes, including project load, line count, code style and compatibility, time zone, or the level of technical debt. If there are any problems with interpreting the data, the user can take advantage of our help: SourceMation also includes an Individual Technical Support Center, staffed by experts in open source and IT security," explains Radosław Klewin, Senior Solutions Architect at Linux Polska.
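The checks listed earlier (community activity, direct dependencies, release frequency) and the project-environment risks discussed above (patch delays, withdrawn support, license changes) are the kind of signals a component scorecard can automate. The following is an added example written for this article; it is not code from the original page and has nothing to do with SourceMation, the SCARE method or the SourceMation Index. The component names, dates, thresholds, point weights and the 1-10 scale are all illustrative assumptions, and the license set flagged as "closing the code" is a small constructed list of source-available, non-OSI-approved SPDX identifiers.

```python
"""Added example: a minimal open-source component risk scorecard.

Not the article's or any vendor's method. Thresholds, weights and the
1-10 scale are assumptions chosen to illustrate how the risk factors
named in the text (release cadence, maintenance, bus factor, license
changes, patch latency, dependency surface) can be scored together.
"""
from dataclasses import dataclass
from datetime import date
from typing import List

# Assumption: illustrative set of source-available licenses that are not
# OSI-approved. A switch from an OSI license to one of these is the
# "closing the code" scenario the article warns about.
NON_OSI_LICENSES = {"BUSL-1.1", "SSPL-1.0", "Elastic-2.0"}


@dataclass
class ComponentFacts:
    """Facts about a component gathered from its repository and advisories."""
    name: str
    license_history: List[str]     # oldest -> newest SPDX identifiers
    last_release: date
    last_commit: date
    active_maintainers: int
    direct_dependencies: int
    unpatched_days: List[int]      # days each disclosed vuln stayed unfixed
    end_of_life: bool = False


@dataclass
class Finding:
    factor: str
    points: int
    note: str


def assess(c: ComponentFacts, today: date) -> List[Finding]:
    """Return one Finding per risk factor that fires (weights are assumptions)."""
    findings: List[Finding] = []

    # Release cadence: a stale release line usually means slow security patches.
    release_age = (today - c.last_release).days
    if release_age > 365:
        findings.append(Finding("release_cadence", 3, f"no release for {release_age} days"))
    elif release_age > 180:
        findings.append(Finding("release_cadence", 1, f"last release {release_age} days ago"))

    # Maintenance: abandoned or end-of-life projects will not ship fixes at all.
    commit_age = (today - c.last_commit).days
    if c.end_of_life or commit_age > 365:
        findings.append(Finding("maintenance", 4, "project appears abandoned or end-of-life"))

    # Bus factor: a single maintainer is a single point of failure for support.
    if c.active_maintainers <= 1:
        findings.append(Finding("bus_factor", 2, f"{c.active_maintainers} active maintainer(s)"))

    # License stability: any change needs a compatibility re-check; a move to a
    # non-OSI license is the "code gets closed" case and scores much higher.
    if len(set(c.license_history)) > 1:
        current = c.license_history[-1]
        if current in NON_OSI_LICENSES:
            findings.append(Finding("license", 4, f"relicensed to non-OSI {current}"))
        else:
            findings.append(Finding("license", 1, f"license changed to {current}; re-check compatibility"))

    # Patch latency: vulnerabilities left open for more than 90 days.
    slow = [d for d in c.unpatched_days if d > 90]
    if slow:
        findings.append(Finding("patch_latency", 2, f"{len(slow)} vulnerability(ies) open >90 days"))

    # Dependency surface: every direct dependency is another project to vet.
    if c.direct_dependencies > 50:
        findings.append(Finding("dependency_surface", 1, f"{c.direct_dependencies} direct dependencies"))

    return findings


def risk_score(findings: List[Finding]) -> int:
    """Fold findings into a 1..10 score, 10 being the highest risk (illustrative scale)."""
    return min(10, 1 + sum(f.points for f in findings))


# Constructed sample data (not real projects).
TODAY = date(2024, 6, 1)
HEALTHY = ComponentFacts(
    name="example-http-client", license_history=["Apache-2.0"],
    last_release=date(2024, 5, 10), last_commit=date(2024, 5, 28),
    active_maintainers=6, direct_dependencies=4, unpatched_days=[12, 30],
)
STALE = ComponentFacts(
    name="example-legacy-parser", license_history=["MIT", "BUSL-1.1"],
    last_release=date(2022, 11, 3), last_commit=date(2023, 2, 14),
    active_maintainers=1, direct_dependencies=3, unpatched_days=[200],
)

if __name__ == "__main__":
    for comp in (HEALTHY, STALE):
        found = assess(comp, TODAY)
        print(f"{comp.name}: score {risk_score(found)}/10")
        for f in found:
            print(f"  [{f.points}] {f.factor}: {f.note}")
```

The point of returning individual findings rather than only a number is that a reviewer can see which factor drove the score and decide whether a policy exception is justified; a single opaque index hides exactly the information needed to interpret it. Feeding real data in means pulling release and commit dates, maintainer counts and license history from the repository, and patch-latency figures from the project's advisories.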

Developing a strategy is key to success

How can organizations be persuaded to change their approach to risk analysis when implementing open-source solutions? Research shows that companies that have an OSPO (Open Source Program Office) or a clearly defined OSS strategy take a much more comprehensive and rigorous approach. According to The Linux Foundation report, 61 percent of them test software for security weaknesses before using it (among organizations without a strategy, only 26 percent do), and 70 percent conduct a code review (fewer than half of the companies in the second group do) [3].

Awareness of the rules for using open-source code is also higher. One in three employees of companies without an OSPO or an open-source security strategy does not know how their organization verifies the security of OSS; in companies with a strategic approach, that figure is only 5 percent.

[1] The Linux Foundation, World of Open Source: Global Spotlight 2023

[2] The Linux Foundation, World of Open Source: Global Spotlight 2023

[3] The Linux Foundation, World of Open Source: Global Spotlight 2023

Source: https://managerplus.pl/open-source-a-cyberbezpieczenstwo-strategie-ochrony-przed-zagrozeniami-38185
