Don’t let open source become open sores

October 1, 2020

Open source, as a concept, seems to encapsulate the best of what the internet was intended for—a truly global teamwork-makes-the-dreamwork coding hivemind built on the principle that information should be shared.

It’s a valuable tool for enterprise and amateur coders alike: enterprises make aspects of their code open source, and an aspiring developer on the other side of the world can discover flaws in that code or suggest improvements while simultaneously honing their technical skills. 

Perfect, right?

Of course not. 

The open book of code that makes up open source libraries also means that whoever desires can peruse those pages purely to find — and exploit — vulnerabilities. Open source is full of these proverbial ‘unknown unknowns’. 

The communities running open source code repositories are, of course, aware of this, and leverage the community hivemind to discover weaknesses and turn some of those ‘unknowns’ into ‘knowns’ by releasing crucial ‘patches’. The key for those using this code in their software is applying those patches before the bad actors get in. 

It would be brilliant if the organizations using open source code simply had to turn on auto-update and leave their devices connected to Wi-Fi overnight to apply these patches. 

However, organizations tend to have geological tech stacks that are formed with layers and layers of code from different eras. Each one of those layers could feature tiny pieces of code from dozens of open source libraries. If one of those libraries becomes compromised, would anyone in IT even remember if they used it? Each instance of open source across the whole code stack could turn into an open wound that, left untreated, could fester into a big problem for the whole organization.

Keeping track of the ‘software supply chain’ that forms the code stack is nearly impossible for teams relying on human oversight alone. Just because Hollywood hackers spend Red Bull-fueled nights searching open source libraries for vulnerabilities doesn’t mean the security team can operate 24/7. 
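The layered-stack problem described above, as an added example that is not part of the original post: a constructed, nested dependency manifest is walked so that every path to a library older than its patched release is reported, including the case where one layer has picked up the patch and another, older layer has not. The component names, versions and advisory identifiers are all constructed placeholders; real inputs would come from a lockfile or SBOM and a vulnerability feed.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample manifest: each component -> the libraries it pulls in,
# pinned to a version. Note http-parser appears twice at different versions.
DEPENDENCY_TREE: Dict[str, Dict[str, str]] = {
    "billing-service": {"web-framework": "2.3.1", "legacy-reporting": "0.9"},
    "web-framework": {"http-parser": "1.4.2", "json-lib": "3.0.0"},
    "legacy-reporting": {"http-parser": "1.2.0", "xml-lib": "5.1"},
    "http-parser": {}, "json-lib": {}, "xml-lib": {},
}

# Constructed advisories: library -> (placeholder advisory id, first patched
# version). A real feed would supply the CVE or GHSA identifier.
ADVISORIES: Dict[str, Tuple[str, str]] = {
    "http-parser": ("ADVISORY-PLACEHOLDER-1", "1.4.0"),
    "xml-lib": ("ADVISORY-PLACEHOLDER-2", "5.2"),
}

def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric dotted versions only; pad so '5.1' compares like '5.1.0'."""
    parts = tuple(int(p) for p in v.split("."))
    return parts + (0,) * (3 - len(parts))

def find_unpatched(tree: Dict[str, Dict[str, str]],
                   advisories: Dict[str, Tuple[str, str]],
                   root: str) -> List[Tuple[str, str, str, str]]:
    """Return (path, library, installed, fixed) for every dependency path
    from root that ends at a library older than its patched release."""
    findings: List[Tuple[str, str, str, str]] = []

    def walk(name: str, path: List[str], seen: Set[str]) -> None:
        if name in seen:  # guard against cycles in real manifests
            return
        for child, installed in tree.get(name, {}).items():
            child_path = path + [child]
            if child in advisories:
                _adv_id, fixed = advisories[child]
                if parse_version(installed) < parse_version(fixed):
                    findings.append((" -> ".join(child_path), child, installed, fixed))
            walk(child, child_path, seen | {name})

    walk(root, [root], set())
    return findings

if __name__ == "__main__":
    for path, lib, installed, fixed in find_unpatched(DEPENDENCY_TREE, ADVISORIES, "billing-service"):
        print(f"{path}: {lib} {installed} is below patched release {fixed}")
```

Run against the sample, only the legacy-reporting layer is reported: the same http-parser library is already patched under web-framework, which is exactly the situation a manual inventory tends to miss.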

It’s a widespread issue that needs to be addressed before the tentacular reach of Big Data accelerates beyond the reach of organizations, which may find their data silos are actually about as leak-proof as the White House. Thankfully, awareness is being raised by efforts such as the Open Source Security Foundation (OSSF), which brings leaders from across industries together with the common goal of increasing knowledge, creating guidelines, and delivering solutions that prevent open source security issues.

Though we’ve seen DevOps adoption rise over the last few years to enhance cross-team continuous development efforts, embedding security into that collaborative effort seems to be proving problematic. Not from a tech standpoint. That might be the easier fix. The problem seems to stem from an internal culture stalemate. Dev and Sec simply don’t want to be teaming up to form any kind of common language or goal (though here’s a handy guide to how that might be overcome).

While that’s a problem that needs some innovation and real talk to fix, a number of vendors have stepped up to push security into that DevOps pipeline, offering external DevSecOps tools specifically to tackle open source security (OSS). 

GitHub, perhaps the apogee of the open source community, has developed a suite of tools that automate security detection and deployment (including the reassuringly named ‘Dependabot’) and recently joined the OSSF. Synopsys stands alone in the top right corner of the Gartner Magic Quadrant in the category Gartner calls ‘Application Security Testing’, offering ‘end-to-end’ integration of automated security tools, from training through integration to management. 

HCL Software is named in the ‘visionary’ section of that same Magic Quadrant, and offers an affordable yet robust-sounding tool suite meant to augment the DevOps process called ‘OneTool’. Contrast deploys an ‘Intelligent Agent’ to detect and scan open source libraries within code stacks, enforcing custom policies in real time. WhiteSource is aimed at those who are specifically seeking out open source libraries for development, and, frankly, has the nicest looking website. 

Maybe, if DevOps can find a way to fold security into a loving embrace and truly form the desired DevSecOps, then with that toolkit, auto-update might just be possible after all.
