Open-source software management fails to meet security concerns

[Batu69]

A recent survey suggests that the enterprise is more reliant than ever on open-source, but failing to manage and secure it effectively.

The enterprise's use of open-source components to bolster its own software and systems is rising, but companies are failing to secure and manage it effectively, new research suggests.

 

According to Black Duck's latest 2017 Open Source 360 Degree survey, "the effective management of open-source is not keeping pace with the increase in use."

Released on Thursday, the survey, made up of 819 US and EMEA software developers, IT professionals, security experts, and systems architects, says that in the last year there has been a significant uptake in the use of open-source software with almost 60 percent of respondents saying their organizations make use of open-source community-based development.

 

Cost savings, easy access, and no vendor lock-in systems, as well as the ability to customize code and fix bugs directly all factor into their use of open-source software, and according to 55 percent of those surveyed, open-source software also boosts business innovation.

 

However, there are concerns with relying heavily on open-source components. According to the research, 66 percent of respondents worry about license risk and the loss of intellectual property through using open-source software.

 

In total, 64 percent are also concerned about the exposure of internal applications to exploit through vulnerabilities in open-source code, and 71 percent believe that open-source usage may also expose external apps to exploit.

 

In addition, 61 percent are concerned that development teams may not adhere to internal rules and practices when using open-source software.

To make matters worse, only 15 percent of respondents said their organizations have automated processes in place to manage open-source use, and almost half admitted that their companies have no formal policies in place for selecting or approving open-source software -- which can cause major black spots for security professionals.

 

Only 54 percent of survey respondents said they believed their organizations were in compliance with open-source licensing demands, only 55 percent said they kept informed of known security vulnerabilities, and 44 percent conform to internal open-source security policies.

 

The majority of respondents believe a structured process for review and approval of open source use requests, as well as a white and blacklist of approved and banned open-source components are the most crucial elements of a successful open-source policy.

 

"Companies are using a tremendous amount of open source for sound economic and productivity reasons, but today most companies are not effective in securing and managing it," said Lou Shipley, Black Duck CEO. "Today open-source comprises 80 percent to 90 percent of the code in a modern application and the application layer is a primary target for hackers."

 

"This means that exploitation from known open source vulnerabilities represents the most significant application security risk most organisations face," Shipley added.

 

The full results of the survey will be published on June 22.

Back in April, Black Duck researchers discovered "significant cross-industry risks" in the use of open-source components within financial enterprise apps, with the majority of software containing unpatched open-source bugs and vulnerabilities -- some of which being over four years old. An average of 52 vulnerabilities was discovered per app.

 

Article source

[straycat19]

If you are going to use open source software you can't rely on the community, you have to have your own in-house developers who can modify the software and ensure that it meets or exceeds your security requirements as dictated and verified by your security team.  Some enterprises only use it because they are cheap and have neither developers nor a security team.  In the long term they are betting they can get away with this concept without anything bad happening, like they get hacked, their data stolen, the company  gets fined and sued, and then goes out of business. 

[edwardecl]

Pretty much, the only chance you have of software being secure is if you've done it yourself and you never make the program public that at least prevent hackers using known exploits, not only that your software could even be less secure than a well established system. but if it's not used anywhere else how would hackers know what to exploit in the first place without being detected.

If you use off the shelf software then expect off shelf hacking tools to break it.