Development teams can easily use a hundred or more different open source libraries, frameworks, and tools along with code snippets copied off the Internet when building an application. Research shows that few organizations have or enforce policies regarding open source software security. This lack of control and code maintenance poses a major threat to enterprises.
In this video, Michael Cobb, the managing director of Cobweb Applications, discusses the risks involved in using open source software and how IT security and development teams can work together to ensure best practices for secure development.
"Despite the Heartbleed flaw and the issues of maintaining critical open source projects, open source is still seen by many as the best approach to producing reliable and secure code," says Cobb.
When an open source project is well run and funded, the code scrutiny is second to none, according to Cobb, who notes that seven code updates are submitted per hour for the Linux operating system. Oracle, IBM, Hewlett-Packard and Samsung are among the 180 enterprises that together contribute more than half a million dollars annually to the non-profit Linux Foundation.
"Many open source projects vital to the security of the Internet have nowhere near this level of funding or developer input," cautions Cobb. Managers should set clear parameters for open source code usage, including the business case, the quality of support forums and documentation, acceptable licenses, and code quality.
Enterprises with mature software security operations often have a board-appointed senior executive who leads the security efforts, according to Cobb, who cites the findings in the Building Security In Maturity Model study. A Software Security Group that manages the development program is another best practice. With this approach, software security is viewed as an integral part of the business and a necessary expense in the organization’s governance processes.
Michael Cobb, CISSP-ISSAP, is a renowned security author with over 20 years of experience in the IT industry. He co-authored the book IIS Security and has written many technical articles for SearchSecurity.com and other leading IT publications. He was formerly a Microsoft Certified Database Manager and a registered consultant with the CESG Listed Advisor Scheme (CLAS).