Open-source adoption is growing, but with that growth comes greater risk, according to several leading companies that supply open-source licensing and maintenance software. Some open-source applications have been updated for years to account for new security threats, but companies, for various reasons, have not internally updated their software stacks, leaving them vulnerable.
Security threats in open-source software have many layers, according to Mahshad Koohgoli, CEO of Protecode. Vulnerabilities present themselves in components that do not have user interfaces, leaving them largely invisible to the user, he said. Additionally, it is up to the company to ensure monitoring of communities and public databases, like the National Vulnerability Database run by the Department of Homeland Security, to be aware of the newest patches and bug fixes. This, he said, is most effectively done by maintaining a good record of open-source components (or a “bill of materials”) used in company software products.
Yet in a recent survey, open-source software provider Sonatype found that out of 2,500 developers, architects and IT managers, only 32% of project teams maintain a detailed record of the open-source components in their software stacks.
Peter Vescuso, executive vice president of marketing and business development at Black Duck software, and Hal Hearst, senior director Olliance Group (a Black Duck company), said that this bill of materials is best maintained when someone within the company is assigned ownership, and when the company works with the open-source community.
Vescuso said that by engaging the communities around open-source components, companies can have a better chance of staying on top of updates. He added that some of his clients would say that open-source software is more secure because of the amount of times it has been tested and reviewed by countless other developers before making it into the enterprise.
The Sonatype Open Source Software Development Survey also found that only 50% of those surveyed said their company has an open-source policy, said Charles Gold, chief marketing officer of Sonatype.
Hearst said that enterprise IT departments need to work with developers to maintain a strong, cohesive strategy. The strategy may mean working with developers to allow open-source software into the company without restrictions, or in some cases, developers may have a strong feeling toward a particular program, and IT needs to work with that if that is what is best for business objectives, he said.
Gold said that developers, for the most part, take different portions of open-source code and then write their own custom code on top of it. In fact, he estimated that 80% of all applications are built this way.
Koohgoli said the best developers are spending more time changing existing portions of software to fit their needs, rather than creating packages from scratch.
Hearst and Vescuso advised companies to establish a method for determining why they are using open-source components before building their applications.