The Open Source Conundrum

If you’ve read or watched the news at all in the last five years, you know that securing software is challenging. And in today’s world, developers are shouldering a big part of this challenge. Here lies the conundrum. Developers are in the best position to secure code, but security is often not one of their priorities. With the shift to DevOps in recent years, development is all about speed of delivery, which means moving quickly and relying on open source code, and that often comes into conflict with the goals of security. In many cases, this has led to a “patch and pray” model – where organizations patch vulnerabilities when they hear about them, and then pray it wasn’t exploited in the window between discovery and patching. But this doesn’t have to be the case. We can take advantage of open source libraries and move at the speed of DevOps without relying solely on a reactive security model.

However, we do need to acknowledge that open source has changed the security game. Just the sheer numbers are landscape-altering. At SourceClear, we’ve found that most companies have more open source code than internally developed code – in many instances, in fact, the open source share is up to 90 percent. In terms of security, this means that the attack surface has changed dramatically. In this environment, it becomes critical to ask four questions:

1. What open source code are you using? (Hint: It’s more than you think.)

2. Where did it come from? Should you trust it?

3. What does it do?

4. What vulnerabilities are present?

Ultimately, control over what is in your code has changed. Today, you need new security solutions to reduce risk in this new environment.

Join me in person this month to dig further into this problem, and its solutions. I’m hitting the road for our “Open Source Conundrum” roadshow beginning November 27. Find out when I’ll be in a city near you, and stop by to network with peers and get some solid advice on this challenging security issue.

*** This is a Security Bloggers Network syndicated blog from RSS | Veracode Blog authored by [email protected] (mcurphey). Read the original post at: