SBN Free Software, But No Free Lunch

“This is a very important issue. Enterprises are not taking necessary precautions,” our SVP of Strategy and Corporate Development, Bill Karpovich, noted when talking about Fortune 100 cybersecurity.

“This is a solvable problem,” he continued, in an interview on Cheddar TV last week.

The revelation? Approximately 30% of the Fortune 100 companies still use the software component responsible for a massive data breach two years ago.

To understand why, Bill explained that today’s software is assembled like Lego building blocks. Up to 90% of manufacturers use open source components. These components provide tremendous benefit and are the foundation of proprietary software – but do come with risk.

“There may be free code, but not a free lunch,” summarized Bill on the potential drawbacks of open source software in the manufacturing process. Our research agrees. 1 in 4 enterprises admitted they experienced a breach, or attempted breach, last year.

To combat malicious actors, manufacturers must introduce cybersecurity practices earlier in the process. “Shifting left” means an open source component is evaluated before it enters a development environment – or at the very least, right from the start. The same component must also be examined and tracked throughout the software’s lifecycle, too.

Network security is important, but no longer the only entry for criminal intent. “The reality is,” said Bill, “the threat surface is the software itself.”

Bill recommends manufacturers embrace two primary defense mechanisms.

  1. Use software tools built to analyze open source software components 24/7. This can stop misbehavior at the door, before a compromised component even enters the enterprise. Software, like our Nexus Platform, automatically tracks components throughout the software lifecycle. Proper monitoring reduces bad parts from entering the software supply chain and identifying parts immediately, if they go bad down the road.
  2. Enterprises must move faster. A bit (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Katie McCaskey. Read the original post at: