5 Techniques to Protect Open Source Software

Open source software brings many benefits to the modern business environment. And, in terms of security, the more developers involved in open source software, the better—arguably, there’s a better overall security foundation if there are more eyes to spot flaws. Even so, software supply chain issues and vulnerabilities around popular open source packages continue to be prevalent concerns.

I recently met with Ian Tien, CEO and co-founder of Mattermost, to understand some general techniques organizations should consider to protect modern open source software. According to Tien, who recently spoke on this subject at Collision Conference, open source shines in resiliency, transparency and value efficiency. Yet, any useful system has its share of vulnerabilities. Below, we’ll look at five ways IT can work to secure its commitment to open source software to create safer end systems and applications.

1. Be Part of the Open Source Community

Organizations have an ethical responsibility to help contribute to the open source projects they consume. Not only that, but there is a business imperative to maintain the integrity of your software supply chain whenever vulnerabilities are spotted.

Thus, if you see something in a project looking loose, it’s important to do the right thing and actively report the issue, said Tien. For example, he recounted how the Mattermost team spent months preparing a coordinated disclosure around significant vulnerabilities the team discovered in Golang. For organizations with the resources to help, being an active open source consumer means helping maintain the safety of the project.

2. Encourage Knowledge Sharing

The power of open source shines when the community works together. Thus, knowledge sharing is integral to cybersecurity practices, where only through coordinated response can many organizations actively respond to critical vulnerabilities and exposures simultaneously. According to Tien, being a good actor in open source is the economically correct thing to do—“the more you give away, the more you keep.”

Furthermore, security knowledge should be dispersed throughout the development life cycle. “I think there is not a single place where security should be within the software development life cycle, but instead, it should be integrated across it,” added Daniel Schalla, head of security at Mattermost. “This aligns with the idea of shift left, where security is integrated early in the life cycle, which increases the chance to spot issues early on, which can decrease remediation cost and overall reduces the risk of introducing vulnerabilities.”

3. Have a Responsible Disclosure Policy

“No system that is useful can ever be fully secure — there’s always going to be vulnerabilities,” said Tien. “You can only move them around.” Since vulnerabilities are an ever-present threat, the best approach is to accept that your platform or application will contain some and streamline the means for third parties to report them.

Therefore, Tien advocates for all software providers, whether startups or enterprises, to have a Responsible Disclosure Policy (RDP). This policy can outline a standard mechanism for security researchers to report bugs. This might take the form of an incentivized bug bounty program or simply outline the best way to disclose threats for those not seeking profit. Regardless, having an RDP is a first step to ensuring that any software consumer can easily report any unknown holes.

“Security vulnerability handling is a lot about collaboration and communication,” said Schalla. “The most important step is to establish a process to follow, and standardize how and what you are communicating to customers.”

4. Know Your Attack Surface

You can’t protect what you don’t know. And unfortunately, most large enterprises have a high degree of tech debt, shadow IT and zombie APIs which may not be fully accounted for. Therefore, to protect all digital holdings, an organization must take a comprehensive account of its potential attack surface and create data flow diagrams, said Tien.

Tien pointed out that the gold standard of security is made up of authorization, authentication and audit. Auditing your surface area is foundational to cybersecurity, and organizations will want to utilize tools to analyze and identify categories of issues, said Tien. Auditing software components is becoming an increasingly important focus as pressure mounts for software vendors to disseminate software bills of materials (SBOMs) to partners.
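As an added illustration of the component-auditing step (example code written for this article, not from Mattermost or Tien), the script below reads a constructed CycloneDX JSON SBOM, de-duplicates components by package URL, tallies them by ecosystem, and flags entries that cannot be matched against vulnerability advisories because they lack a version or purl. The CycloneDX JSON layout and all component values are assumptions made for the sample.

```python
"""Inventory a CycloneDX JSON SBOM and flag components that cannot be audited."""
import json

# Constructed sample SBOM (CycloneDX 1.4 JSON layout); all values are made up.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"type": "application", "name": "example-app", "version": "2.0.0"}},
    "components": [
        {"type": "library", "name": "golang.org/x/net", "version": "0.7.0",
         "purl": "pkg:golang/golang.org/x/net@0.7.0"},
        {"type": "library", "name": "left-pad", "version": "1.3.0",
         "purl": "pkg:npm/left-pad@1.3.0"},
        # No version and no purl: advisory databases cannot be queried for this entry.
        {"type": "library", "name": "legacy-utils"},
        # Duplicate of the first entry, as produced by some multi-module scanners.
        {"type": "library", "name": "golang.org/x/net", "version": "0.7.0",
         "purl": "pkg:golang/golang.org/x/net@0.7.0"},
    ],
})


def load_components(sbom_text):
    """Parse the SBOM text and return its component list, rejecting other formats."""
    doc = json.loads(sbom_text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return doc.get("components", [])


def audit_sbom(sbom_text):
    """Return unique purls, a per-ecosystem count, and findings that need follow-up."""
    seen, findings, by_ecosystem = set(), [], {}
    for comp in load_components(sbom_text):
        name, version, purl = comp.get("name"), comp.get("version"), comp.get("purl")
        if not version or not purl:
            findings.append(f"{name}: missing version/purl, cannot be matched against advisories")
            continue
        if purl in seen:
            findings.append(f"{purl}: duplicate entry")
            continue
        seen.add(purl)
        ecosystem = purl.split(":", 1)[1].split("/", 1)[0]  # purl scheme is pkg:<type>/...
        by_ecosystem[ecosystem] = by_ecosystem.get(ecosystem, 0) + 1
    return {"unique": sorted(seen), "by_ecosystem": by_ecosystem, "findings": findings}


if __name__ == "__main__":
    report = audit_sbom(SAMPLE_SBOM)
    print(json.dumps(report, indent=2))
```

Entries listed under "findings" are the parts of the attack surface that the SBOM claims to cover but that no scanner can actually check, which is where the inventory gap lies.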

5. Use a Fully Contained SecOps War Room

A limited few must coordinate a quick remediation response when a vulnerability is discovered within an open source package. This could be to fix a bug or to issue a disclosure report to a consumer base. In these high-stress situations, the last thing a team needs is a breach of privacy, said Tien. As such, he advocated for security researchers’ use of a fully contained security operations “war room” to conduct their coordination.

“There should be a black tent you can put out, and only you and the people you chose can go under the tent to hear what you have to say,” said Tien. Such a self-hosted encrypted war room would be the ultimate “tin foil hat” to ensure that no man-in-the-middle or AI scanner is picking up confidential information, he said. Sometimes, security researchers may literally be dealing with nation-state-level security secrets, amplifying the need for discretion.

Whereas some security operations teams may seek to meet in person, the recent trend toward remote work has certainly shifted the need for a digital war room for incident management. “When you need it, you can have total privacy and control on your own terms,” said Tien. Another benefit is that such a setup can loop in remote, globally distributed researchers on the same dashboard.

Reasons To Protect Open Source

The strategies above only scratch the surface of what it takes to secure open source software. At the end of the day, we can reduce the number of vulnerabilities present within open source packages—but we cannot eliminate them all. “The number of things people can trust without fail is decreasing,” said Tien.

That being said, there are ways software providers can navigate the never-ending barrage of new exploits. One way is by reinforcing their commitment to the open source software community through increased security awareness and reporting. This commitment really is becoming non-negotiable since 90% of enterprise IT leaders are using open source. Open source packages are also extensively leveraged in cloud-native architecture.

And although the effort to conduct security research and prepare a disclosure may seem extensive and lack a direct business benefit, the bigger picture is so great that it makes sense, as Tien described. Contributing to open source security can differentiate a company in the marketplace and showcase additional value to customers, he said.

Bill Doerrfeld

Bill Doerrfeld is a tech journalist and analyst based in Seattle. His beat is cloud technologies, specifically the web API economy. He began researching APIs as an Associate Editor at ProgrammableWeb, and since 2015 has been the Editor at Nordic APIs, a high impact blog on API strategy for providers. He loves discovering new trends, researching new technology, and writing on topics like DevOps, REST design, GraphQL, SaaS marketing, IoT, AI, and more. He also gets out into the world to speak occasionally.