As more and more companies rely on open source components in their software, securing these components becomes increasingly important.
This was the premise of a Google event today in which open source experts highlighted the many issues in securing open source software. The discussion also covered what companies should prioritize and what steps they can take to improve the overall state of open source security, according to Dark Reading.
Synopsys notes that the average software program relies on at least 500 open source libraries and components, a 77% growth from 298 dependencies in 2 years. More than 75% of the code in the average software application consists of open source libraries and components, 84% of applications have at least one vulnerability, and the average application has 158 vulnerabilities.
In a talk on open source supply chain security, Google software engineer Dan Lorenc advised companies to know what they are using. He acknowledged that this step may seem obvious, but it is not easy, especially once developers start creating and publishing artifacts and combining those artifacts with other artifacts.
When a vulnerability is reported, whether it was introduced unintentionally or maliciously, not knowing what is running in your environment can land you in hot water.
Companies should have a plan for zero-day attacks
Governance and continuous auditing of new dependencies, whether internal or open source, are an effective strategy for safeguarding software.
Lorenc added that this control can also extend to building the components you use yourself, though he noted that this too is a difficult step for most companies. It is hard to verify the contents of a binary package, but it does not have to be all or nothing: the ability to generate and compile the code is part of what open source offers. Knowing that you can build a component from source if needed is half the battle, and it shows that you have control over the code that goes into your applications.
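As an added illustration of the "know what you are using" advice and the dependency-auditing point above (example code written for this page; it is not from Lorenc, Google, Synopsys or any tool they mention), the script below builds an inventory from a pinned lockfile, checks each dependency against a governance allowlist of reviewed packages and versions, and verifies the digest of the downloaded artifact against the digest recorded at review time. The package names, the lockfile, the allowlist and the artifact bytes are all constructed for the example.

```python
"""Added example (not from the article, Google or Lorenc): a minimal
dependency inventory and audit. All package names, the lockfile, the
allowlist and the artifact bytes below are constructed for illustration."""
import hashlib
import hmac
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Dependency:
    name: str
    version: str
    sha256: str  # digest recorded in the lockfile when the artifact was reviewed


# One pinned entry per line: name==version --hash=sha256:<64 hex chars>.
# Unpinned or unhashed lines are rejected, so the inventory is always exact.
LOCK_LINE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>\S+)\s+--hash=sha256:(?P<digest>[0-9a-f]{64})$"
)


def parse_lockfile(text):
    """Build the inventory ("what are we using?") from a pinned lockfile."""
    deps = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LOCK_LINE.match(line)
        if m is None:
            raise ValueError(f"unpinned or malformed lock line: {line!r}")
        deps.append(Dependency(m["name"].lower(), m["version"], m["digest"]))
    return deps


def audit(deps, allowlist, artifacts):
    """Return (kind, name, version) findings for every dependency that has not
    been reviewed or whose downloaded bytes differ from the reviewed digest."""
    findings = []
    for d in deps:
        reviewed_versions = allowlist.get(d.name)
        if reviewed_versions is None:
            # A dependency with no governance record at all.
            findings.append(("unreviewed", d.name, d.version))
            continue
        if d.version not in reviewed_versions:
            findings.append(("unreviewed-version", d.name, d.version))
        blob = artifacts.get(d.name)
        if blob is None:
            findings.append(("missing-artifact", d.name, d.version))
            continue
        actual = hashlib.sha256(blob).hexdigest()
        if not hmac.compare_digest(actual, d.sha256):
            # The binary we fetched is not the one that was reviewed.
            findings.append(("digest-mismatch", d.name, d.version))
    return findings


def _sha256(data):
    return hashlib.sha256(data).hexdigest()


# Constructed "downloaded" artifacts, standing in for wheel or tarball bytes.
ARTIFACTS = {
    "alpha-lib": b"constructed artifact bytes: alpha-lib 1.4.0",
    "beta-http": b"constructed artifact bytes: beta-http 2.0.7 (rebuilt upstream)",
    "gamma-new": b"constructed artifact bytes: gamma-new 0.1",
}

# Constructed lockfile. beta-http's recorded digest came from a different
# build, so its downloaded bytes will not match.
LOCKFILE = f"""
# constructed lockfile with review-time digests
alpha-lib==1.4.0 --hash=sha256:{_sha256(ARTIFACTS['alpha-lib'])}
beta-http==2.0.7 --hash=sha256:{_sha256(b'constructed artifact bytes: beta-http 2.0.7')}
gamma-new==0.1 --hash=sha256:{_sha256(ARTIFACTS['gamma-new'])}
"""

# Constructed governance record: packages and versions that passed review.
ALLOWLIST = {"alpha-lib": {"1.4.0"}, "beta-http": {"2.0.6"}}


def run_example():
    return audit(parse_lockfile(LOCKFILE), ALLOWLIST, ARTIFACTS)


if __name__ == "__main__":
    for kind, name, version in run_example():
        print(f"{kind:20} {name}=={version}")
```

Run as a script, it reports beta-http twice (a version that was never reviewed, and a downloaded binary whose digest differs from the reviewed one) and gamma-new once as a dependency with no review record; alpha-lib passes silently. Rejecting unpinned lines at parse time is deliberate: an inventory that tolerates version ranges cannot answer "what exactly are we running?" when a vulnerability is reported.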
Lorenc emphasized that organizations should have plans in place to deal with zero-day vulnerabilities as well as known issues. Zero-day vulnerabilities are the colorful, exciting problems that usually make headlines, and organizations should have a contingency strategy to patch them quickly.
At the same time, older, known vulnerabilities may not get the attention they deserve. These issues are easily overlooked in large organizations that run a variety of environments and systems.