On this edition of the SecurityIntelligence podcast, we’re tackling the paradox of open source security. Sharing their expertise are Rami Elron, senior director of product management at WhiteSource, and David Marshak, senior offering manager for application security at IBM Security. Both Elron and Marshak are industry veterans with deep knowledge of open source issues, advantages and future trends.
The Paradox of Open Source Security
According to Elron, open source “accelerates productivity in a way that’s impossible with proprietary software.” The caveat is that when vulnerabilities emerge, they’re almost instantly made public, allowing threat actors to easily leverage them in the wild.
The result is a security paradox: Open development and wide implementation streamline the development process, but also pave the way for attackers. With open source now accounting for 80 percent of all code used by companies — up from 30–50 percent just 10 years ago — Elron makes it clear that the accompanying “surge in security vulnerabilities” demands a new approach.
Changing Concerns, Changing Questions
Open source vulnerabilities are gaining publicity, data breaches are on the rise, and data privacy is paramount. For Elron, this challenges organizations’ ability to handle open source security and requires a different mindset to address emerging concerns. He suggests asking some new questions, including:
- Who’s responsible for selecting open source components?
- Who owns responsibility for security?
- Which teams are in charge of integration and use?
- What policies are required to ensure consistent adoption of best practices?
Elron doesn’t pull any punches; the potential risks of open source attacks are “numerous and severe” and include everything from system impact to reputation impact. In particular, he points to the increasing risk of identity theft.
What Is the Future of Open Source?
According to Elron, the future of open source demands special tools and automation processes that work in conjunction with human experts. By sharing the onus for security among various teams, departments and executives; prioritizing defense based on the effective risk of vulnerabilities; and implementing security as early as possible in the development cycle, companies can better defend their networks without losing the benefits of open source alternatives.
The open source paradox isn’t going away. Collaborative code boosts efficiency and functionality but will always come with inherent security risks. To manage emerging open source security issues, companies must immediately begin implementing new strategies.
If you enjoyed listening, don’t forget to subscribe so you never miss a new episode. Please also consider rating the podcast or leaving your feedback on iTunes or wherever you listen.