Wednesday, January 6, 2016

Black Duck Software helps companies identify unsafe source code – Dutch IT channel

Companies embrace open source far more readily than they did years ago. Over three quarters of companies run at least some of their processes on open source software. Yet insight into exactly where, and how much, open source the enterprise contains is often missing entirely.

67 percent of companies fail to check their source code properly for vulnerabilities and therefore run unnecessary risks (source: Future of Open Source Software in 2015). That open source code is often not checked for security does not surprise Kevin Bland. Bland is Channel and Alliance Director EMEA at Black Duck Software, a US company that specializes in the security of open source code. “Applications are created from either closed (proprietary) code or open source code. Developers use existing code rather than writing everything themselves.”

Many CIOs and IT staff do not really know where open source code is used within the organization, or what it is used for. Policies to register it properly are often lacking, says Bland. Developers may still know which pieces of source code they use, but a clear overview is missing. “If you want to use a particular piece of open source code, you first have to be sure that it is safe. Without a clear overview or a process for using open source code, components and software are simply introduced without anyone checking beforehand whether everything is safe.”

To illustrate, Bland compares source code to the chassis of a car. “You can build a car around it. But once the car is finished, you do not really know for sure whether the chassis was all right, unless you have a way to measure it or to check afterwards.”

If an organization is not aware of an existing vulnerability in the code, and it sells the application to thousands of customers or millions of online users use it, none of them know they are at risk from that particular leak.

Of course, as a company you can carry out an application penetration test, but according to Bland there are some 100,000 vulnerabilities, and pentesters themselves know only 10 percent of them. A large part of the vulnerabilities is thus publicly reported, but because of the sheer number of reports, much escapes attention. Or as Bland puts it, “Not every leak gets the media attention that Heartbleed did.”

Vulnerabilities

According to Bland, open source is no more or less safe than other software; both types carry risks. The vulnerabilities in open source and closed source are equally serious. “The problem with closed code is simply that you have no control over how and when it will be fixed. You depend on the producers or developers. With open source, you have a whole community.”

Black Duck can locate for clients where open source code is used and which version it is, and it knows in which application or business unit it sits. Known vulnerabilities are then linked to the scanned open source components and reported. “We monitor source code looking for known vulnerabilities that have been reported, drawing on our unique database, the Black Duck Knowledge Base. We discover new leaks. We have access to a database of vulnerabilities that is updated every day. There are 7,500 public communities and forums on the Internet where vulnerabilities are reported.”

Vulnerabilities are found not only in complete programs such as Firefox or a Linux distribution, but more often in a single component that developers have built into their software. OpenSSL is a clear example. Simply updating or upgrading the program itself is therefore not enough to ensure that there are no leaks in the software.

Licenses

The use of open source also carries certain commercial risks, mainly because of the software licenses involved. Widely used in the open source world is the GNU General Public License (GPL). “This means that if you put a piece of GPL code in your product, your product must be made open source, and so it becomes visible to everyone.”

Developers do not look that closely at licensing; they simply put the code into their product, says Bland. But when a piece of GPL code ends up in software you sell, your product is open source. In addition, there is the AGPL license, found especially in cloud services. “If you use GPL code in a cloud environment, you do not make it public, but you do make it available. The AGPL license is used more and more with the rise of cloud environments. The AGPL license basically says that if an open source component is used in software that is distributed, or used remotely in a cloud environment, that product or web application is also open source.” According to Bland, many organizations are not yet aware of this.
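The two risks the article describes, known vulnerabilities hiding in transitively included components such as OpenSSL, and copyleft obligations that depend on how the product is distributed, can both be checked from one inventory of components. The script below is an added illustration and is not Black Duck's code or data: the application, its component names and versions, the advisory list (placeholder ids, not real CVEs) and the licence trigger table are all constructed here. It walks the dependency tree to build a bill of materials, matches each component, including indirect ones, against the advisory list by version, and then reports which copyleft licences are triggered for internal use, shipped binaries, or a cloud (network) service.

```python
"""Toy software-composition check, constructed for this article.
Not Black Duck's code or data: components, advisories and licence rules are made up."""
import re
from dataclasses import dataclass, field


@dataclass
class Component:
    name: str
    version: str
    license: str                       # SPDX-style identifier as declared by the package
    deps: list = field(default_factory=list)


# Constructed advisory list standing in for a vulnerability knowledge base.
# Ids are placeholders, not real CVEs; "affected_below" is the first fixed version.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "component": "openssl", "affected_below": "1.0.1g"},
    {"id": "ADV-EXAMPLE-0002", "component": "utils", "affected_below": "3.0.0"},
    {"id": "ADV-EXAMPLE-0003", "component": "reporting-lib", "affected_below": "1.0.0"},
]

# Copyleft licences and the distribution modes that trigger the source obligation
# as the article describes them: GPL when a binary is conveyed, AGPL also for
# remote (network / cloud) use. Simplified policy table, not legal advice.
COPYLEFT_TRIGGERS = {
    "GPL-2.0": {"binary"},
    "GPL-3.0": {"binary"},
    "AGPL-3.0": {"binary", "network"},
}


def parse_version(v):
    """'1.0.1g' -> ((1, ''), (0, ''), (1, 'g')); numeric parts compare numerically,
    a trailing letter suffix (OpenSSL style) compares after the bare number."""
    parts = []
    for piece in v.split("."):
        m = re.fullmatch(r"(\d+)([a-z]*)", piece)
        if not m:
            raise ValueError(f"unsupported version string: {v!r}")
        parts.append((int(m.group(1)), m.group(2)))
    return tuple(parts)


def flatten(root):
    """Depth-first walk of the dependency tree; returns {name: Component}
    including transitive dependencies, which is where OpenSSL usually hides."""
    bom = {}

    def walk(c):
        if c.name in bom:
            return
        bom[c.name] = c
        for d in c.deps:
            walk(d)

    walk(root)
    return bom


def find_vulnerable(bom):
    """Match every component in the bill of materials against the advisory list."""
    hits = []
    for adv in ADVISORIES:
        comp = bom.get(adv["component"])
        if comp and parse_version(comp.version) < parse_version(adv["affected_below"]):
            hits.append((comp.name, comp.version, adv["id"]))
    return sorted(hits)


def license_obligations(bom, distribution):
    """Components whose copyleft licence is triggered by the distribution mode:
    'none' (internal use), 'binary' (shipped to customers), 'network' (cloud service)."""
    flagged = []
    for comp in bom.values():
        if distribution in COPYLEFT_TRIGGERS.get(comp.license, set()):
            flagged.append((comp.name, comp.license))
    return sorted(flagged)


# Constructed sample application: the web framework pulls in OpenSSL transitively.
SAMPLE_APP = Component("shop-web", "2.3.0", "Proprietary", deps=[
    Component("webframework", "1.4.0", "MIT", deps=[
        Component("openssl", "1.0.1f", "OpenSSL"),
    ]),
    Component("reporting-lib", "0.9.2", "AGPL-3.0"),
    Component("utils", "3.1.0", "GPL-2.0"),
])

if __name__ == "__main__":
    bom = flatten(SAMPLE_APP)
    print("components:", ", ".join(f"{c.name}@{c.version}" for c in bom.values()))
    for name, ver, adv in find_vulnerable(bom):
        print(f"VULNERABLE {name}@{ver}: {adv}")
    for mode in ("none", "binary", "network"):
        print(f"licence obligations when distribution={mode}:", license_obligations(bom, mode))
```

Run as-is, the report flags `openssl@1.0.1f` (reached only through the framework) and `reporting-lib@0.9.2`, shows no licence obligation for purely internal use, flags both the GPL and the AGPL component when a binary is shipped, and flags only the AGPL component for a cloud deployment, which is exactly the distinction the article says many organizations miss.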

Opportunities for Partners

Black Duck can identify such risks for customers. Although the company has not been active in Europe for long, it helps clients, including governments, banks and financial institutions, to understand what code they use. “We help them scan the source code and identify the open source components. We give them the means to find the right code, but we do not fix vulnerabilities in the code for them. That is why our collaboration with partners is so important,” says Bland. Partners can offer this as a service, rewriting the code or closing off the risks in another way. “If a vulnerability is found in a component of your product, you usually cannot simply swap it out. Often the software has to be rebuilt or rewritten.” Nor does Black Duck place service and sales staff in every country. “We are not looking for a broad channel; we want to work with organizations that want to distinguish themselves. We are looking for organizations that are strong both technically and commercially.”

The challenge partners face with their clients is getting them to find out that they have a problem. “The worst problem is not knowing that you have a problem.” Bland again draws a comparison with driving. “If you notice while driving that your brakes are not working, you have a problem. It is better to find out that the brakes do not work before you get in the car. The same goes for software.”

By: Edwin Feldmann
