Adopting open source in the face of fragmentation
Tue 1 Dec 2020 | Lech Sandecki
Open source fragmentation is enabling innovation and efficiency, but also increasing security risks, writes Lech Sandecki, Product Manager at Canonical – the publisher of Ubuntu
In 2020, 99 percent of enterprise codebases contain open source components. Businesses have come to realise that the collective approach of open source toward innovation has incredible benefits, and will help them to integrate technologies such as cloud computing, artificial intelligence (AI), machine-learning (ML), and microservices into their solutions.
But with this goldrush, which has brought a sharp rise in new applications, it’s becoming more difficult to see, or simply to know, how many open source components are involved. This fragmentation is consequently hurting compliance officers, who are unable to keep up with the software supply chain: they are struggling for visibility and cannot keep pace.
The challenge is that the landscape is unrecognisable from just a decade ago. Back then, a much smaller pool of commercial open source vendors licensed their software to customers, understood everything about the code, and dealt with every security patch.
Today, however, the risk landscape has become increasingly fragmented, with many old or unpatched subcomponent versions used in applications. Whilst innovation and efficiency consistently grow on account of fragmentation, so do the security risks.
Need for better security on the rise
Open source is on the rise, and its growth has continued even throughout Covid-19, as developers, in particular, continue to recognise the vast benefits. But these benefits are being undermined by the cybersecurity issues which arise when open source components are not kept up to date or properly maintained. Sonatype recently found that there has been a 430% surge in next-gen cyber-attacks aimed at infiltrating open source software supply chains, revealing a lack of understanding when it comes to open source security.
Nobody could have predicted just how fast the expansion of open source would be, and now comes the growing challenge of adopting it safely and within wider compliance frameworks. For compliance officers and IT teams, there are of course ways to successfully manage the transition securely and effectively.
Adopting open source in ever-changing environments
At the very least, compliance officers should always track the open source components being used. With full visibility and oversight over the process, it is far easier to understand and pinpoint vulnerabilities with accuracy. In manufacturing, businesses have a comprehensive inventory of all the materials and parts needed to make a product. If one is found to be defective, the manufacturer can pinpoint the wider impact immediately.
By adopting a similar approach, enterprises can garner insight into the clutter of open source components that their developers are using. As a result, they can take control of ensuring that their open source components are secure, rather than relying on information from the community.
Many organisations are now turning to automation to help manage the day-to-day side of security. Compliance officers themselves are stretched. Automating core security processes, which will prioritise vulnerabilities, can give time back to compliance officers and security workers, so that they can work on more pressing issues.
Organisations can consequently boost their security posture. Businesses should prioritise integrating automation within the production environment, as this can often seem an easy target to attackers. CI / CD pipelines usually contain a path into production, which is why restrictive access controls based on multi-factor authentication must be implemented.
Officers should also select trusted proxies whenever they can. Good Linux publishers usually have a comprehensive program to review, prioritise, and fix their software packages for vulnerabilities. Although not all open source applications might be covered by default, it is worth checking which open source packages and versions can benefit from security patching, long term support (LTS), or extended security maintenance (ESM).
OS publishers maintain their own databases to track remediation of the latest public vulnerabilities from various sources, including MITRE, NIST NVD, and others. If an open-source provider has these qualities, it is likely you can trust it and make use of these tools through the adoption process.
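As an added illustration of the inventory-plus-publisher-database approach described in the two paragraphs above (example code written for this edit, not Canonical's tooling), the snippet below reconciles a constructed dpkg-style package inventory against a constructed USN-style advisory list, using dpkg's version ordering so that a package at revision 1ubuntu2 is correctly seen as older than the 1ubuntu2.1 fix, and ranks the hits by the publisher's priority. Package versions, advisory ids and priorities are all made up.

```python
# Added example: check a package inventory against a publisher-style advisory
# list using dpkg version ordering. All data below is constructed, not real.
# Constructed inventory in the "name version" shape that `dpkg-query -W` prints.
INVENTORY = "openssl 1.1.1f-1ubuntu2\nlibxml2 2.9.10+dfsg-5\ncurl 7.68.0-1ubuntu2.4\n"
# Constructed advisory feed: package, first fixed version, placeholder id, priority.
ADVISORIES = [
    {"package": "openssl", "fixed": "1.1.1f-1ubuntu2.1", "id": "CVE-0000-0001", "priority": "high"},
    {"package": "curl", "fixed": "7.68.0-1ubuntu2.4", "id": "CVE-0000-0002", "priority": "medium"},
    {"package": "libxml2", "fixed": "2.9.10+dfsg-5ubuntu0.1", "id": "CVE-0000-0003", "priority": "low"},
]
PRIORITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

def _order(c):  # dpkg character order: '~' sorts before everything, even end of string
    if c == "~": return -1
    if c == "" or c.isdigit(): return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):  # port of dpkg's verrevcmp: alternate non-digit and numeric runs
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac, bc = _order(a[i] if i < len(a) else ""), _order(b[j] if j < len(b) else "")
            if ac != bc: return ac - bc
            i, j = i + 1, j + 1
        while i < len(a) and a[i] == "0": i += 1  # numeric runs ignore leading zeros
        while j < len(b) and b[j] == "0": j += 1
        first_diff = 0
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit(): return 1  # the longer numeric run is larger
        if j < len(b) and b[j].isdigit(): return -1
        if first_diff: return first_diff
    return 0

def compare_versions(v1, v2):  # -1, 0 or 1 for [epoch:]upstream[-revision] strings
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, rev = rest.rsplit("-", 1) if "-" in rest else (rest, "")
        return int(epoch), upstream, rev
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    result = (e1 > e2) - (e1 < e2) or _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)
    return (result > 0) - (result < 0)

def parse_inventory(text):  # "name version" lines -> {name: version}
    return dict(line.split() for line in text.splitlines() if line.strip())

def find_affected(inventory, advisories):  # installed below the fix, highest priority first
    hits = [dict(adv, installed=inventory[adv["package"]]) for adv in advisories
            if adv["package"] in inventory
            and compare_versions(inventory[adv["package"]], adv["fixed"]) < 0]
    return sorted(hits, key=lambda h: PRIORITY_RANK[h["priority"]])
```

Running `find_affected(parse_inventory(INVENTORY), ADVISORIES)` on the constructed data flags openssl (high) ahead of libxml2 (low) and leaves curl, which is already at the fixed version, off the list.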
Implementing a DevSecOps culture and cultivating security skills
To stay competitive, businesses are feeling the pressure to deploy new applications, but this should never come at a security cost. This is why every company should embrace DevSecOps, which applies better hygiene to application delivery, by introducing security earlier in the application life cycle and requiring security tests and verification at every step. This approach views security as an integral part of DevOps’ automated CI / CD pipeline, and not just a step at the end of the journey.
A DevSecOps culture, as well as having the right skills in place, will make open source adoption all the smoother. Enterprises will either need to more aggressively develop new security skills internally or look to external organisations that already have these capabilities in place.
Research from digital risk protection specialist Skurio this summer found that 50% of UK firms were looking to outsource security services, while 80 percent had problems with team skills and knowledge. The uptick in cyber incidents and increased security risks mean that it has never been so important for teams to ensure security specialists are in place throughout the adoption process.
Along with great developers, organisations crucially require great compliance officers who can tackle fragmentation head on. It is often overlooked just how fundamental compliance officers are, since ultimately they can make or break the success of open source adoption. A change in skills and culture, to prioritise compliance and security whilst simultaneously allowing developers to run with the innovation involved, will be key to the growth of the industry.