Understanding and Managing Open Source Risks

Apr 21, 2020

These days, the tendency is to treat software development as a semi-custom build job. Some parts are prefabricated and come from other sources. The rest is custom-built, in-house or under contract, to provide specific functionality or to capture and enshrine key insights and competitive advantages in executable form.

When prefabricated elements are incorporated into software projects, they will most often be open source. They might involve certain widely used frameworks, such as Bootstrap, AngularJS, Apache, OpenStack and so forth. They may incorporate open source code projects, such as JSON. One might even see various kinds of containers used as wrappers, including familiar names such as Docker and Kubernetes.

Most modern programmers reach for these kinds of things the same way a mechanic or plumber reaches for a hammer or a wrench. They’re simply familiar tools, well understood and fit for a variety of purposes that programmers understand extremely well.

But what programmers, IT management, executive staff, and even shareholders may not understand is that such conveniences also carry risks. And, just like other risks, those that open-source frameworks, libraries, and code may pose must be identified, understood and carefully managed.

Surveying the Code: What’ve You Got?

The first step in managing risks of any kind is taking stock of the risks you face and understanding what kinds of threats they can pose. Good tools can automate the discovery of open source components used in an application, producing a comprehensive list and providing information about risks and exposures they bring along with them.

Through careful review of such findings, exposure to certain risks can then be remediated. This might involve upgrading from an out-of-date or obsolete version of open source code that includes well-known vulnerabilities, with exploits to match. It might involve patching or updating a current version to make sure it incorporates all security fixes available to address known vulnerabilities. It should also include licensing checks, to make sure the organization using the open-source components is doing so validly and legally.

Working from Certain Knowledge

Some software analysis tools include composition analysis as part of their capabilities. This kind of analysis examines a code base and documents all open source components it finds. It should also report on known vulnerabilities in such components from the NIST National Vulnerability Database, MITRE’s Common Vulnerabilities and Exposures (CVE) database and so forth.

Most important, a composition analysis should produce an inventory of open source components. This provides important code management insights so that organizations can better manage their code libraries. This lets them check for updates, track versions, and receive automatic obsolescence reports. In short, proper code and risk analysis of open source components not only identifies sources of risk, but also helps organizations take steps to avoid or mitigate such risks.
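The inventory, known-vulnerability and licensing checks described in the two sections above, condensed into one small composition-analysis pass. This is an added example and not Kiuwan code; the manifest, the advisory table (with placeholder advisory ids, not real CVE numbers), the license map and the allow list are all constructed, where a real tool would query the NVD or a CVE feed and a license database.

```python
"""Minimal software composition analysis: inventory, known-vuln match, license check."""

# Constructed requirements.txt-style manifest (name==version per line).
MANIFEST = """\
requests==2.19.0
pyyaml==5.3.1
widgetlib==1.0.0
"""

# Constructed advisory table: component -> [(fixed-in version, advisory id)].
# Ids are placeholders; a real scanner would pull these from the NVD / CVE feed.
ADVISORIES = {
    "requests": [("2.20.0", "ADV-PLACEHOLDER-1")],
    "pyyaml":   [("5.4",    "ADV-PLACEHOLDER-2")],
}
# Constructed license metadata and the organization's allow list.
LICENSES = {"requests": "Apache-2.0", "pyyaml": "MIT", "widgetlib": "AGPL-3.0"}
ALLOWED_LICENSES = {"Apache-2.0", "MIT", "BSD-3-Clause"}


def parse_version(v: str) -> tuple:
    """Turn '2.19.0' into (2, 19, 0) so comparison is numeric, not lexical.
    Assumes plain dotted-integer versions (no 'rc1' suffixes)."""
    return tuple(int(part) for part in v.split("."))


def parse_manifest(text: str) -> dict:
    """Inventory step: map each component name to its pinned version."""
    inventory = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, version = line.split("==")
        inventory[name.lower()] = version
    return inventory


def analyze(manifest: str) -> list:
    """Return (component, version, finding) triples for out-of-date components
    with a known advisory and for licenses outside the allow list."""
    findings = []
    for name, version in parse_manifest(manifest).items():
        for fixed_in, adv_id in ADVISORIES.get(name, []):
            if parse_version(version) < parse_version(fixed_in):
                findings.append((name, version, f"{adv_id}: fixed in {fixed_in}"))
        lic = LICENSES.get(name, "UNKNOWN")  # unknown license is itself a finding
        if lic not in ALLOWED_LICENSES:
            findings.append((name, version, f"license {lic} not on allow list"))
    return findings


if __name__ == "__main__":
    for component, version, finding in analyze(MANIFEST):
        print(f"{component} {version}: {finding}")
```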

Putting Open-Source Insights to Work

Proper source code analysis provides results from its scans within minutes of starting work. Such tools can be run on a one-shot basis as pay-per-use, or they can plug into your integrated development environment (IDE) for continuous scanning and code security with annual or periodic subscription fees. This does more than protect you from open source code risks, though it will cover them quite nicely; it also applies to your custom codebase.

Given that the right insights from code analysis help prevent and mitigate risk, they also support improved integrity and manageability for open source code components. Because organizations can use such tools to identify and manage threats and vulnerabilities, compliance issues and operational risks, those tools offer the means to limit those risks and avoid unpleasant surprises.

Automation also plays a key role in ensuring open-source code security and managing associated risks. If code components are continuously checked and scanned for vulnerabilities and exposures, organizations can take action to mitigate and remediate them as soon as possible. Where remediation advice can be automated, the codebase can take care of itself to a certain extent.

Give Kiuwan Insights a Try

Kiuwan’s Insights source code analysis (SCA) tool provides the foregoing capabilities and more. It also requires no configuration in advance. Further, it’s fully customizable, both visually and conceptually, so your developers and security professionals can make it relevant and productive as they put it to work. Request a free trial, or learn more at Kiuwan’s Insights page.
