As open-source adoption grows, so do security risks
May 4, 2012
Open-source adoption is growing, but with that growth comes greater risk, according to several leading companies that supply open-source licensing and maintenance software. Some open-source applications have been updated for years to account for new security threats, but companies, for various reasons, have not internally updated their software stacks, leaving them vulnerable.
Security threats in open-source software have many layers, according to Mahshad Koohgoli, CEO of Protecode. Vulnerabilities present themselves in components that do not have user interfaces, leaving them largely invisible to the user, he said. Additionally, it is up to the company to ensure monitoring of communities and public databases, like the National Vulnerability Database run by the Department of Homeland Security, to be aware of the newest patches and bug fixes. This, he said, is most effectively done by maintaining a good record of open-source components (or a “bill of materials”) used in company software products.
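The practice Koohgoli describes, keeping a bill of materials of the open-source components in a product and checking it against a public vulnerability database, can be automated once the inventory exists. The following is an added example, not code from Protecode or any of the companies quoted; the component names, versions, advisory identifiers and "latest upstream release" data are all constructed placeholders, and the advisory feed is a simplified stand-in for NVD records (NVD expresses affected versions through CPE match data, which is richer than the single "introduced / fixed" range used here). It shows the two checks a bill of materials enables: which recorded components fall inside an advisory's affected range, and which components lag behind the version the upstream community has already released.

```python
"""Added example: auditing a bill of materials (BOM) against a vulnerability feed.

All components, versions, advisories and upstream release data below are
constructed for illustration. Advisory identifiers are placeholders, not CVEs.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Component:
    name: str
    version: str


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # placeholder identifier, not a real CVE number
    component: str
    introduced: str    # first affected version (inclusive)
    fixed: str         # first fixed version (exclusive); "" means no fix published


def parse_version(v: str) -> Tuple[int, int, int]:
    """Turn '2.10.0' into (2, 10, 0) so comparison is numeric, not lexical.

    A plain string comparison would rank '2.10.0' below '2.9.0' and misreport
    an already-patched component as vulnerable; numeric tuples avoid that.
    Missing trailing fields are padded with zeros so '1.2' == '1.2.0'.
    """
    parts: List[int] = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def is_affected(comp: Component, adv: Advisory) -> bool:
    """True when the component's version lies in [introduced, fixed)."""
    if comp.name != adv.component:
        return False
    v = parse_version(comp.version)
    if v < parse_version(adv.introduced):
        return False
    if adv.fixed and v >= parse_version(adv.fixed):
        return False
    return True


def audit_bom(bom: Iterable[Component], feed: Iterable[Advisory]) -> List[Tuple[str, str, str, str]]:
    """Return (component, version, advisory id, fix version or 'no fix') for each hit."""
    findings = []
    for comp in bom:
        for adv in feed:
            if is_affected(comp, adv):
                findings.append((comp.name, comp.version, adv.advisory_id, adv.fixed or "no fix"))
    return findings


def stale_components(bom: Iterable[Component], latest: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (component, shipped version, latest upstream version) where the
    internal stack lags the version the open-source community has released."""
    stale = []
    for comp in bom:
        upstream = latest.get(comp.name)
        if upstream and parse_version(comp.version) < parse_version(upstream):
            stale.append((comp.name, comp.version, upstream))
    return stale


# Constructed sample bill of materials for one product build.
SAMPLE_BOM = [
    Component("libfoo", "1.2.3"),
    Component("parserlib", "2.10.0"),
    Component("crypto-utils", "0.9.1"),
    Component("netlib", "3.1.0"),
]

# Constructed advisory feed; identifiers are placeholders.
SAMPLE_FEED = [
    Advisory("ADV-EXAMPLE-0001", "libfoo", "1.0.0", "1.2.4"),      # hit: 1.2.3 < 1.2.4
    Advisory("ADV-EXAMPLE-0002", "parserlib", "2.0.0", "2.9.0"),   # miss: 2.10.0 >= 2.9.0
    Advisory("ADV-EXAMPLE-0003", "crypto-utils", "0.9.0", ""),     # hit: no fix published yet
    Advisory("ADV-EXAMPLE-0004", "netlib", "3.0.0", "3.1.0"),      # miss: exactly the fixed version
]

# Constructed "latest upstream release" data a team would gather from the projects.
SAMPLE_LATEST = {"libfoo": "1.2.4", "parserlib": "2.10.0", "crypto-utils": "0.9.1", "netlib": "3.2.0"}


if __name__ == "__main__":
    for name, version, adv_id, fix in audit_bom(SAMPLE_BOM, SAMPLE_FEED):
        print(f"VULNERABLE {name} {version}: {adv_id} (fixed in: {fix})")
    for name, shipped, upstream in stale_components(SAMPLE_BOM, SAMPLE_LATEST):
        print(f"OUTDATED   {name} {shipped} -> upstream {upstream}")
```

Run against the constructed data, the audit flags libfoo (a fix exists, so the remedy is an upgrade) and crypto-utils (no fix yet, so the finding needs monitoring rather than a version bump), while the stale check surfaces netlib as behind upstream even though no advisory currently covers it. The parserlib case is the one worth noting for anyone writing this check: string comparison of versions would have produced a false positive there.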
Yet in a recent survey, open-source software provider Sonatype found that out of 2,500 developers, architects and IT managers, only 32% of project teams maintain a detailed record of the open-source components in their software stacks.
Peter Vescuso, executive vice president of marketing and business development at Black Duck Software, and Hal Hearst, senior director of Olliance Group (a Black Duck company), said that this bill of materials is best maintained when someone within the company is assigned ownership, and when the company works with the open-source community.
Vescuso said that by engaging the communities around open-source components, companies can have a better chance of staying on top of updates. He added that some of his clients would say that open-source software is more secure because of the number of times it has been tested and reviewed by countless other developers before making it into the enterprise.
The Sonatype Open Source Software Development Survey also found that only 50% of those surveyed said their company has an open-source policy, said Charles Gold, chief marketing officer of Sonatype.
Hearst said that enterprise IT departments need to work with developers to maintain a strong, cohesive strategy. The strategy may mean working with developers to allow open-source software into the company without restrictions, or in some cases, developers may have a strong feeling toward a particular program, and IT needs to work with that if that is what is best for business objectives, he said.
Gold said that developers, for the most part, take different portions of open-source code and then write their own custom code on top of it. In fact, he estimated that 80% of all applications are built this way.
Koohgoli said the best developers are spending more time changing existing portions of software to fit their needs, rather than creating packages from scratch.
Hearst and Vescuso advised companies to establish a method for determining why they are using open-source components before building their applications.