Tides are changing in the open source world. The growth of open source products and services has reached new highs. Right now, there are more open source projects being rolled out than ever before, and that number is growing rapidly.
With this shift, collaboration between departments is increasing, and the community-driven business model is getting the attention of many businesses. Using an agile development approach and adopting a DevOps culture has presented a new way for solutions to be delivered.
With all this collaboration, and sharing of information, some proprietary application users are questioning the security of open source components. The truth is, the community-based model of open source code actually increases security, giving developers across the globe the ability to create patches and identify holes in a faster way than any proprietary solution can offer.
According to the  2015 Future of Open Source Survey Results from Black Duck Software:
More than 50% of businesses believe open source delivers superior security, leading 67% to refrain from monitoring open source code for security vulnerabilities.
So, if you’re thinking of adopting open source components without a solid review and evaluation strategy, think again!
Consistent monitoring and maintenance, along with version control for each component can make a world of difference when it comes to vulnerabilities. Without an efficient way to choose and evaluate open source software components, the advantages of using that software may be offset. But there’s no need to worry, because organizations that effectively assess security vulnerabilities and resolve issues in a timely manner will almost assuredly gain handsome benefits from open source solutions.
Security threats can be addressed in a myriad of ways, even at the most basic level.
Here are some simple suggestions that can help you keep track of open source code and reduce vulnerabilities:
- Identify your open source usage (what code bases do you have? How are they integrated?).
- Know the development status of your solution, look at its release history, and check how frequently new updates are released.
- Evaluate how quickly you can understand the software, and whether it is acceptable in your ecosystem.
- Check the backward and forward compatibility of each new release.
- Assess the software behaviors with your third-party applications.
- Understand governance across the development cycle, and the level of support the community and the development team offer.
The reality is, many organizations struggle to address common security issues because of budget and resource limitations. Some organizations don’t have a robust security policy in place to access potential flaws and vulnerabilities at all. In most cases, businesses using open source rely on community-wide efforts to fix security flaws.
However, it’s recommended that those businesses who have mission-critical open source software solutions have access to a dedicated team or expert service provider with the capability to respond quickly to possible threats. Time is of the essence, and the difference between having a dedicated resource, and not having one, can be costly.
If you have any specific questions on open source component security and the open source software evaluation process, let us know at [email protected]. We‘ll be happy to talk more about them.
Sonali is a former Happiest Mind and this content was created and published during her tenure.
