Five Ways to Gain Control of Open Source Software and Improve Security
Open Source Software (OSS) already runs on many enterprise networks, but is often improperly managed or rarely included in enterprise software portfolio or governance programs. That means that OSS can make enterprise networks vulnerable to security risks in a variety of ways.
“Lack of management allows users to avoid updating software to the latest, and generally more secure, version,” explained Andrew Murren, CISSP, CSSLP, Sila Solutions Group, a technology and management consultancy, Arlington, VA. “There is an increased attack surface because of duplication and lack of software asset visibility, as well as duplication of effort through lack of coordination on people and resources.”
Speaking earlier this year at the (ISC)² CyberSecureGov 2016 conference, Murren described the ways to gain control of OSS.
“OSS is software and needs to be managed and maintained similarly to proprietary software,” he explained. “There must be an enterprise-wide position on OSS that has executive leadership approval, and OSS needs to be included in the enterprise’s IT governance processes. Finally, an OSS portfolio should be established and modeled on existing software asset management and governance programs.”
It’s worth the effort to take those steps, noted Murren, given the benefits of OSS like Hadoop, Linux, LibreOffice and SonarQube.
On the security side, OSS offers: the ability to scan source code using static code analysis tools; the potential to reduce attack surface by removing unwanted or unneeded code; and the ability to build from source code so you know exactly what is in the executables.
On the cost side, using OSS can reduce the upfront costs of acquiring software. It also offers the ability to prototype and test before an acquisition decision, and to reduce or eliminate licensing costs.
To attain those benefits, Murren outlined five key activities to gain control of OSS: (1) organize; (2) manage; (3) evaluate; (4) maintain; and (5) review. The following describes each activity in more detail.
Organize—Appoint an OSS portfolio manager; establish an OSS-focused program with appropriate authority, people, and resources; define OSS-focused metrics and reporting requirements; and determine OSS acceptance criteria.
Manage—Maintain inventory of all OSS applications currently in the enterprise; maintain inventory of all OSS components being used by internal developers; maintain a listing of vendor-provided OSS applications and components being used on the enterprise network; and provide a central repository as the sole approved source of OSS software for the enterprise.
Evaluate—Thoroughly test software prior to adding it to the repository; assess the capability of the enterprise to securely use, maintain and support OSS software using internal resources, vendor support and service contracts; and evaluate each application and component against acceptance criteria.
Maintain—Keep the central repository up to date; notify internal users of updates, security announcements and changes to software availability; require the updating or removal of out-of-date OSS; track internal software usage and costs; participate in the OSS development community; and provide ongoing training for internal support staff.
Review—Regularly review software for changes in support by vendor or community, changes in use by internal users, ability to support using internal resources, compliance with industry standards and support for emerging trends and technologies; review and update policies and procedures as appropriate; and conduct periodic quality and security testing.