Cybersecurity: Open source is a double-edged sword

By tracking vulnerabilities regularly, companies can leverage the power of open source software to their strategic advantage.


By Murtaza Bhatia

The use of open source software is on the rise. This is particularly true for startup firms. Indian developers are also contributing in a big way to open-source software development. According to GitHub, more than 7.2 mn of its 73 mn users in 2021 were from India, making it a close third behind the USA (13.5 mn) and China (7.6 mn). GitHub expects to see 10 mn Indian developers on its platform by 2023.

This impact can be seen in India’s software development space too, where a significant percentage of major software service companies and startup firms use open source components to cut costs and reduce the time taken for software development. The fact that there are no licence costs associated is extremely attractive to startup firms.

While open source definitely offers a lot of benefits, it is also vulnerable. This is corroborated by the annual Synopsys Open Source Security and Risk report, which states that 2,097 of the code bases it examined included security and operational risk assessments, and that 81% of those contained at least one vulnerability. The report notes that from an operational risk maintenance perspective, 85% of the 2,097 code bases contained open source that was more than four years out of date.

Despite considerable advances in strengthening open source security, nearly half of the surveyed code bases contained high-risk vulnerabilities. Out of the 2,097 code bases examined, 88% contained outdated versions of open source components. Most often, the teams tasked with applying updates are not aware of the open source vulnerability in their code until an exploit becomes known and organisations scramble to patch quickly.

To mitigate the risks of open source software, we recommend the following:
Maintain an open source inventory: Many entities are not aware of the open source software components they use in their systems. This can be mitigated by using a Software Bill of Materials (SBOM), which lists a complete inventory of the code base (open source components, their versions and known vulnerabilities). An SBOM can also be used to determine whether a company is using any outdated or insecure code.

Scan for vulnerabilities regularly: As the open source ecosystem is vast, it may be difficult to manually track all vulnerabilities and patch them. This can be addressed with the help of automated scanning, which discovers vulnerable components and alerts the company so they can be patched.

Shift Left to improve security of code: Organisations must use the principle of ‘Shift Left’, which means involving security right from the start of the development process. This ensures that developers follow secure coding practices at every step of the process. This can be strengthened with the help of software code scanning tools that help detect deviations or vulnerabilities.

In summary, the power of open source lies with the community. By tracking vulnerabilities regularly using advisories and mapping them against the open source inventory, and using the power of automation to track and fix vulnerabilities quickly, organisations can leverage open source to their strategic advantage.
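The inventory-plus-advisory workflow described in the three recommendations and restated above is simple enough to show end to end. The following script is an added example, not code from the article or from NTT, Synopsys or any scanning vendor: it takes a small SBOM and a small advisory feed, both constructed inline in a CycloneDX-like shape, and maps one against the other to flag components that fall inside an advisory's affected version range, as well as components whose release date puts them past the four-year staleness threshold the report measures. The component names, advisory identifiers and dates are all placeholders; a real run would read the SBOM your build exports and an advisory feed such as the one your scanner consumes.

```python
"""Map an open source inventory (SBOM) against vulnerability advisories.

Added example for illustration only. The SBOM, the advisory feed and the
advisory identifiers below are constructed placeholders, not real
packages or real CVEs.
"""
from datetime import date

# Constructed SBOM in a CycloneDX-like shape: name, version, release date.
SBOM = {
    "components": [
        {"name": "example-http", "version": "2.4.1", "released": "2017-03-10"},
        {"name": "example-json", "version": "1.9.0", "released": "2021-06-01"},
        {"name": "example-xml", "version": "3.0.2", "released": "2022-01-15"},
    ]
}

# Constructed advisory feed. IDs are placeholders, not real CVE numbers.
# Each advisory covers the half-open range [introduced, fixed).
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "name": "example-http",
     "introduced": "2.0.0", "fixed": "2.4.3", "severity": "high"},
    {"id": "ADV-EXAMPLE-0002", "name": "example-json",
     "introduced": "1.0.0", "fixed": "1.8.0", "severity": "medium"},
]


def parse_version(text):
    """Turn '2.4.1' into (2, 4, 1) so versions compare numerically,
    not lexically ('2.10.0' must sort after '2.9.0')."""
    return tuple(int(part) for part in text.split("."))


def is_affected(version, advisory):
    """True if introduced <= version < fixed, i.e. the fix is not yet applied."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def audit(sbom, advisories, today, max_age_years=4):
    """Return one finding per (component, advisory) match and one per
    component released more than max_age_years before `today` (ISO date)."""
    today = date.fromisoformat(today)
    by_name = {}
    for adv in advisories:
        by_name.setdefault(adv["name"], []).append(adv)

    findings = []
    for comp in sbom["components"]:
        # 1. Known vulnerabilities: advisory ranges that contain this version.
        for adv in by_name.get(comp["name"], []):
            if is_affected(comp["version"], adv):
                findings.append({
                    "component": comp["name"], "version": comp["version"],
                    "kind": "vulnerability", "advisory": adv["id"],
                    "severity": adv["severity"],
                })
        # 2. Operational risk: the report's "more than four years out of date".
        age_days = (today - date.fromisoformat(comp["released"])).days
        if age_days > max_age_years * 365:
            findings.append({
                "component": comp["name"], "version": comp["version"],
                "kind": "outdated", "age_days": age_days,
            })
    return findings


if __name__ == "__main__":
    for finding in audit(SBOM, ADVISORIES, "2022-06-01"):
        print(finding)
```

Two design points worth noting. Matching is done by exact component name, which is the weakest part of any real scanner: the same library appears under different names across package ecosystems, so production tooling keys on package URLs or CPE strings rather than bare names. And the version check uses a half-open range, so a component sitting exactly on the fixed version is reported as clean, which is what an advisory's "fixed in" field means.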

The writer is director, Cyber Security Sales, NTT India.
