No one wants to be the next Equifax. Just thinking about their company’s name being in a headline along with the words “security breach” is enough to keep CISOs up at night. Much like Fight Club, however, the first rule of data breaches is: You do not talk about security breaches…unless you’re mandated by notification laws like GDPR.
Even though organizations don’t reveal much publicly, their concern is reflected in the amount of money spent to prevent cyber attacks. The 2020 global cyber security market is valued at USD 167 billion, and it’s expected to balloon to USD 326 billion by 2027, which is a 10% compound annual growth rate.
The application security market, a subset of the cyber security market, is poised to grow even faster, at a compound annual growth rate of almost 18% from 2016 to 2025. This makes sense when you consider that applications are consistently a weak point in enterprise security.
As organizations address security concerns in their applications, perhaps even starting with resources such as the OWASP Top Ten, they begin to recognize the pervasiveness of open source software. The percentage of open source software in the code base of proprietary software is rising rapidly, and recent studies confirm that most modern applications have a greater percentage of open source code than proprietary code. Some organizations even estimate that open source code makes up 60-80% or more of their proprietary applications.
Because open source code gives programmers the speed and agility to develop new capabilities, it is not going anywhere. In modern DevOps environments, using open source software allows developers to quickly achieve functionality that might otherwise take them weeks or months to develop. And open source software gives developers greater flexibility at significant savings, as most open source software is distributed freely.
While open source software has numerous advantages, it also comes with risks. At some point, organizations realize they do not have enough visibility into their open source software to adequately identify potential open source vulnerabilities. This is when organizations understand they need a tool that helps them identify open source vulnerabilities.
An open source vulnerability scanner is a tool that helps organizations identify and fix any risks associated with open source software usage. It should address both the open source software in your code base and any dependencies. Once an open source vulnerability scanner finds open source software vulnerabilities, it ideally will help you remediate these risks by suggesting fixes through a patch or update.
Vulnerabilities aren’t the only risk you face when using open source software. You also need to ensure you’re managing your open source licenses. Being noncompliant or having conflicting open source licenses — say an Apache license and a GPL license in the same code base — presents another significant threat when using open source code in your proprietary software. In fact, there have been several high-profile lawsuits over open source license non-compliance.
Managing open source licenses and potential security risks seems straightforward, and many companies attempt to track these manually. Unfortunately, organizations quickly realize that trying to monitor every open source license, library, and dependency is an impossible task and that the only way to gain control over your open source use is with the help of an automated tool.
A good open source vulnerability scanner addresses both vulnerabilities and licenses. So how does it do this?
First, an open source vulnerability scanner scans your software to identify all the open source components in your code base. Knowing the background and pedigree of your open source software is the first step in gaining visibility and control.
Second, an open source vulnerability scanner identifies all the open source licenses in your code base and determines whether they are compatible with one another, are compliant with your organization’s policies, and meet all attribution requirements. Considering that one open source library can have many dependencies, which can each have their own dependencies, being able to automate this task is a huge time saver. It helps reduce your risk by ensuring that legally, you are complying with every open source license in your code base.
Third, an open source vulnerability scanner identifies open source vulnerabilities. Not only that, but a good scanner should be able to suggest a remediation path for those vulnerabilities. Additionally, a scanner should be able to identify whether your software actually calls a problematic library with a known vulnerability, to determine whether that vulnerability is reachable in your software. This feature, called effective usage analysis, helps you cut down the noise of endless alerts by prioritizing the remediation of vulnerabilities that actually impact your software at run time.
Finally, an open source vulnerability scanner should be able to identify outdated open source libraries and automatically suggest an upgrade path.
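As an added example (not code from the original post, and not any vendor's SCA product), the four steps above and the Apache/GPL license conflict mentioned earlier are worked through in Python over a constructed dependency inventory. Every package name, version, license assignment, advisory entry and policy table below is constructed for the illustration; the advisory ids are placeholders, not real CVE numbers, and the import-based reachability check is a coarse stand-in for the call-level effective usage analysis a real tool performs.

```python
import ast
from itertools import combinations

# Constructed direct dependencies of the application (name -> version).
MANIFEST = {"webframe": "1.4.0", "imgtool": "0.9.2"}

# Constructed package catalog: declared license, latest release, own dependencies.
CATALOG = {
    "webframe": {"license": "Apache-2.0", "latest": "1.4.0", "deps": {"fastlog": "2.1.0"}},
    "imgtool": {"license": "GPL-2.0-only", "latest": "1.2.0", "deps": {}},
    "fastlog": {"license": "MIT", "latest": "2.3.1", "deps": {}},
}

# Constructed advisories; the ids are placeholders, not real CVE numbers.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "package": "imgtool", "fixed_in": "1.0.0"},
    {"id": "ADV-EXAMPLE-002", "package": "fastlog", "fixed_in": "2.2.0"},
]

# Assumed organization policy: licenses barred from proprietary code, and
# license pairs the policy treats as conflicting within one code base.
POLICY = {"denied": {"AGPL-3.0-only"},
          "conflicts": {frozenset({"Apache-2.0", "GPL-2.0-only"})}}

# Constructed application source, used for the effective-usage check.
APP_SOURCE = """
import webframe
from fastlog import Logger

app = webframe.App()
log = Logger("app")
"""


def parse_version(text):
    """Turn '1.10.2' into (1, 10, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def resolve_components(manifest, catalog):
    """Step 1: flatten direct and transitive dependencies into one inventory."""
    inventory, pending = {}, list(manifest.items())
    while pending:
        name, version = pending.pop()
        if name not in inventory:  # first occurrence wins, as a lockfile would record
            inventory[name] = version
            pending.extend(catalog[name]["deps"].items())
    return inventory


def check_licenses(inventory, catalog, policy):
    """Step 2: flag licenses denied by policy and conflicting license pairs."""
    licenses = {name: catalog[name]["license"] for name in inventory}
    findings = [f"{name}: license {lic} is denied by policy"
                for name, lic in licenses.items() if lic in policy["denied"]]
    for (a, lic_a), (b, lic_b) in combinations(sorted(licenses.items()), 2):
        if frozenset({lic_a, lic_b}) in policy["conflicts"]:
            findings.append(f"{a} ({lic_a}) conflicts with {b} ({lic_b})")
    return findings


def imported_modules(source):
    """Top-level module names the application imports, read from its AST."""
    modules = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            modules.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            modules.add(node.module.split(".")[0])
    return modules


def check_vulnerabilities(inventory, advisories, source):
    """Step 3: match advisories to installed versions and rank by effective usage.
    Import-based reachability is a coarse stand-in for real effective usage
    analysis, which traces whether the vulnerable code path is actually called."""
    used = imported_modules(source)
    findings = []
    for adv in advisories:
        name = adv["package"]
        if name in inventory and parse_version(inventory[name]) < parse_version(adv["fixed_in"]):
            findings.append({"id": adv["id"], "package": name, "installed": inventory[name],
                             "fix": f"upgrade to {adv['fixed_in']} or later",
                             "priority": "high" if name in used else "low"})
    return sorted(findings, key=lambda f: f["priority"] != "high")  # reachable first


def check_outdated(inventory, catalog):
    """Step 4: components behind their latest release, with the upgrade target."""
    return {name: catalog[name]["latest"] for name, version in inventory.items()
            if parse_version(version) < parse_version(catalog[name]["latest"])}


def scan():
    """Run all four steps over the constructed inputs and return one report."""
    inventory = resolve_components(MANIFEST, CATALOG)
    return {"components": inventory,
            "license_findings": check_licenses(inventory, CATALOG, POLICY),
            "vulnerabilities": check_vulnerabilities(inventory, ADVISORIES, APP_SOURCE),
            "outdated": check_outdated(inventory, CATALOG)}
```

Calling `scan()` returns a report in which `fastlog`, pulled in transitively and imported by the application, carries a high-priority advisory, while the `imgtool` advisory is ranked low because the application never imports it; the license check reports the Apache-2.0 and GPL-2.0-only pair as a conflict under the assumed policy, and the outdated list names the version to move to.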
Open source software presents risks from two main areas: security vulnerabilities and license compliance.
Addressing only security vulnerabilities while neglecting license compliance is like building an armored truck with a convertible top — despite the strength of your armor, you’re still exposed.
When looking for an open source vulnerability scanner, choose one that addresses both security vulnerabilities and licensing compliance to fully mitigate your open source risk. Tools that do both are called Software Composition Analysis or SCA by market research firms such as Gartner and Forrester.
The pace of software development isn’t slowing anytime soon, and open source software is here to stay. In fact, developers rely on the many benefits of open source software. Because of the ever-increasing presence of open source software, organizations need to address the associated risks. Choosing a tool that looks beyond vulnerabilities to include license compliance is the best way to reduce your exposure and secure your applications.