The Dangers of Open Source Software and Best Practices for Securing Code

More and more organizations are incorporating open source software into their development pipelines. After all, embracing open source products such as operating systems, code libraries, software and applications can reduce costs, add flexibility and help accelerate delivery. Yet open source software can also introduce additional concerns into the development process, chief among them security.

Unlike commercial or proprietary software, open source code bases are not protected from prying eyes. In other words, the very nature of open source is that the code base is available to the world at large, which means flaws, vulnerabilities and other security concerns are discovered and reported. One would hope that this serves as a catalyst to fix those flaws, and in many cases it does. However, disclosed vulnerabilities often go unnoticed, and busy DevOps teams may let them slip through the cracks.

This situation makes open source attractive to those with ill intent as well. Cybercriminals are constantly looking for chinks in the armor of applications, and unpatched, vulnerable open source components may very well be an unintended invitation to intrusion. Since 2004, more than 139,000 vulnerabilities have been disclosed by the National Vulnerability Database (NVD), and that number increases daily.

Simply put, if developers using open source are unaware of newly disclosed vulnerabilities, it is likely that the affected open source components will not be patched, carrying those vulnerabilities into production code.
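The gap the paragraph describes, an inventory of components that nobody has compared against the advisory feed, is exactly what a software composition analysis (SCA) check closes. The following Python script is an added example, not code from the article: it parses a pinned dependency list in requirements.txt form and reports every component whose version falls inside an advisory's affected range. The inventory and the advisories are constructed for the example (the advisory IDs are placeholders, not real CVE numbers), standing in for a lockfile and an NVD/OSV-style feed; versions are compared numerically so that 2.10 correctly sorts after 2.9, a mistake that plain string comparison gets wrong.

```python
"""Match a pinned component inventory against vulnerability advisories.

Added example; the inventory, advisories and IDs below are constructed
stand-ins for a real lockfile and a real NVD/OSV advisory feed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.26.5' into (1, 26, 5) so comparisons are numeric, not lexical.

    Assumes plain dotted integer versions; pre-release tags such as
    '1.26.5rc1' are out of scope for this example.
    """
    return tuple(int(part) for part in version.split("."))


@dataclass
class Advisory:
    advisory_id: str   # placeholder ID, not a real CVE number
    package: str
    introduced: str    # first affected version (inclusive)
    fixed: str         # first patched version (exclusive)
    summary: str


# Constructed inventory, in the shape of a pinned requirements.txt.
INVENTORY = """
# constructed requirements.txt
requests==2.19.1
jinja2==2.11.3
urllib3==1.26.4
cryptography==3.4.8
"""

# Constructed advisories; summaries and version ranges are illustrative only.
ADVISORIES: List[Advisory] = [
    Advisory("ADV-0001", "requests", "2.0.0", "2.20.0", "constructed: credential leak on redirect"),
    Advisory("ADV-0002", "jinja2", "0.0.0", "2.11.3", "constructed: sandbox escape"),
    Advisory("ADV-0003", "urllib3", "1.26.0", "1.26.5", "constructed: header injection"),
]


def parse_inventory(text: str) -> Dict[str, str]:
    """Read 'name==version' lines, ignoring comments and blank lines."""
    components: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        components[name.strip().lower()] = version.strip()
    return components


def is_affected(version: str, adv: Advisory) -> bool:
    """True when introduced <= version < fixed, i.e. the pin is still unpatched."""
    v = parse_version(version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)


def find_unpatched(components: Dict[str, str],
                   advisories: List[Advisory]) -> List[Tuple[str, str, str, str]]:
    """Return (package, pinned version, advisory id, first fixed version) for each hit."""
    findings = []
    for adv in advisories:
        version = components.get(adv.package.lower())
        if version is None:
            continue  # component not in use, advisory irrelevant
        if is_affected(version, adv):
            findings.append((adv.package, version, adv.advisory_id, adv.fixed))
    return findings


if __name__ == "__main__":
    for package, version, adv_id, fixed in find_unpatched(parse_inventory(INVENTORY), ADVISORIES):
        print(f"{package}=={version} is affected by {adv_id}; upgrade to >= {fixed}")
```

Run against the constructed data, the script flags requests 2.19.1 and urllib3 1.26.4 but not jinja2 2.11.3, because the fixed version is the first safe one and is excluded from the affected range. In a real pipeline the advisory list comes from a feed that is refreshed on every build, which is what turns the one-time audit into the continuous awareness the article calls for.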