As open source application and system adoption grows rapidly in the enterprise market, data security has become an increasingly important topic. Companies from financial leaders to retailers are embracing community-based technology, and big data has helped spur the boom.
As many businesses struggle to manage huge datasets from a multitude of sources – including IoT devices – IT leaders have turned to new data management, processing and storage solutions that leverage open source code. CIOs at major global companies rely on open source technologies to run many key segments of their infrastructure.
As of 2015, 78% of companies were running open source software, and by 2017, 96% of commercial applications contained open source code. The 2016 Future of Open Source Survey also found that 65% of companies contribute to open source projects and 59% participate in open source projects to gain a competitive advantage.
In 2006, long before the recent growth in commercial open source adoption, the US Department of Homeland Security established the Open Source Hardening Project to examine the security of open source software. Since its launch, the project has reviewed 250 open source projects and 50 million lines of code. It uncovered roughly one software flaw for every 1,000 lines of code, information that helped the open source community address 7,826 flaws.
What has the increased scrutiny on open source software revealed about its security for businesses?
The fundamental concern business leaders have with open source software is that hackers and cybercriminals have the same access to the publicly available source code as the community of developers who built it. Thus, many leaders believe proprietary applications are more secure. But a greater issue may be how enterprises invest in addressing bugs and vulnerabilities in the code they actually run.
While open source projects often rely on their developer community to pinpoint security flaws and risks, the latest Veracode report showed that only 28% of organizations conduct any form of regular analysis to find out what components are built into their applications. Additionally, some open source projects are small and lack the resources to scan their code for potential security risks. Meanwhile, the U.S.-government-funded Common Vulnerabilities and Exposures (CVE) list added more than 8,000 new entries in 2017.
Ultimately, though, responsibility rests with the business deploying the software or application. The 2016 Future of Open Source Survey found that 50% of companies had no formal selection and approval policy for open source code, and 47% had no formal process to track the open source code they use, limiting their visibility into what they run.
A further issue is that there is simply no standard way of documenting security practices for open source projects. Of the top 400,000 public repositories on GitHub, only 2.4% had security documentation in place. Even when a vulnerability is patched, there is often no way to find and notify every user still running the outdated code.
In some cases, patches are broadly publicized, but businesses using the open source code might not realize they are affected, or may have difficulty finding every instance of the vulnerable component in their environment. The Equifax breach was the product of an Apache Struts vulnerability. Yet a patch for the issue was released months before the breach, and the Equifax team was aware of the fix. They simply were not able to apply the patch across their systems in time.
Equifax isn’t alone in this struggle. More than one-third of companies have no process for identifying, tracking or remediating known open source vulnerabilities, according to the 2016 Future of Open Source Survey.
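A concrete version of the tracking the survey finds missing, as an added example that is not code from the original article or from any vendor or project it mentions: a Python script that inventories the open source components deployed per service from a constructed manifest, matches each component against a constructed advisory list, and reports which services still run an affected version. Package names, versions, the manifest format and the advisory identifiers are all hypothetical; a real check would read the build system's lockfile or an SBOM and a live CVE feed, and use the ecosystem's own version-ordering rules.

```python
"""Minimal software composition check (added example; all data constructed).

Given an inventory of which open source component each service ships, and a
list of advisories with an affected range, list every service that still
carries an affected version. This is the visibility step the survey finds
most organizations lack: without the inventory, the matching cannot happen.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

Version = Tuple[int, ...]


@dataclass(frozen=True)
class Advisory:
    advisory_id: str     # hypothetical identifier, deliberately not a real CVE
    package: str         # group:artifact, hypothetical
    affected_from: str   # first affected version, inclusive
    fixed_in: str        # first fixed version, exclusive


@dataclass(frozen=True)
class Component:
    service: str
    package: str
    version: str


# Constructed advisory feed (hypothetical packages and ranges).
ADVISORIES: List[Advisory] = [
    Advisory("ADV-0001", "org.example:web-framework", "2.0.0", "2.3.32"),
    Advisory("ADV-0002", "org.example:xml-parser", "1.4.0", "1.4.9"),
]

# Constructed inventory: one line per (service, package, version).
MANIFEST = """
# service          package                      version
customer-portal    org.example:web-framework    2.3.20
customer-portal    org.example:xml-parser       1.4.9
billing-api        org.example:web-framework    2.3.34
billing-api        org.example:xml-parser       1.4.2
legacy-reports     org.example:web-framework    2.1.0
"""


def parse_version(text: str) -> Version:
    """'2.3.32' -> (2, 3, 32); '2.3.32-rc1' -> (2, 3, 32, -1).

    A pre-release suffix sorts below the bare release, so a release candidate
    of the fixing version is still reported as unpatched (the safe direction).
    Strings with no leading number (e.g. 'v2.3') are rejected rather than
    silently treated as harmless.
    """
    nums: List[int] = []
    prerelease = False
    for part in re.split(r"[.\-]", text.strip()):
        m = re.match(r"(\d+)(.*)$", part)
        if not m:
            prerelease = True
            break
        nums.append(int(m.group(1)))
        if m.group(2):          # digits followed by letters, e.g. '32rc1'
            prerelease = True
            break
    if not nums:
        raise ValueError(f"unparseable version: {text!r}")
    if prerelease:
        nums.append(-1)
    return tuple(nums)


def version_lt(a: Version, b: Version) -> bool:
    """Compare after zero-padding so 2.3 == 2.3.0 rather than 2.3 < 2.3.0."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def is_affected(version: str, adv: Advisory) -> bool:
    """True when affected_from <= version < fixed_in."""
    v = parse_version(version)
    lo, hi = parse_version(adv.affected_from), parse_version(adv.fixed_in)
    return not version_lt(v, lo) and version_lt(v, hi)


def parse_manifest(text: str) -> List[Component]:
    comps: List[Component] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"bad manifest line: {raw!r}")
        comps.append(Component(*fields))
    return comps


def find_exposed(components: Iterable[Component],
                 advisories: Iterable[Advisory]) -> Dict[str, List[Component]]:
    """Map advisory id -> every deployed component inside its affected range."""
    components = list(components)
    exposed: Dict[str, List[Component]] = {}
    for adv in advisories:
        hits = [c for c in components
                if c.package == adv.package and is_affected(c.version, adv)]
        if hits:
            exposed[adv.advisory_id] = hits
    return exposed


def services_to_patch(exposed: Dict[str, List[Component]]) -> List[str]:
    return sorted({c.service for hits in exposed.values() for c in hits})


if __name__ == "__main__":
    found = find_exposed(parse_manifest(MANIFEST), ADVISORIES)
    for adv_id, hits in found.items():
        print(adv_id)
        for c in hits:
            print(f"  {c.service}: {c.package} {c.version}")
    print("services needing a patch:", ", ".join(services_to_patch(found)))
```

The point of the range check is the part that goes wrong in practice: a component one patch level below the fix is affected, the fix version itself is not, and a release candidate of the fix version is still treated as unpatched. Run against a real lockfile, the same structure tells you which deployments to schedule for patching rather than which advisories exist.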
A director of security and privacy services at Deloitte believes many IT leaders assume open source infrastructure security requires a completely different approach than that for proprietary products. But the same fundamental data security principles apply to both open and closed source applications.
No matter where the code comes from, you need a patching process that addresses security risks promptly. And your IT team must have the capability and know-how to operate the systems they manage.
ISO 27001’s risk management processes cover the people, processes and IT systems involved in securing data. Knowing where your data is stored, how that storage is secured, whether data in transit is encrypted, and whether there is an audit trail for customers’ assets are all critical to security.
Are any of these fundamentals different from those for closed-source applications? While vulnerabilities may be uncovered and patches developed through different channels, the principles of data security remain largely the same.
If the security of your data center is a point of concern, or you’re investigating potential providers, you need to be able to assess whether a provider can ensure your security. How do you know if a data center will address these issues?
Learn how to choose a data center provider that will solve problems and add value by downloading your copy of the whitepaper.