{"id":286520,"date":"2019-12-23T12:02:00","date_gmt":"2019-12-23T12:02:00","guid":{"rendered":"https:\/\/www.smartdatacollective.com\/?p=286520"},"modified":"2019-12-23T19:01:10","modified_gmt":"2019-12-23T19:01:10","slug":"business-security-meets-open-source-code-managing-software-vulnerabilities","status":"publish","type":"post","link":"https:\/\/www.smartdatacollective.com\/business-security-meets-open-source-code-managing-software-vulnerabilities\/","title":{"rendered":"Business Security Meets Open Source Code: Managing Software Vulnerabilities"},"content":{"rendered":"<p>Years ago, when we talked about open source code, we were talking about something that was really only relevant to classic computer geeks \u2013 the ones running their computers on Unix and swapping bits of code on message boards. Times have changed, though, and now open source code is an integral part of how most businesses and just about anyone in the software world does their work. As Bart Copeland, CEO of the open source language tool company ActiveState, explains, <a href=\"https:\/\/www.darkreading.com\/edge\/theedge\/the-truth-about-vulnerabilities-in-open-source-code\/b\/d-id\/1335187\" data-wpel-link=\"external\" rel=\"external noopener noreferrer ugc\">today\u2019s companies have to use open source code<\/a> to stay competitive. But while choosing open source code is important from a competitive perspective, that doesn\u2019t mean it\u2019s a simple or risk-free choice.<\/p>\n<p>One of the serious concerns with using open source code in business application development is that the majority of codebases contain at least some major vulnerabilities, and as soon as a company starts working with one of those codebases, those vulnerabilities become its responsibility. That\u2019s who customers will blame if there\u2019s a data leak and, while hackers often seek to exploit specific vulnerabilities, they aren\u2019t interested in the code qua code. They want a given business\u2019s data. 
So, how should businesses handle this problem?<\/p>\n<p>Faced with open source vulnerabilities, businesses need to take ownership of code vulnerabilities, but there are plenty of tools at their disposal. From predictive analytics to vulnerability databases, businesses already have access to everything they need.<\/p>\n<h2><strong>Predicting Problems<\/strong><\/h2>\n<p>When it comes to cybersecurity, one of the most powerful tools that businesses have at their disposal is predictive analytics, essentially machine learning capabilities that <a href=\"https:\/\/www.smartdatacollective.com\/merging-predictive-analytics-models-and-waf-for-top-tier-security\/\" data-wpel-link=\"internal\">can detect likely threat actors<\/a>, identify vulnerable targets, and quickly test new security fixes and defense strategies. These systems can be merged with more concrete security mechanisms beyond the code, like Web Application Firewalls (WAFs) that monitor network traffic and protect the applications and data therein.<\/p>\n<h2><strong>Databases For Developers<\/strong><\/h2>\n<p>On its own, open source code isn\u2019t safer or more vulnerable than proprietary code. Rather, a major part of what makes open source code such a problem from a developer perspective is that so many people are using it, and that means that when code launches with a major vulnerability, it could end up as part of a wide variety of applications. 
Luckily, because there are so many developers actively using and tweaking open source code, there are also databases specifically for cataloguing <a href=\"https:\/\/enterprisersproject.com\/article\/2019\/10\/cve-common-vulnerabilities-and-exposures-explained-plain-english\" data-wpel-link=\"external\" rel=\"external noopener noreferrer ugc\">common vulnerabilities and exposures (CVEs).<\/a><\/p>\n<p>Any time a developer works on an application, it\u2019s critical that they <a href=\"https:\/\/vuln.whitesourcesoftware.com\/\" data-wpel-link=\"external\" rel=\"external noopener noreferrer ugc\">check a vulnerability database<\/a> to find out if there are any known vulnerabilities in a particular code component and, for those known vulnerabilities, whether there are available solutions. CVE databases use a standardized description method to identify each vulnerability and can connect developers with appropriate patches. Developers also need to regularly check these vulnerability databases, even after they\u2019re done working on a program, to ensure new vulnerabilities haven\u2019t been discovered.<\/p>\n<h2><strong>Automation Offers Advantages<\/strong><\/h2>\n<p>If developers are constantly checking their old code for vulnerabilities, how are they supposed to get anything done? That\u2019s a legitimate question, but one with a ready solution \u2013 automation. Most vulnerability analysis really consists of <a href=\"https:\/\/www.information-age.com\/vulnerability-analysis-and-security-best-practices-for-dsps-123485930\/\" data-wpel-link=\"external\" rel=\"external noopener noreferrer ugc\">automated scans, cross-checks, and updates<\/a> designed to protect the overall system. 
Discovery tools manage the various assets at hand, simplify the process, and can actually halve the total time businesses use on vulnerability management procedures.<\/p>\n<h2><strong>Control Your Code<\/strong><\/h2>\n<p>Many of the most serious data breaches in recent years ultimately stemmed from vulnerabilities in open source code \u2013 take as an example the Equifax breach. Not only did the Equifax breach stem from a basic code vulnerability, but the bigger problem was that the company had left their code untended. The necessary <a href=\"https:\/\/www.wired.com\/story\/equifax-breach-no-excuse\/\" data-wpel-link=\"external\" rel=\"external noopener noreferrer ugc\">patch had been available for about two months<\/a> before the system was hacked. That was a few years ago, but little has changed. Many websites and companies are still operating with unpatched code or vulnerabilities that could easily be eliminated by skilled coders. If these companies don\u2019t act fast, they could face similar blowback to what Equifax endured back in 2017.<\/p>\n<p>Some companies are hoping that they can sidestep some of the vulnerability issues by using new security and cutting off hackers at the pass, but such approaches should be viewed as secondary to vulnerability management. The shift towards containers is one example of this. Yes, <a href=\"https:\/\/www.techtimes.com\/articles\/245949\/20191107\/open-source-vulnerabilities-risk-an-app-s-security-what-s-the-solution.htm\" data-wpel-link=\"external\" rel=\"external noopener noreferrer ugc\">application containers abstract programs<\/a> from their environment in a way that can protect them from certain security risks, but it doesn\u2019t make sense to prioritize container use over patching. 
But containers plus Runtime Application Self-Protection (RASP) plus patching: now that\u2019s substantive security.<\/p>\n<p>Setting aside these many tools, whether a business is using proprietary or open source code, they need to take ownership over that information. Even code from a library is your code and any problems with it will come back to haunt your business, not anyone else &#8211; just ask Equifax. Their name is synonymous with data compromise, and it all could have been prevented with a patch.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Years ago, when we talked about open source code, we were talking about something that was really only relevant to classic computer geeks \u2013 the ones running their computers on Unix and swapping bits of code on message boards. Times have changed, though, and now open source code is an integral part of how most [&hellip;]<\/p>\n","protected":false},"author":518,"featured_media":286521,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"13","_seopress_titles_title":"Business Security Meets Open Source Code: Managing Software Vulnerabilities","_seopress_titles_desc":"When running a business, it's vital to be aware of cybersecurity vulnerabilities. 
Here are some steps you can make to keep your business data secure.","_seopress_robots_index":"","footnotes":""},"categories":[9,13,51],"tags":[],"class_list":{"0":"post-286520","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-smartdata-collective-exclusive","8":"category-security","9":"category-software"},"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/www.smartdatacollective.com\/wp-json\/wp\/v2\/posts\/286520","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.smartdatacollective.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.smartdatacollective.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.smartdatacollective.com\/wp-json\/wp\/v2\/users\/518"}],"replies":[{"embeddable":true,"href":"https:\/\/www.smartdatacollective.com\/wp-json\/wp\/v2\/comments?post=286520"}],"version-history":[{"count":3,"href":"https:\/\/www.smartdatacollective.com\/wp-json\/wp\/v2\/posts\/286520\/revisions"}],"predecessor-version":[{"id":286527,"href":"https:\/\/www.smartdatacollective.com\/wp-json\/wp\/v2\/posts\/286520\/revisions\/286527"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.smartdatacollective.com\/wp-json\/wp\/v2\/media\/286521"}],"wp:attachment":[{"href":"https:\/\/www.smartdatacollective.com\/wp-json\/wp\/v2\/media?parent=286520"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.smartdatacollective.com\/wp-json\/wp\/v2\/categories?post=286520"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.smartdatacollective.com\/wp-json\/wp\/v2\/tags?post=286520"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}