August 10, 2016

Taking The Worry Out Of Component Usage

Software development is changing fast, and one of the biggest recent changes is the shift to open source software. Although this change opens up a whole new world of coding possibilities, it also introduces new challenges and problems. What’s the best way to balance its advantages and risks?

Education recently experienced a similar shift. Harvard and MIT launched EdX not so long ago. Its tagline, “Best Courses. Top Institutions. Learn anytime, anywhere,” sums up its mission to increase access to high-quality education for everyone, everywhere. At EdX, everyone is welcome, courses are open 24/7, and there’s no application necessary. Imagine, just 10 years ago, being able to attend Harvard University whenever you wanted without ever having to apply. EdX gives just about anyone with access to the Internet the ability to earn certificates, advance their career or master a subject they’ve always been curious about. When the exclusivity is stripped away, the result is something new, and its very nature is changed.

There was a buzz around the office last summer about Paul Ford’s “What is Code?” This 80,000-plus-word epic consumed a whole issue of Bloomberg Businessweek, and it’s a monumental help to people like me without any background in computing, coding or compiling of any sort. I highly recommend it to anyone interested in how we got here and where we’re going when it comes to code development. It’s full of embedded videos, exercises and even a fun little computer with arms and legs that tracks how long you’ve been reading and lets you jump back to your spot when you leave the page. It makes me wonder about all the code developed behind the scenes just to make a website like that function. Ford says, “Every month it becomes easier to do things that have never been done before, to create new kinds of chaos and find new kinds of order...Every month, code changes the world in some interesting, wonderful or disturbing way.” Research firm IDC estimates there are 11 million professional software developers today and an additional 7 million who do it for fun. That means there are 18 million people out there using any of thousands of programming languages to solve any number of real-world problems.

I hope it’s obvious that software development is too expansive and amorphous to be placed into neat categories like good/bad, safe/vulnerable or open/closed. But to my point: when what was once off-limits becomes accessible, big stuff happens. While it’s usually for the best, sometimes it’s not so good. Like I always say, you’ve got to crack a few eggs to make an omelette. One big shift for the coding community was the advent of the free software movement. The term “free software” morphed into “open source software,” or OSS. At the most basic level, this means that licensed users have access to source code and can change it, improve it or break it as they see fit. Developers work together on projects, and the collaborative nature of the community is its distinguishing characteristic. Usually it starts with an idea, or a problem worth solving with technology. A place like GitHub gives individuals, communities and businesses access to one of the largest open source repositories in the world. This has unleashed tons of easy-to-use features and functionality whose code can snap into existing development projects or be built upon to create something totally new. Open source has given us WordPress, Mozilla Firefox and GIMP, to name a few well-known examples. Almost no one is developing applications completely from scratch anymore, and why would they?

Just as we have to trust EdX to deliver the quality we’d expect from a top-tier university, and Wikipedia editors to catch incorrect or malicious information, we’ve placed a lot of trust in the broader open source community to get it right as well. Remember Heartbleed? This serious vulnerability in a popular open-source library (one meant specifically to shield sensitive information from prying eyes) allowed bad actors access to Social Security numbers, the patient health records of millions of people, and tons of other data you wouldn’t want getting into the wrong hands. This isn’t to say that proprietary software doesn’t have exploitable vulnerabilities too; it certainly does. But the proliferation of open source components gives opportunistic hackers an easy place to start. Development teams often lack a running tally of the OSS components their applications use and, as a result, lose track of updates and security fixes.

Open source development is inclusive and agile, and it has revolutionized software development by unlocking access to a huge open community. The brainpower of open source cultivates innovation, creativity and imagination, multiplied and magnified in a way that no single developer could muster on her own. But it’s also free, and sometimes that means you get what you pay for. Businesses still thrive on the I.P. that is their source code, and others feel that particularly critical data is best protected by proprietary code. Chances are your application portfolio has open-source components as well as custom code. The advent of the printing press didn’t stop people from writing by hand, and I’m pretty sure Oxford is still publishing its Atlas of the World. Open source and closed source are still co-existing just fine, and that probably won’t change anytime soon.

Take the next step: Download the Securosis whitepaper "Putting Security Into DevOps"

Christine is an experienced member of the Business Development team at Veracode. She focuses on uncovering companies who could benefit from Veracode’s cloud-based solutions. Whether large Enterprises or Independent Software Vendors (ISVs), it’s Christine’s job to evangelize the value of application security and support companies in their journey to a secure software portfolio. In her spare time, she enjoys yoga and cycling and loves to see live music at venues around Boston.
