The Open Source Conundrum

By Mark Curphey
November 15, 2018

If you’ve read or watched the news at all in the last five years, you know that securing software is challenging. And in today’s world, developers are shouldering a big part of this challenge. Here lies the conundrum. Developers are in the best position to secure code, but security is often not one of their priorities. With the shift to DevOps in recent years, development is all about speed of delivery, which means moving quickly and relying on open source code, and that often comes into conflict with the goals of security. In many cases, this has led to a “patch and pray” model – where organizations patch vulnerabilities when they hear about them, and then pray they weren’t exploited in the window between discovery and patching. But this doesn’t have to be the case. We can take advantage of open source libraries and move at the speed of DevOps without relying solely on a reactive security model.

However, we do need to acknowledge that open source has changed the security game. Just the sheer numbers are landscape-altering. At SourceClear, we’ve found that most companies have more open source code than internally developed code – in many instances, in fact, the open source share is up to 90 percent. In terms of security, this means that the attack surface has changed dramatically. In this environment, it becomes critical to ask four questions:

1. What open source code are you using? (Hint: It’s more than you think.)

2. Where did it come from? Should I trust it?

3. What does it do?

4. What vulnerabilities are present?
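To make the first, second and fourth questions concrete, here is an added example (not code from the original post or from SourceClear) that walks a small constructed dependency graph: it resolves the transitive closure behind two direct dependencies, measures the open source share of the result, and matches pinned versions against a constructed advisory list. All package names, versions and advisories are made up for illustration.

```python
"""Toy software-composition inventory over a constructed dependency graph.

Shows why "what open source are you using" is more than the direct
dependency list, how large the open source share becomes once the graph
is resolved, and how pinned versions are matched against advisories.
Question 3 ("what does it do?") needs code analysis and is not covered.
"""
from collections import deque

# Constructed manifest: package -> (version, origin, dependencies).
# origin is "internal" for first-party code, "oss" for open source.
MANIFEST = {
    "app":       ("1.0.0", "internal", ["webfw", "auth"]),
    "auth":      ("2.1.0", "internal", ["jwt-lib"]),
    "webfw":     ("4.2.0", "oss",      ["http-core", "tmpl"]),
    "http-core": ("1.8.3", "oss",      ["utils"]),
    "tmpl":      ("0.9.1", "oss",      ["utils"]),
    "jwt-lib":   ("3.0.2", "oss",      ["utils"]),
    "utils":     ("1.1.0", "oss",      []),
}

# Constructed advisory feed: package -> versions known to be vulnerable.
ADVISORIES = {
    "tmpl":  {"0.9.0", "0.9.1"},
    "utils": {"1.0.0"},
}


def transitive_dependencies(root, manifest=MANIFEST):
    """Q1: every package reachable from root, not just the direct ones."""
    seen, queue = set(), deque(manifest[root][2])
    while queue:
        name = queue.popleft()
        if name in seen:
            continue
        seen.add(name)
        queue.extend(manifest[name][2])
    return seen


def open_source_share(root, manifest=MANIFEST):
    """Q2: fraction of the resolved dependency set that is open source."""
    deps = transitive_dependencies(root, manifest)
    oss = [d for d in deps if manifest[d][1] == "oss"]
    return len(oss) / len(deps) if deps else 0.0


def vulnerable_packages(root, manifest=MANIFEST, advisories=ADVISORIES):
    """Q4: resolved packages whose pinned version matches an advisory."""
    return sorted(
        name for name in transitive_dependencies(root, manifest)
        if manifest[name][0] in advisories.get(name, set())
    )
```

On this graph two direct dependencies expand to six resolved packages, five of them open source, and the vulnerable template library only appears once the graph is walked.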

Ultimately, control over what is in your code has changed. Today, you need new security solutions to reduce risk in this new environment.

Join me in person this month to dig further into this problem, and its solutions. I’m hitting the road for our “Open Source Conundrum” roadshow beginning November 27. Find out when I’ll be in a city near you, and stop by to network with peers and get some solid advice on this challenging security issue.

Mark Curphey, Vice President, Strategy
Mark Curphey is the Vice President of Strategy at Veracode. Mark is the founder and CEO of SourceClear, a software composition analysis solution designed for DevSecOps, which was acquired by CA Technologies in 2018. In 2001, he founded the Open Web Application Security Project (OWASP), a non-profit organization known for its Top 10 list of Most Critical Web Application Security Risks.
Mark moved to the U.S. in 2000 to join Internet Security Systems (acquired by IBM), and later held roles including director of information security at Charles Schwab, vice president of professional services at Foundstone (acquired by McAfee), and principal group program manager, developer division, at Microsoft.
Born in the UK, Mark received his B.Eng. in Mechanical Engineering from the University of Brighton and his Master’s in Information Security from Royal Holloway, University of London. In his spare time, he enjoys traveling and cycling.