For years, organizations have “checked the box” by doing the minimum to meet security standards like PCI and FS-ISAC, but a rising tide of breaches has caused most auditors to look more seriously at organizations’ security practices, including the security of open source components. Do your developers use open source components? Are you prepared to answer regulators about their safety?
There are several industry regulations and security frameworks that require that you find and patch known vulnerabilities in your applications, including:
As software has become a competitive differentiator for enterprises, so has the pressure on developers to get working code out the door quickly. With this need for speed, creating all code from scratch is simply no longer feasible in many cases. Integrating open source components into the code they are writing has, therefore, become a standard development practice. And rightly so: why reinvent the wheel if you don’t have to? The problem lies with the security of these components and, increasingly, the pressure regulators are putting on enterprises to provide proof of their security.
Restricting the use of components is not the answer; getting visibility into component use is. Unless developers carefully keep track of each open source component they use, companies do not have a list of components and versions. For large, global development teams, tracking open source components becomes particularly unmanageable and unrealistic. For example, when an open source vulnerability is publicly disclosed, security professionals have no way of knowing whether or not their software has been affected. This lack of visibility not only makes it very challenging for security professionals to understand and decrease the risk associated with their applications, but it also raises the chances of failing compliance audits that require known vulnerabilities to be remediated.
The solution? Consider implementing technologies to keep track of which applications are using each component and what versions are being used. This gives your organization an easy way to update a component to the latest version if a vulnerability is discovered. And, ultimately, it keeps developers creating and innovating quickly, without introducing additional risk.
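As an added example (not code from the original post or from any vendor), here is a minimal component inventory that maps each application to the open source components and versions it ships, then answers the "are we affected?" question the post raises when a vulnerability is disclosed. The manifest format, application names, component names and advisory version range are all constructed for illustration, and the version comparison assumes plain dotted numeric versions (a real inventory needs a proper version parser for pre-release tags and the like).

```python
"""Component inventory demo (constructed example, not from the original post)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    version: tuple  # parsed numeric version, e.g. (1, 4, 2)


def parse_version(text):
    """Assumption: versions are plain dotted integers such as '1.4.2'."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_manifest(text):
    """Parse 'name==version' lines (constructed requirements.txt-style format)."""
    comps = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments
        name, ver = line.split("==")
        comps.add(Component(name.strip().lower(), parse_version(ver)))
    return comps


def build_inventory(manifests):
    """Map each application name to its set of components, from {app: manifest text}."""
    return {app: parse_manifest(text) for app, text in manifests.items()}


def affected_apps(inventory, name, introduced, fixed):
    """Return {app: version} for apps shipping `name` with introduced <= version < fixed."""
    lo, hi = parse_version(introduced), parse_version(fixed)
    hits = {}
    for app, comps in inventory.items():
        for comp in comps:
            if comp.name == name.lower() and lo <= comp.version < hi:
                hits[app] = ".".join(map(str, comp.version))
    return hits


# Constructed sample manifests for three hypothetical applications.
MANIFESTS = {
    "billing-api": "requests==2.19.0\nexamplelib==1.4.2\n",
    "portal": "# web frontend deps\nexamplelib==1.6.0\nflask==1.0.2\n",
    "reporting": "examplelib==1.2.9\n",
}

if __name__ == "__main__":
    inventory = build_inventory(MANIFESTS)
    # Constructed advisory: examplelib >= 1.3.0 and < 1.5.0 is affected.
    print(affected_apps(inventory, "examplelib", "1.3.0", "1.5.0"))
```

Running the same query against every manifest in the organization is the step that turns a disclosed vulnerability into a concrete list of applications to update, which is also the evidence an auditor will ask for.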
Looking for more tips and advice on your biggest AppSec challenges? Get them from someone who’s been there – check out our new eBook, 5 Lessons From an Application Security Pro.