At Black Hat 2016 I had the pleasure of attending a briefing presented by Jake Kouns of Risk Based Security and Christine Gadsby of Blackberry. Their presentation, titled “OSS Security Maturity: Time to Put On Your Big Boy Pants”, explored the definition of OSS (Open Source Software) and the usage and implications of OSS adoption within commercial software.
I was pleased to see that the presentation contained several slides from the Black Duck and North Bridge 2016 “Future of Open Source” Survey. Referencing our survey, the speakers noted that OSS usage is both on the rise and also continues to be a major source of potential risk for companies. For example, 47% of companies don’t have formal processes in place to track open source code, limiting their visibility into their open source and therefore their ability to control it.

Insight into Open Source Security Risks
With risk centered around an ever-growing list of vulnerabilities, and the difficulty of tracking those vulnerabilities, insight into exposure to open source security risks continues to challenge even the most mature enterprise company. One slide entitled “Fun Blackberry OSS Stats” really hit home:

536 unique libs tracked across 75 product variants
Up to 16 different versions of a unique library in a single product
195 unique OSS libs in a single product
A product could contain 47 copies of the same library

The 5 Levels
The audience went on a journey through the 5 levels of maturity as defined by the Security Incident Response Team at Blackberry, ranging from the lowest level of maturity (“Chaos”), which requires the least investment but carries the highest risk, through to Level 5, full SDLC integration, which requires a higher level of investment but reduces the risks associated with OSS adoption as well as improving ROI.
Moving from worst to first, “Chaos” is a company using OSS blindly, with no understanding of risk. Level 2 is when a company begins to create a software Bill of Materials, and starts to track open source vulns and fixes. “Mastering Ops” was their term for Level 3, where a company proactively uses OSS vuln intelligence to implement fixes. Level 4 is the “Tools” level, where a company moves beyond spreadsheets to use tools and automation such as the Black Duck Hub to drive efficient OSS handling. And Level 5 is an organization making well-informed OSS decisions and creating a curated OSS catalog.
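To make the “Fun Blackberry OSS Stats” slide and the Level 2/Level 3 steps concrete, here is an added example (my own illustration, not code from the talk, from Blackberry or from Black Duck) of the minimal software Bill of Materials a company needs before it can answer questions like “how many copies and versions of this library ship in one product?” and “which copies does a new advisory affect?”. The product names, library names, versions, paths and advisory identifiers are all constructed placeholders; the metrics it computes are the same kinds of numbers the slide quoted.

```python
"""
Added example: a minimal SBOM inventory that computes library-visibility
metrics (unique libraries, versions and copies per product) and matches
every component copy against a vulnerability feed.
All product names, library names, versions, paths and advisory IDs are
constructed placeholders, not real data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    product: str
    library: str
    version: str
    path: str  # where this copy lives inside the product tree


# Constructed inventory: "phone-os" bundles libfoo three times in two versions,
# the pattern behind "up to 16 versions" and "47 copies of the same library".
INVENTORY = [
    Component("phone-os", "libfoo", "1.2.0", "vendor/a/libfoo"),
    Component("phone-os", "libfoo", "1.4.1", "vendor/b/libfoo"),
    Component("phone-os", "libfoo", "1.4.1", "third_party/libfoo"),
    Component("phone-os", "zlib-like", "1.2.8", "third_party/zlib"),
    Component("tablet-os", "libfoo", "1.4.1", "vendor/libfoo"),
    Component("tablet-os", "parserlib", "0.9.3", "third_party/parserlib"),
]

# Constructed advisory feed: (library, affected versions, placeholder advisory id).
ADVISORIES = [
    ("libfoo", {"1.2.0", "1.3.0"}, "VULN-PLACEHOLDER-1"),
    ("parserlib", {"0.9.3"}, "VULN-PLACEHOLDER-2"),
]


def sbom_stats(inventory):
    """Return the visibility metrics that a Level 2 SBOM makes answerable."""
    libs = {c.library for c in inventory}
    products = {c.product for c in inventory}
    versions = defaultdict(set)   # (product, library) -> distinct versions shipped
    copies = defaultdict(int)     # (product, library) -> number of bundled copies
    libs_per_product = defaultdict(set)
    for c in inventory:
        versions[(c.product, c.library)].add(c.version)
        copies[(c.product, c.library)] += 1
        libs_per_product[c.product].add(c.library)
    return {
        "unique_libs": len(libs),
        "products": len(products),
        "max_versions_in_one_product": max(len(v) for v in versions.values()),
        "max_copies_in_one_product": max(copies.values()),
        "max_libs_in_one_product": max(len(s) for s in libs_per_product.values()),
    }


def affected_components(inventory, advisories):
    """Level 3 step: match every copy (not just the first) against the feed.

    Returns sorted (product, library, version, path, advisory_id) tuples, so a
    fix can be applied to each bundled copy rather than only the canonical one.
    """
    index = {(lib, ver): adv_id for lib, vers, adv_id in advisories for ver in vers}
    hits = []
    for c in inventory:
        adv_id = index.get((c.library, c.version))
        if adv_id:
            hits.append((c.product, c.library, c.version, c.path, adv_id))
    return sorted(hits)


if __name__ == "__main__":
    for name, value in sbom_stats(INVENTORY).items():
        print(f"{name}: {value}")
    for hit in affected_components(INVENTORY, ADVISORIES):
        print("affected:", *hit)
```

The per-path matching is the point: a spreadsheet keyed only on library name would report libfoo as "patched" once the canonical copy moves to 1.4.1, while the stale 1.2.0 copy under `vendor/a/` keeps shipping. Tracking each copy with its location is what turns the inventory into something a response team can act on.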
You can view the full “Big Boy Pants” presentation, in PDF format, here.
Investing in an OSS security strategy at the Level 4 stage of maturity outlined in the presentation will not only improve your awareness and visibility of OSS usage and related security concerns, it will ultimately result in the delivery of secure software and faster response times, instilling both customer and community confidence.