Why creating an open-source ecosystem doesn’t mean you’re taking on security risks
Anyone who uses technology benefits from open-source software. Most applications you use have implemented open-source code to varying degrees. This isn’t just small-time developers that use this code, either. Many large enterprises rely on this software to build their own products and solutions.
Because of this, any CIO would be wise to have their developers follow the same blueprint. However, some developers have concerns about open-source. In an open environment where any contributor can drop potentially harmful code into the global library, is it safe — or wise — to lean heavily on these development resources?
Granted, these developers don’t have much choice. If they want to remain competitive, they have to leverage this library for their own benefit. But misconceptions can develop around the security risks posed by open-source software. Though the library includes security considerations any developer should follow, there are ways to mitigate these risks and develop an ecosystem that is as secure as it is agile.
Understanding security risks
The primary concern regarding security in an open environment is that bugs may be alive and well in the open library. Notable security breaches in the past, committed by bugs such as Heartbleed and Shellshock, have demonstrated what can go wrong when open software is corrupted.
Such attacks aren’t routine, but they represent a risk most developers can’t afford to take. As Mozilla pointed out, these critical threats only pose more dire consequences, and mobile technology is integrated to handle healthcare technology, self-driving cars and other innovations that put people’s lives at risk. The danger of a virus infecting your car on the highway is far greater than the risk of it crashing your home desktop computer, so these security measures are getting increased attention.
However, this isn’t a reason to abandon ship. Due to the attention paid to bugs and security threats in an open-source ecosystem, a wide range of tools are being developed to detect these threats, and awareness is becoming more widespread among the developer community. Through a combination of security tools and better communication about possible and discovered threats, an open environment can be reliably safe for developers to use as a resource.
Ensuring security in open source
Communicating with the global community of developers is important. Through message boards and other professional communication channels, developers can stay tuned into the conversation around security of the open library. The Sonatype Nexus Repository OSS, for example, is a repository for open code that manages versions to ensure developers have the most up-to-date version. This means security issues identified in previous versions are more likely to have been fixed.
In addition, developers should have tools at their disposal to check for bugs on their own accord. Depending on the programming language you’re using, there are reputable tools out there to use when building a testing framework. The code should be tested continuously to ensure it’s acting as intended.
Open development may not be 100 percent safe in every situation, but no form of development is. Even commercially bought code brings its own challenges and risks. Developers need to conduct their due diligence on code, test aggressively and double-check their work to make sure they’re using an open ecosystem to fast-track innovation without increasing security threats.