Maryna Mahfoudhi, CGI Federal

Maryna Mahfoudhi

Senior Consultant

Lidija Salvaggio, CGI Federal

Lidija Salvaggio

Senior Consultant

Nowadays, open-source components such as libraries, frameworks and other software modules dominate the enterprise. Free and open-source software (FOSS) serves as a fundamental building block for many technologies. Developers no longer write application software from scratch. Instead, they rely on third-party libraries and their dependencies to quickly build required functionality. These libraries lower development costs, allow re-use of components and provide ease of integration and scalability. 

Use of these components has increased significantly over the last decade, enabling developers to accelerate innovation. However, not all developers of third-party software build it with security in mind, and the result is frequently weaknesses and vulnerabilities. This is especially worrisome in federal government environments, and in much of the commercial world, where data protection is an increasingly critical security concern.

According to Sonatype, a company that specializes in managing open-source components, nearly 80 percent of a typical application’s code consists of open-source components, with no formal processes in place for monitoring and managing their use. Because components run with the full privileges of the application, a single vulnerable component can compromise the confidentiality, integrity and availability of the system and its data.

Reduce risk with a TPM program

To minimize the risks associated with open-source components, an organization must implement a third-party management (TPM) program. Such a program manages third-party software and its components in order to prevent supply chain disruptions, security breaches, reputational damage and penalties.

Consider these five best practices and recommendations to enhance your TPM program:

  1. Create and enforce policy: Establish a detailed usage policy and enforce it company-wide. A surprisingly large number of organizations lack the procedures and policies that help mitigate the risks of managing third-party components. We strongly recommend designating a single committee, or even a single individual, to oversee open-source software usage. This safeguard helps prevent a siloed approach, which quickly leads to redundancy, wasted labor and time, and a partial, non-holistic view.
  2. Implement a standardized process: As a further protection against silos, establish a single, well-defined and consistent TPM process and require it across all departments of the organization.
  3. Take an inventory: Before you can manage what you have, you must know and understand just what it is. Follow the best practice of implementing a centralized binary repository manager: software that maintains an inventory of all open-source components used within the organization, together with their licensing details, version updates and patching processes.
  4. Conduct frequent security scans: As a best practice, we recommend running a security scan on each release of open-source software. This helps accurately determine the security posture of the system, and can also identify outdated versions and changes to licensing agreements.
  5. Update promptly: Whenever new vulnerabilities are reported, whether by your own scans or by outside organizations, apply updates and patches quickly, or make manual fixes if necessary. Apply them to every application that uses libraries or frameworks from the affected open-source projects. Acting quickly helps keep you ahead of malicious actors.
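As an added illustration of how steps 3 to 5 can be automated (this is example code written for this page, not CGI's or the article's own tooling), the following Python script builds an inventory from a constructed dependency manifest, checks each component against a constructed advisory feed and the approved-license policy from step 1, and lists what needs an update or a review. The manifest format, the advisory IDs and the approved-license set are all assumptions.

```python
from collections import namedtuple

# Constructed manifest: one "name==version ; license=SPDX-ID" entry per line.
MANIFEST = """\
libalpha==1.4.2 ; license=MIT
betakit==0.9.1 ; license=GPL-3.0-only
gammajson==2.3.0 ; license=Apache-2.0
"""

# Constructed advisory feed: component -> (advisory id, first fixed version).
# Any installed version older than the fixed one is treated as affected.
ADVISORIES = {
    "betakit": ("ADV-EXAMPLE-0001", "0.9.3"),
    "gammajson": ("ADV-EXAMPLE-0002", "2.2.5"),
}

# Usage policy (step 1): licenses the organization has approved for its products.
APPROVED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}

Component = namedtuple("Component", "name version license")

def version_key(version: str) -> tuple:
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))

def parse_manifest(text: str) -> list:
    """Build the component inventory (step 3) from the manifest text."""
    inventory = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        spec, _, meta = line.partition(";")
        name, _, version = spec.strip().partition("==")
        lic = meta.strip().partition("=")[2] or "UNKNOWN"
        inventory.append(Component(name, version, lic))
    return inventory

def audit(inventory: list) -> list:
    """Scan the inventory (step 4) and list what needs an update or review (step 5)."""
    findings = []
    for comp in inventory:
        if comp.license not in APPROVED_LICENSES:
            findings.append((comp.name, "license", comp.license))
        advisory = ADVISORIES.get(comp.name)
        if advisory and version_key(comp.version) < version_key(advisory[1]):
            findings.append((comp.name, "vulnerable", f"{advisory[0]} fixed in {advisory[1]}"))
    return findings
```

Running `audit(parse_manifest(MANIFEST))` flags betakit twice, once for its unapproved license and once for the open advisory, while gammajson passes because its installed version is already newer than the fixed one.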

Staying current 

We recommend conducting regular security assessments of open-source libraries. CGI’s Open Source Components Assessment (OSCA) offers full-spectrum security analysis of open-source components and their dependencies. OSCA combines dynamic runtime analysis and static code review to determine which components and versions are affected by a given security vulnerability, and which applications are impacted as a result.

Open-source components play a key role in modern software development. They enhance agility, speed up the modernization of legacy systems and facilitate faster completion of change requests. The security risks associated with open-source components become manageable when a robust TPM program is in place.


About these authors

Maryna Mahfoudhi, Senior Consultant, CGI Federal

Maryna leads a team of security engineers within CGI Federal’s Security Assurance and Governance practice.

Lidija Salvaggio, Senior Consultant, CGI Federal

Lidija Salvaggio is an expert in application security, DevSecOps and cybersecurity innovation.