In an age when software relies on open source for faster, more efficient development, the debate over whether or not to use it for building applications would appear to be long over. The use of open source components is an established fact, comprising 60-80% of the code base in modern applications. Now the question that organizations are asking themselves is not whether or not to use open source components, but how to use them securely.
Even as there are no fundamental differences in the content of the code, after all, code is code, there is a divergence in how we secure open source components as compared to our practices for proprietary.
The two types of code face different threats, operate in different environments, and require different toolsets in order to keep them secure.
Open Source Vs. Proprietary: The Threats Are Different
Open source components and proprietary code face different kinds of primary threats.
The fearful buzzword of the proprietary world in recent years has been that of the 0-day. These vulnerabilities are so feared because they are unknown and organizations cannot defend against them since they have not yet been reported. Discovery and exploitation of a 0-day in a widely used commercial product like Windows or iOS can be valuable and a significant threat to those proprietary applications.
However, when it comes to open source components, 0-day vulnerabilities are in general a lower priority given our threat modeling when it comes to open source component security. This is because 0-days are fairly specific in what they affect, so discovering and exploiting a single 0-day in an organization’s application is not particularly scalable. They can take months to find and their ROI is highly questionable.
Instead, known vulnerabilities which have been published are (Read more…)
*** This is a Security Bloggers Network syndicated blog from Blog – WhiteSource authored by Gabriel Avner. Read the original post at: https://resources.whitesourcesoftware.com/blog-whitesource/your-guide-to-open-source-vs-proprietary-code-security