
Managing Application Dependency Risks in Open-Source Libraries

Posted by Brenda Barrioz on Dec 26, 2019 4:19:51 PM

Open-source libraries and frameworks are quickly rising in relevance in enterprise code bases.

Today, nearly every system or service users engage with contains references to open-source code. A staggering 78% of companies are utilizing open-source software in their operations, with a mere 3% opting to remain fully closed-source.

Open source will continue to dominate as interoperability and containerization become commonplace in enterprise software development. This could raise major security concerns, however, as open-source code may potentially create dependency risks when integrated into enterprise production environments.

What are the ways enterprises can work with open-source code while eliminating dangerous dependency risks?

The Growing Popularity of Open Source in Enterprises

Open-source adoption in the enterprise space has increased significantly, particularly over the past decade. In 2017, only 32.7% of developers said they contributed to open-source projects. That number has risen to 65% in 2019, nearly a 100% increase in less than two years.

In another similar survey conducted by Red Hat, 950 IT leaders from all over the globe say open source is an integral component of their organization’s enterprise IT architecture and strategy as a whole.

The importance of working with open source among enterprises (Image Source).

The same survey also shows that enterprises are showing no signs of slowing down in terms of working with open source. 68% of organizations have ramped up open source integration efforts over the last year while 59% expect to continue to do so in 2020 and beyond.

So, what’s driving this trend?

Collaborative innovation in enterprise development is a key factor. One of the pillars of achieving collaborative innovation success is to work more with open-source code to enable agile software development.

This growth is further boosted by significant paradigm shifts in software development including the practice of continuous integration and continuous delivery (CI/CD).

CI/CD is popular as organizations can write code and continuously and seamlessly deploy it to other business platforms in one shot through automation. Containerization is another important contributor thanks to the popularity of DevOps in enterprises.

The Hidden Dependency Risk in Open Source

Enterprises do not usually use an open-source tool in its entirety. Instead, they take one or more of its components and integrate them with their existing codebase. It’s clear how security risks can crop up through these small dependencies on open-source libraries and frameworks.

When hundreds of open-source dependencies are used, enterprise teams struggle to keep track of each one. This leads to confusion among developers as they don’t fully understand what open-source components are in use, where they are, and how they’re being used.

Open-source dependencies can also lead to devastating security breaches when attackers exploit vulnerabilities in commonly used open-source libraries or frameworks.

This was the issue that led to the massive Equifax data breach of 2017, when developers failed to patch a known vulnerability in Apache Struts, a Java-based open-source web application framework.

Developers and organizations need to understand which open-source packages are being used, along with their security standards and risks. Not doing so increases the risk of losing millions to penalties (e.g. GDPR fines) and lost business from disgruntled customers in the event of a data breach.

How to Manage Dependency Risks When Working with Open Source

1. Work with Established Open-Source Libraries

Enterprises should only work with established, well-documented open-source libraries. Working with new open-source projects can provide a significant first-mover advantage, but the risks that come with this are just not worth it.

Established tools like Docker, MongoDB, and Drupal are popular for a reason. They provide enterprise-grade performance while guaranteeing watertight security through extensive code audits and technical documentation.

The community surrounding popular open-source tools is also passionate enough to spot any errors in the code before they become a major issue. With massive investor funds and the pressure of the world’s biggest companies using their services, established open-source projects will do everything in their power to secure APIs and dependencies to safeguard their enterprise clients.

2. Vet the Source Code

Internal development teams should assess the source code of any open-source software before using its components. The source code analysis should be able to tell organizations whether the open-source tool of choice is:

  • Written to scale efficiently to accommodate enterprise workloads
  • Secure enough to deal with sensitive business data
  • Structured and commented appropriately to ease code modification

If enterprises don’t have the capabilities to vet open-source code in-house, they should consider engaging a third-party firm to do the job.

3. Check If Open Source Is the Best Solution

Following from the point above, analyzing open-source tools beforehand gives organizations an idea of whether a given tool is the best solution for their business use case.

Just because a tool is trending, it doesn’t mean enterprises must work with it. Businesses may even uncover closed-source or internal solutions that provide as much value as open-source software without the risks that come with it.

4. Use Testing Environments

Enterprise systems go through multiple development stages before they reach end-users. A common structure used in enterprises is to have a development, testing, staging, and production environment for code deployments.

Newly-acquired open-source tools should be tested in the development and testing environments first to ensure they work as expected. If any vulnerabilities are detected, developers can safely find a solution without affecting customers and sensitive data.

5. Make Use of Software Dependency Discovery

Open-source dependency vulnerabilities happen because enterprises have no clue what applications they’re running in the first place. Even if the vulnerability is detected, getting to the root of the problem is difficult if development teams don’t have a clear, complete overview of their software dependencies. It’s like finding a needle in a haystack in the dark.

This is where having a dependency mapping tool matters. With Dependency Discovery, enterprises can easily identify open-source dependencies in their IT infrastructure.


Not only does this mitigate external dependency risks, but it also helps developers integrate open-source applications more efficiently, which leads to increased business performance and improved software collaboration.
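The point of this section, that a vulnerability report is only actionable once you know which component is present and what pulls it in, as an added example that is not from the original post or from any vendor tool: it walks a constructed resolved-dependency graph, builds a transitive inventory with each component's direct consumers, and matches it against a constructed advisory list (all package names, versions and advisory ids here are made up).

```python
# Added example (not from the original post): build a transitive dependency
# inventory and match it against an advisory list, so each finding also says
# which components pull the affected package in (that is what must be updated).
from collections import deque

# Constructed sample resolution data: (name, version) -> direct dependencies.
RESOLVED = {
    ("web-app", "1.0.0"): [("http-client", "2.3.1"), ("template-lib", "0.9.0")],
    ("http-client", "2.3.1"): [("url-parse", "1.4.0")],
    ("template-lib", "0.9.0"): [("url-parse", "1.4.0"), ("escape-html", "1.0.3")],
    ("url-parse", "1.4.0"): [],
    ("escape-html", "1.0.3"): [],
}

# Constructed advisories (hypothetical ids): name -> (advisory id, first fixed version).
ADVISORIES = {
    "url-parse": ("ADV-0001", "1.5.0"),
    "escape-html": ("ADV-0002", "1.0.2"),
}

def parse_version(v):
    """Turn '1.4.0' into (1, 4, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))

def inventory(root):
    """Breadth-first walk from the application root.

    Returns {(name, version): set of direct consumer names}; a shared
    dependency is listed once but records every component that depends on it.
    """
    consumers = {root: set()}
    queue = deque([root])
    while queue:
        pkg = queue.popleft()
        for dep in RESOLVED.get(pkg, []):
            if dep not in consumers:
                consumers[dep] = set()
                queue.append(dep)
            consumers[dep].add(pkg[0])
    return consumers

def vulnerable(inv):
    """Return [(advisory id, name, version, sorted consumers)] for affected entries."""
    hits = []
    for (name, ver), who in inv.items():
        adv = ADVISORIES.get(name)
        if adv and parse_version(ver) < parse_version(adv[1]):
            hits.append((adv[0], name, ver, sorted(who)))
    return hits
```

Running `vulnerable(inventory(("web-app", "1.0.0")))` flags url-parse 1.4.0 once, with both http-client and template-lib listed as consumers, while escape-html 1.0.3 is already at or above its fixed version and is not reported.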

Topics: Enterprise Architecture, Kanban, docker, IT Architecture, Devsecops, opensource, servicenow, dependency Discovery