Open source software continues its meteoric rise, as more and more large enterprises weave open source code into various areas of their operations, increasingly shunning the big-name, proprietary software vendors.
In fact, according to open source software development company, Sonatype, represented locally by 9TH BIT Consulting, 7,000 new open source software projects kick-off around the world every week, while 70,000 new open source components are released. Accessing this massive ‘hivemind’ of software development expertise is a highly attractive prospect for CIOs and business managers in all industries.
Open source promises relief from vendor lock-in and exorbitant software costs, offering simpler and less expensive licensing models, abundant support and high-quality code that has been thoroughly stress-tested ‘in the wild’.
But, of course, there’s a catch. It’s estimated that one in 16 open source software components has security vulnerabilities, Sonatype states in its “State of Software Supply Chain” report. The study also affirms that between 2014 and 2017, there was a 50 percent increase in breaches that were either suspected to be, or proven to be related to open source components.
In an era of rapidly-escalating cyber-threats, this poses a huge problem for businesses considering a wholesale embrace of open source.
The challenge is to find innovative ways of harnessing the power of open source, while retaining strict security controls – ensuring that any vulnerabilities do not infect or penetrate the broader software development lifecycle.
What to look for in your development platform
Firstly, it’s crucial to establish security standards and policies that meet your specific business goals, risk mandates, or regulatory compliance requirements. Depending on the type of organisation, these policies will look very different.
Across the entire DevOps value chain, these policies will need to be met – for every software component, used within any of the myriad of development tools that you may use.
Your software development platform should certainly have an impenetrable firewall which analyses every aspect of each component before it fully enters the DevOps value chain, quarantining and rejecting anything suspicious or anything contra to your security policies.
In fact, these components need to be continually and thoroughly re-checked against agreed policies on a regular basis. These repository ‘healthchecks’ show the issues that are in greatest need of remediation, or pose the most severe risk (allowing you to prioritise your next actions).
Your platform should also include component intelligence services which help developers to better understand the risks and threats, and ultimately make safer component selections from the very beginning.
It should also give you realtime visibility over the entire DevOps value chain and software lifecycle, showing all of the components that are in-use, clearly mapping their interdependencies and relationships.
Open source software has tremendous application in modern-day software development, allowing staff to focus on the ‘differentiators’ (the bespoke code which becomes the organisation’s strategic asset), while building highly-automated, DevOps-style software delivery practices for everything else. However, to ensure success, CIOs need to place a concerted focus on security, borne out through a robust and intelligent digital development platform, to unleash the true power and value of open source.
By Barry de Waal, chief executive of strategy and sales at 9TH BIT Consulting