Much like propriety software, open source has plenty of positives and negatives. When making a decision between one or the other, it’s essential that business owners and IT professionals separate the myth from the truth.
According to ZDNet, some of the open source security risk myths include the belief that open source is less secure than proprietary, that the source code can be changed by sinister characters making it less secure or that open source vulnerabilities exist because there is no development standard. A 2015 open source survey found that about 78% of businesses use open-source software, but few have formal processes in place to track the code and remedy known vulnerabilities.
Risk management: What to look out for
Every organisation employing open source software must do so with security and risk management in place. Here are a few tips to keep your company safe.
Avoid ad-hoc installations: Any open source installations must be properly managed, updated and maintained.
Only download software from trusted sites: Downloading anything from a site you don’t know could open your business up to unnecessary risks.
Favour source code over binaries: It’s best to download the source code as binaries may not have been compiled using the authentic source code.
Take the time to train users properly: Those responsible for maintaining this software must keep an eye out for any open source security announcements, meticulously install patches and carry out necessary software upgrades.
Security risk analyses: six types of testing to do today
They say prevention is better than cure. One of the best ways to ensure that your business is secure, is to conduct regular open source audits and running regular security tests. The Open Source Security Testing methodology manual outlines seven security scans and assessments all enterprises using open source software should be doing:
1. Vulnerability Scanning: Systems are scanned against known vulnerabilities.
2. Security Scanning: Automated or completed manually, this test aims to identify any network and system weaknesses.
3. Penetration testing: Put your network’s defences to the test and reveal exploitable system vulnerabilities before hackers find them.
4. Risk Assessment: Identifying any risks and classifying these as Low, Medium or High.
5. Security Auditing: As is the case with a regular audit, a security audit entails carefully inspecting all business systems and apps to detect weaknesses.
6. Ethical hacking: This type of hacking is done to detect potential system flaws.
Directly or indirectly, open-source is undeniably having a significant impact on every aspect of IT. Working collaboratively with open communities while managing the risks, is therefore becoming a core skill needed for any company to be a success in the 21st century.
At Evolv Networks, we believe that an Open Source Risk Management Strategy, supported by the key stakeholders in the business, can safely support the inevitable adoption of open source.
Together, we can make the web more secure for your company.