At the RSA Conference 2020, Brittany O’Shea, Senior Product Manager, Veracode presented Veracode’s findings when it came to securing open source code. O’Shea talked with Enterprise Times to give more details about the problem.
One of the challenges of open source is dealing with myths. We have moved away from the belief that all open source is bad. We’ve seen vendors build enterprise versions of projects that raise the quality and security bar. However, despite the number of people looking at the code, there is still a lot of misunderstanding as to whether it is secure.
ET asked O’Shea about this and why we were still struggling to improve the security of open source code. O’Shea said: “I find it really interesting when people make the assumption that open source is secure.” She continued: “While open source has been a great way to innovate from a code perspective, we’ve still propagated the same security risk that we have seen in proprietary code for many years.”
O’Shea also commented that: “We find they are more likely to have vulnerabilities because there is no single source of ownership.” Adding to the problem is that many open source libraries pull from other libraries. This buries vulnerabilities many levels deep. O’Shea talked about what organisations need to do to address this issue.
There was also a discussion on better use of bills of materials and, more importantly, the need for companies to establish their risk appetite for using open source. O’Shea concludes with four things CISOs can do to improve the security of the code they are using.
To hear what else O’Shea has to say, listen to the podcast.
Where can I get it?
obtain it, for Android devices from play.google.com/music/podcasts
use the Enterprise Times page on Stitcher
listen to the Enterprise Times channel on Soundcloud
listen to the podcast (below) or download the podcast to your local device and then listen there