Open Source Observations from RSA


March 19, 2014 By Karen Gardner

Wow – have 2 weeks already passed since RSA? Before we get too far out from the event, I thought I’d share a few observations …

At an event covering security of all types, where application security is a small subset and open source security an even smaller one, I was impressed with the growing awareness of both the value and the risk associated with open source components in application development.

As I talked with folks concerned about Application Security, many were aware of the fact that a large percentage of their applications are assembled from open source and third party components. (In fact, research shows that this can be 80-90% of the typical application.) Unfortunately, most have not taken notable steps to address this concern – and, if they have, it is done in a way that disrupts the speed and agility of application development processes.

Virtually everyone I spoke with has taken steps to identify security flaws in the code they write themselves, using tools like SAST and DAST. But those tools look for flaws in your own code, not for the known vulnerabilities shipped inside the components you pull in, and very few even had visibility into which components were used in each application, let alone whether those components brought security or license risk with them. As a result, there was a lot of interest in the partnership Sonatype announced with HP (see the Forbes article) to integrate Sonatype’s Component Lifecycle Management (CLM) analysis technology into HP Fortify on Demand. Now HP Fortify on Demand customers have access to an Open Source Application Scan using the Sonatype CLM analysis technology directly within the Fortify on Demand user experience.

Of those who had taken steps to address the open source risk, most were starting with an Open Source or FOSS Review Board to approve components for use in application development projects. However, few felt confident that they could enforce their policies across the application development lifecycle. In fact, one CISO rushed to our booth immediately after Ryan Berg, Sonatype’s CSO, presented his session ‘The Game of Hide and Seek, Hidden Risks in Modern Software Development’ stating “I just started my FOSS review board and I think I’m on the wrong path.” The reality is that a lot of manual effort goes into a FOSS Review Board, and developers simply can’t wait days or even weeks for approvals. If they have to wait, they will probably find a way to work around the system. And approval is a point-in-time decision: new vulnerabilities are announced daily, so a component that was clean when the board signed off on it can carry a critical flaw a month later, while the approval list still says it is fine and nobody re-checks the applications that use it. If you are in this boat, you may find this webinar of interest to learn how automated policies can guide and govern component usage across the software lifecycle while speeding development efforts.
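To make the difference concrete, here is an added example (not code from Sonatype or HP, and not CLM itself) that contrasts a one-time review-board approval with a policy that is re-evaluated on every build against an advisory feed. The components, licenses, advisory identifier and dates are constructed for illustration, and the approved-list, banned-license and severity-threshold rules are assumptions about what such a policy might contain.

```python
# Added example (not Sonatype's or HP's code): a minimal, continuously
# re-evaluated component policy, contrasted with a one-time review-board gate.
# Every component, license, advisory id and date below is constructed.
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Component:
    """One component pulled into the build (a Maven-style coordinate)."""
    group: str
    name: str
    version: str
    license: str


@dataclass(frozen=True)
class Advisory:
    """A published vulnerability for some versions of a component."""
    advisory_id: str        # constructed identifier, not a real CVE
    group: str
    name: str
    affected: frozenset     # affected version strings
    severity: float         # CVSS-style score, 0-10
    published: date


@dataclass(frozen=True)
class Policy:
    """What a review board writes down, plus thresholds a tool can enforce."""
    approved: dict          # (group, name, version) -> date it was approved
    banned_licenses: frozenset
    max_severity: float     # advisories at or above this block the component


# Constructed sample inventory: what a build actually pulled in.
INVENTORY = [
    Component("org.example", "json-parser", "1.4.2", "Apache-2.0"),  # approved, later found vulnerable
    Component("org.example", "http-client", "2.0.0", "Apache-2.0"),  # approved, clean
    Component("org.example", "crypto-util", "0.9.1", "AGPL-3.0"),    # never submitted to the board
]

# Constructed policy: the board approved two components in January.
POLICY = Policy(
    approved={
        ("org.example", "json-parser", "1.4.2"): date(2014, 1, 15),
        ("org.example", "http-client", "2.0.0"): date(2014, 1, 15),
    },
    banned_licenses=frozenset({"AGPL-3.0"}),
    max_severity=7.0,
)

# Constructed advisory feed: json-parser 1.4.x gets a critical advisory in
# March, weeks after the board signed off on it.
ADVISORIES = [
    Advisory("ADV-2014-0001", "org.example", "json-parser",
             frozenset({"1.4.0", "1.4.1", "1.4.2"}), 9.3, date(2014, 3, 1)),
]


def coordinates(c: Component) -> tuple:
    return (c.group, c.name, c.version)


def review_board_check(inventory, policy) -> list:
    """The one-time gate a manual review board enforces: is the component on
    the approved list? Returns the components that are not. Nothing here
    notices an approved component going bad afterwards."""
    return [c for c in inventory if coordinates(c) not in policy.approved]


def policy_check(inventory, advisories, policy, as_of: date) -> dict:
    """Automated policy, re-run on every build: approval, license, and every
    advisory published up to `as_of`. Returns {component name: [reasons]}."""
    violations: dict = {}
    for c in inventory:
        reasons = []
        if coordinates(c) not in policy.approved:
            reasons.append("not on approved list")
        if c.license in policy.banned_licenses:
            reasons.append(f"banned license {c.license}")
        for a in advisories:
            if ((a.group, a.name) == (c.group, c.name)
                    and c.version in a.affected
                    and a.published <= as_of
                    and a.severity >= policy.max_severity):
                reasons.append(f"{a.advisory_id} severity {a.severity} affects {c.version}")
        if reasons:
            violations[c.name] = reasons
    return violations


def check_as_of(iso_date: str) -> dict:
    """Run the automated policy over the sample data as of a given day."""
    return policy_check(INVENTORY, ADVISORIES, POLICY, date.fromisoformat(iso_date))


if __name__ == "__main__":
    print("review board gate:", [c.name for c in review_board_check(INVENTORY, POLICY)])
    for day in ("2014-02-01", "2014-03-19"):
        print(f"policy as of {day}:", check_as_of(day))
```

Run on the sample data, the review-board gate flags only crypto-util, and it would keep saying so forever. The automated check gives the same answer on 1 February, but on 19 March it also flags json-parser 1.4.2, because the advisory published on 1 March now matches an approved version: the approval did not change, the world did. That re-evaluation on every build, against a feed that is updated as advisories appear, is the part a manual board cannot do.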

The final thought I want to share is related to software liability. As I listened to Josh Corman, Sonatype’s CTO, and Jake Kouns, CISO of Risk Based Security, speak on this topic at RSA, I was struck that the most basic form of negligence is not knowing what is in your software. So if you are a Fortify on Demand customer, try the Sonatype Open Source Application Scan, and if you aren’t, take Sonatype’s complimentary Application Healthcheck to get a view of the visibility that Component Lifecycle Management (CLM) will provide, and to help you start on your journey towards end-to-end application security.