The security of Open Source Software (OSS) is a frequently debated topic; questions often arise concerning what role open code plays in accessing systems, which many believe can disrupt the security fabric of the organization. However, this argument is somewhat moot because at this point in the evolution of the software industry, it’s become nearly impossible to create any significant body of software without using at least some open source software. With this said, there’s still a critical security discussion that must continue to happen around application development using a mix of custom and open source code.
Many OSS projects are built around communities of contributors who add updates, supply code, and offer patches within the software development lifecycle (SDLC). Some projects are large scale with corporate sponsors, while others draw support from a smaller community with few users. Regardless of the scale of the project, using a combination of open source and custom code significantly increases security risk and management complexity, and opens an organization to a host of other challenges.
However, even given these risks, open source software use has continued to increase dramatically, both in the private and public sector. Using open source helps agencies and organizations shorten the SDLC and accelerates time to market. In fact, according to Black Duck CEO Lou Shipley, open source can comprise 50% or more of the code base of an organization such as the federal government. Therefore, securing this code is of utmost priority.
Thankfully, government and public sector open source enthusiasts can lay some of their open source security worries to rest. With the recent announcement of Black Duck’s integration of their Hub Solution with HPE Fortify Software Security Center, agencies can be confident that they will be able to spot vulnerabilities in their code and make the right decisions to quickly patch and maintain operational efficiency. This partnership enables organizations using HPE Fortify to detect, prioritize, and adjust known open source vulnerabilities as well as custom code exposures, all through a single view in the HPE Fortify Software Security Center. Government customers can get complete visibility into and control of the OSS that they already use, helping to diminish security risks and speed time to market.
Any organization that uses more than a few OSS components will benefit from better management and security with Black Duck and HPE’s partnership, including cost savings, increased SDLC velocity and flexibility, and increased asset value. Organizations that have not yet implemented an open source management and security program should consider Black Duck and HPE Fortify as a solution to quickly and easily optimize and secure their open source projects. To start accelerating your path to greater open source security by weeks or months, check out this Black Duck Hub and HPE Fortify video and download this whitepaper.