How to track and secure open source in your enterprise

Your developers are using open source — even if you don't know about it. Here's how to take control and why you need to.

Recently, SAS issued a rather plaintive call for enterprises to limit the number of open source projects they use to a somewhat arbitrary percentage. That seems a rather obvious attempt to protest the rise of the open source R programming language for data science and analysis in a market where SAS has been dominant. But there is a good point hidden in the bluster: Using open source responsibly means knowing what you’re using so you can track and maintain it.

Most enterprises aren’t aware of how much open source their developers use and what vulnerabilities that might expose them to. You can’t do security assessments or patch management on open source projects you don’t know you’re relying on.

Sonatype’s 2016 software supply chain study found that third-party components comprise eighty to ninety percent of the code in a typical enterprise Java application — and one in sixteen of those components that enterprises download has a security vulnerability. Older components have three times as many security flaws as newer versions, and over half of the components used in enterprise apps are over two years old. Two years after the Heartbleed bug was found, more than half of the OpenSSL versions Cisco Security Research tested in 2015 were still vulnerable.

In 2014, Veracode found that open source and third-party components used in enterprise web applications introduced an average of 24 known vulnerabilities into each of the 5,000 applications it scanned.
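The inventory problem the figures above describe can be made concrete with a small script. This is an added example, not code from the article or from any vendor it mentions: it parses a constructed Maven pom.xml, looks each declared component up in a constructed release-date table and a constructed advisory list, and flags anything over two years old or inside an advisory's affected range. All coordinates, dates and the advisory id are placeholders.

```python
# Added example: build an inventory of the third-party components a Java
# application declares and flag the ones that need attention.
import xml.etree.ElementTree as ET
from datetime import date

# Constructed sample manifest; coordinates and versions are illustrative only.
POM_XML = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>com.example</groupId><artifactId>json-lib</artifactId><version>1.2.0</version></dependency>
    <dependency><groupId>com.example</groupId><artifactId>http-client</artifactId><version>4.5.1</version></dependency>
    <dependency><groupId>com.example</groupId><artifactId>xml-tools</artifactId><version>2.0.3</version></dependency>
  </dependencies>
</project>"""

# Constructed release dates, as a package registry would report them.
RELEASE_DATES = {
    ("com.example", "json-lib", "1.2.0"): date(2013, 5, 1),
    ("com.example", "http-client", "4.5.1"): date(2016, 3, 10),
    ("com.example", "xml-tools", "2.0.3"): date(2014, 3, 20),
}

# Constructed advisory feed: (group, artifact) -> (last affected version, placeholder id).
ADVISORIES = {("com.example", "json-lib"): ("1.2.4", "ADV-PLACEHOLDER-1")}

NS = {"m": "http://maven.apache.org/POM/4.0.0"}  # Maven's default POM namespace

def parse_pom(pom_text):
    """Return (groupId, artifactId, version) for every declared dependency."""
    root = ET.fromstring(pom_text)
    return [tuple(dep.find(f"m:{tag}", NS).text.strip() for tag in ("groupId", "artifactId", "version"))
            for dep in root.findall("m:dependencies/m:dependency", NS)]

def version_tuple(v):
    """Numeric compare for dotted versions (assumes plain x.y.z strings)."""
    return tuple(int(x) for x in v.split("."))

def audit(comps, today, max_age_days=730):
    """Map each component to the reasons it was flagged (empty list = clean)."""
    findings = {}
    for group, artifact, version in comps:
        reasons = []
        released = RELEASE_DATES.get((group, artifact, version))
        if released is not None and (today - released).days > max_age_days:
            reasons.append("older than two years")
        adv = ADVISORIES.get((group, artifact))
        if adv and version_tuple(version) <= version_tuple(adv[0]):
            reasons.append(f"affected by {adv[1]}")
        findings[f"{group}:{artifact}:{version}"] = reasons
    return findings

def run_example(today=date(2016, 9, 1)):
    """Inventory the sample manifest as of a fixed (constructed) audit date."""
    return audit(parse_pom(POM_XML), today)
```

In a real pipeline the release dates and advisories would come from the package registry and a vulnerability feed rather than inline tables, and the manifest would be every build file the developers have checked in, not one they remembered to report.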

“Even software companies that already know they’re using open source code may need tools to manage that better. Enterprises rarely know just how much open source they’re using,” Rami Sass, CEO and co-founder of open source monitoring and management service WhiteSource tells “Enterprises like banks, financial services companies, media companies have large software engineering departments these days. They’re often surprised to find out how extensive their use of open source is and how little of that their manual inventory processes have been tracking. On average, they find three times the number of components they thought they had. Sometimes it’s as high as 10 times.”
