Although cyber-attacks and data breaches on networks and devices are now commonplace, security remains a low priority for many organisations, writes Joe McManus, Director of Security at Canonical, the company that publishes the Ubuntu operating system, among other software.
The old saying holds: it is not a question of if you will be hacked, but when. The reasons range from a shortage of skills within the organisation (unfilled cybersecurity jobs are expected to reach 1.8 million within two years) to simple ignorance and a lack of training. It seems as though we have not learned from the past, and organisations appear destined to repeat the same mistakes: misconfiguration and unapplied patches are still among the most common vectors for breaches.
A major challenge is that engineering groups have not incorporated security into their software development lifecycle (SDLC). The security team is rarely included in the early stages of development to build the threat model, and when it is, the model is seldom updated as feature creep expands the application's attack surface. However, the cybersecurity tide is turning. The security group is no longer seen as a roadblock to production but as a trusted advisor that can help projects succeed in the current threat landscape. More businesses are realising they need to put security higher up the agenda: building it in early in a project, monitoring it throughout development and patching throughout the software lifecycle are all becoming more of a priority.
And for good reason. The threat level is more serious than ever, and heavier regulation such as GDPR, with its financial ramifications, puts greater pressure on businesses to keep data safe. Those that fail run the risk of heavy fines and reputational damage that can cripple an organisation of any size.
With organisations looking to reduce security risk as far as possible, one unsung hero of the security world is the ever expanding developer community behind open source projects, which acts as a constant troubleshooter for free and open source software.
You don’t need to look far within the enterprise world to see the rise of open source, fuelled by a number of well-documented advantages including accessibility and innovation. Businesses across a whole host of industries, including the likes of BT, Netflix and Bloomberg, have leveraged open source to power new IT projects centred on technologies such as AI and machine learning, IoT and the cloud. Yet those are the benefits most commonly associated with open source; security is rarely the primary factor in adopting it, and there is a clear lack of understanding of how it can help mitigate security and compliance risks.
Nearly every software project will have a security issue at some point in its lifetime, and open source initiatives drive collaboration between developers and companies to pool resources and react quickly to remove vulnerabilities. Take Kubernetes as an example. Initially developed as an internal project at Google, the container orchestration platform has since become one of the largest open source projects in the world. This is in part because it benefits from a strong and passionate community which plays a significant role in its ongoing development and security.
Large Kubernetes communities on Reddit, Stack Overflow and GitHub support a long-term commitment to a secure and robust Kubernetes ecosystem, and there are a number of examples of these community ecosystems identifying and fixing vulnerabilities. Last year, an audit commissioned by the Cloud Native Computing Foundation revealed 34 vulnerabilities in the Kubernetes code base, 19 of which it ranked as medium or high severity. Last year also saw two further noteworthy examples of this community-based security movement in action. Developers at the startup OpenZeppelin found vulnerabilities in Move, a programming language developed by Facebook for the open source Libra cryptocurrency project. And Google urged users to update Chrome after security researchers found a high-severity vulnerability in an open source browser engine last August. This spirit of making open source more secure is furthered by companies like Synopsys, which offers free static analysis of open source projects through its Coverity Scan service.
New and emerging technologies like AI, 5G and cloud computing have created an environment in which open source flourishes, providing a platform for fast adoption and skyrocketing innovation. As open source adoption has gathered pace, so too has the surrounding community. This has fostered further collaboration to ensure its robustness and helped to dispel historical concerns about its security. The community around open source fundamentally makes it more transparent and easier to audit for compliance than closed-source software, where users cannot inspect the code to confirm what it actually does or analyse the root cause of issues and errors. Openness is a precondition for that scrutiny rather than a guarantee of it: the benefit accrues to projects that actually attract reviewers, audits and responsive maintainers, and a project whose code nobody reads gains little from being open. Open source enables a collaborative community to work together to pinpoint and remediate problems in the software, and to troubleshoot issues with emerging technologies. With sustaining strong security now a top priority, the open source community serves organisations as an unsung extra layer of defence.