Despite vulnerabilities like Log4j, enterprise use of open source has not slowed, but such flaws have emphasised the need for better knowledge of dependencies. Open source’s image in the computer industry has come a long way. Even in the face of well-publicized open source flaws like Log4j, open source software continues to gain popularity in the workplace, displacing proprietary software. According to Red Hat’s recent State of Enterprise Open Source report, 89 percent of the 1,300 IT executives polled feel open source software is just as secure as proprietary software.
More than three-quarters of respondents stated they have a more favourable view of enterprise open source than they did a decade ago, when open source security was viewed as a weakness. Large open source libraries serve as the building blocks for software development, which is a boon for firms that need to produce software quickly. However, the time saved may cause firms to lose sight of the vulnerabilities those libraries can bring with them.
According to the Red Hat analysis, the top security benefits associated with enterprise open source are the opportunity to employ well-tested code for internal applications, the provision of well-documented security patches, and the fast availability of patches when a vulnerability is discovered.
“Log4j doesn’t make anyone say they’ll reduce their usage of open source, because the primary reasons for using open source are functionality and the ability to save time and resources,” said Chris Wysopal, the founder and chief technology officer of Veracode. “What people did ask in response was, ‘How can I better manage vulnerabilities? How can I understand what I’m selecting, and why?’”
When using open source, it is usual for software to pull in freely available code snippets or dependencies that have already been written, tested, and put to use elsewhere. This has the benefit of shortening the development life cycle, because teams don’t have to rewrite code that already exists.
A good example is Log4j: according to a Wiz and EY investigation, the Java-based logging library is used in more than 90% of all cloud environments. However, once open source is deployed this widely, it can cause issues for enterprise users.
This is a “nested problem,” according to Wysopal, comparable to when automobile manufacturers issue a recall to fix a problem like a faulty airbag inflator. The customer is affected not because they purchased the airbag, but because they purchased the automobile containing the airbag that the car manufacturer had purchased.
Another issue with the software bill of materials (SBOM) is that it should only change when the underlying product changes, according to Danen. It makes sense to provide a new SBOM after a significant software release, but it would be impossible for vendors to do so every time a vulnerability is patched, especially given the regularity with which low-risk vulnerabilities are corrected.
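As an added illustration of the two points above (not code from the article or from any vendor it names), here is a small Python check that applies a separately maintained advisory list to a static SBOM and reports the nested dependency path through which a vulnerable library reaches the product; the SBOM, component names, advisory id and version numbers are all constructed for the example.

```python
# Match a static SBOM against a separately maintained advisory list.
# The SBOM describes the product as shipped; the advisories change over
# time, so the SBOM need not be regenerated when a new flaw is published.
from collections import defaultdict

# Constructed CycloneDX-style SBOM fragment (not a real product's SBOM).
SBOM = {
    "components": [
        {"bom-ref": "app", "name": "inventory-app", "version": "3.1.0"},
        {"bom-ref": "web", "name": "web-framework", "version": "5.2.0"},
        {"bom-ref": "log", "name": "logging-lib", "version": "2.14.1"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["web"]},
        {"ref": "web", "dependsOn": ["log"]},
        {"ref": "log", "dependsOn": []},
    ],
}

# Constructed advisory feed keyed by component name; any version below
# fixed_in is treated as affected. Kept apart from the SBOM on purpose.
ADVISORIES = {"logging-lib": {"id": "ADV-EXAMPLE-0001", "fixed_in": "2.15.0"}}

def version_tuple(v):
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))

def dependency_paths(sbom, root):
    """Return every root-to-leaf path through the dependency graph."""
    edges = {d["ref"]: d["dependsOn"] for d in sbom["dependencies"]}
    def walk(ref, path):
        path = path + [ref]
        children = edges.get(ref, [])
        if not children:
            yield path
        for child in children:
            yield from walk(child, path)
    return list(walk(root, []))

def affected_components(sbom, advisories, root="app"):
    """Map advisory id -> human-readable paths that reach an affected component."""
    comps = {c["bom-ref"]: c for c in sbom["components"]}
    hits = defaultdict(list)
    for path in dependency_paths(sbom, root):
        for ref in path:
            comp = comps[ref]
            adv = advisories.get(comp["name"])
            if adv and version_tuple(comp["version"]) < version_tuple(adv["fixed_in"]):
                hits[adv["id"]].append(" -> ".join(comps[r]["name"] for r in path))
    return dict(hits)
```

Running `affected_components(SBOM, ADVISORIES)` shows that the product is exposed through web-framework even though it never depends on logging-lib directly, which is the airbag-in-the-car situation described above.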
Despite the security concerns, the open source movement is gaining traction. According to Red Hat, IT directors expect their organization’s share of proprietary software to shrink from 45 percent to 37 percent over the next two years. Enterprise open source adoption is forecast to rise from 29% to 34%, while community-based open source adoption is expected to rise from 21% to 24%.
Open source is commonly used by IT professionals for emerging technology workloads such as artificial intelligence, edge computing, and containers. Part of the reason for this, according to Wysopal, is that businesses have been learning from large-scale security flaws.
According to Wysopal, the Veracode State of Software Security report from a few years ago indicated that 35 percent of code libraries in enterprise open source apps were vulnerable. Then there was the 2017 Equifax data breach, which exploited a Struts 2 flaw. The percentage has now dropped to 10%.