AppSec Security Leaders Share Best Practices for Protecting Open Source Applications
By Kunal Anand
Investigations following the Equifax breach revealed that a vulnerability in the Apache Struts 2 framework was the door hackers exploited to access the private financial data of 143 million consumers. The kicker? Equifax had a patch for the vulnerability two months before the hack, but never got around to installing it.
For whatever reasons—and we know that often deploying a patch is a very complicated process that requires months or preparations—it had dire consequences. But, the fact remains, it’s something that happens in (and to) organizations every day. Many breaches that came before can be (and have been) traced back to latent vulnerabilities in commonly-used open source software (OSS); many more will probably follow.
The Equifax breach is only the latest incident to shed light on the challenges associated with securing open source software. It has resurfaced and renewed an extremely important application security conversation, one that ITSPmagazine, Prevoty, and a panel of security leaders contributed to during a webinar titled: “Application Security in an Open Source World.”
In a poll conducted during the webinar, 75 percent of the participants said most of their enterprise apps rely in part of open source components.
“Speed to market requires that you really can’t move forward without open source. You need it to meet the deadlines that are put on app development teams,” said Andy Wickersham.
“I’ve heard folks suggest that we should stop using open source software. I just don’t see how that’s possible, at least not at a large enterprise,” added Rob McCurdy. “But let’s say you could do that. Is that really fixing the problem? Are you really going to write code that is more secure? Do you have the ability to write 100 percent secure code?”
OSS provides a significant advantage for many organizations. Ready-made software solutions for common computing problems that are available without licensing fees are a benefit for all. But organizations need a new approach to mitigate the risks of incorporating OSS code into their critical applications.
“We need to do a better job of inventory management,” said Kunal Anand. We need better visibility from inside the applications. Dependency checking needs to improve.”
There is no magic wand that can automatically secure applications 100 percent. Still, organizations need to take this risk serious and look at deploying an in-depth defense to fend off potential attacks. To learn what steps security leaders across industries are taking to make sure their applications that leverage OSS are secure, watch or listen to the webinar.
Prefer to see some pretty slides while you listen to the experts? Great! You can watch the webinar on Prevoty's website here: https://www.prevoty.com/webinar-application-security-in-an-open-source-world