Open source software is everywhere. It is pervasive, in every sector, with 99% of software projects containing an open source component. And the reason is that open source is an enabler of innovation. It helps developers collaborate and build better software, faster. Innovation is table stakes for every industry and developing software that can help businesses thrive is an imperative, not a nice-to-do.
Nigel Abbott is Regional Director North EMEA at GitHub.
Added to that, at risk of stating the obvious, security is a major - and urgent - priority. A recent PwC report reveals that, in part due to the rapid shift to digital technologies expedited by the pandemic, security has taken on a new emphasis. It found that 50% of UK organizations said “cybersecurity will be baked into every business decision”.
With companies turning to open source in huge numbers to spur innovation, and needing to do so securely, it seems counter-intuitive that the misconception persists that open source is less secure than proprietary software simply because it is open to anyone who wants to use it.
However, as recently as last year Red Hat research showed that the biggest barrier to enterprise adoption of open source is perceived security issues.
In reality, this couldn’t be further from the truth.
Open source security
In fact, further research from this year actually found that security is regarded as a top benefit for enterprises using open source. The open source community’s collective responsibility for developing and maintaining secure code makes it more securable than proprietary code, not less. With open source not only are there more developers involved in identifying and fixing security issues, but they are eager to advertise their contributions and incentivized to find and fix flaws before going live. The adage that “many eyes make for shallow bugs” really rings true.
Whether businesses know it or not, they are almost certainly using open source in their development process. It is vital that they know what software their organization is consuming, commit to enhancing the security of their entire operation, and put in place the right development processes to support that.
While open source offers major security advantages, it is true that organizations can take a more progressive approach to integrating security into open source development, and increase their speed of innovation in the process.
When businesses make the decision to adopt an integrated approach to open source security, they put themselves in the driving seat. Putting in place a progressive and inclusive “DevSecOps” process – that is, integrating security into every step of the DevOps journey rather than bolting security on to the end of the development cycle – means they are not only in a better position to protect the entire business, but productivity and efficiency increase markedly. For example:
- Sophisticated DevSecOps tools allow enterprises to scan code as it’s created to get accurate, actionable security reviews within the developer workflow. And it is not just open source code that is put under scrutiny - their own in-house code is also scanned.
- Security issues are revealed in pull requests as part of the code review process, preventing new vulnerabilities. It is easier to identify high-priority, exploitable security issues in your code, and you can view your exposure across your codebases and focus on the vulnerabilities that matter. This is vastly superior to simply tacking on a security review process at the end, which slows development down and makes it more costly to fix security vulnerabilities.
- It is simple to create custom queries to easily find and prevent variants of new security concerns and you can integrate third party scanning engines to view results from all your security tools in a single interface - and export results through a single API.
- And importantly, fully embracing the open source security tools available delivers developers what they want. As well as the tools increasing productivity, developers thrive in a shared community culture. They want to solve problems with like-minded developers, upskill and learn. Open source provides that shared purpose and community.
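As an added illustration of the pull-request-integrated scanning described in the list above (an example configuration written for this page, not code from the original article or from GitHub), here is a GitHub Actions workflow that runs CodeQL code scanning on every pull request, extends it with a repository-local custom query directory, and uploads a third-party scanner's SARIF output so all findings appear in the same code scanning view. The custom query path and the third-party scanner command are placeholders; the language selection is assumed.

```yaml
# .github/workflows/code-scanning.yml (added example, not from the article)
name: Code scanning on pull requests

on:
  pull_request:
    branches: [main]
  push:
    branches: [main]

permissions:
  contents: read           # least privilege: the job only reads the repository
  security-events: write   # required to upload findings to code scanning

jobs:
  codeql:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Initialise CodeQL for the repository's language (assumed here) and add
      # a repository-local directory of custom queries (placeholder path) so
      # variants of a known issue are caught on every pull request.
      - uses: github/codeql-action/init@v3
        with:
          languages: javascript
          queries: security-extended,./.github/codeql/custom-queries

      - uses: github/codeql-action/autobuild@v3

      # Findings surface as checks and annotations on the pull request itself.
      - uses: github/codeql-action/analyze@v3

  third-party-scanner:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Placeholder for any scanner that can emit SARIF; replace with the
      # real command for the engine in use.
      - run: ./run-my-scanner --output results.sarif   # hypothetical command

      # Upload the SARIF so its findings sit alongside CodeQL's in the same
      # interface and are reachable through the same code scanning API.
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
```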
Open source should be viewed as a route to helping organizations boost software security. But there is much more to be gained from a forward-looking DevSecOps strategy. A progressive and integrated approach to security helps organizations make a cultural shift that increases transparency, makes problem solving easier and boosts collaboration. As well as protecting a business, it can rapidly increase the pace of innovation.