Abstract: The rapid adoption of open-source software (OSS) in enterprise and cloud-native applications has revolutionized the technology landscape, offering unprecedented innovation and agility. However, this proliferation comes with significant security challenges, particularly in managing vulnerabilities within OSS components, including outdated or abandoned ones. We explore the current state of OSS usage in enterprises, the associated security risks, strategies to address these challenges, and why “shift-left” alone is not enough. We also examine how companies like Kosai are innovating solutions to help organizations secure their software supply chains effectively.
Introduction
The digital transformation wave has propelled enterprises toward cloud-native architectures and practices, embracing open-source software as a cornerstone for innovation and efficiency. Open-source software (OSS) offers a collaborative environment where developers can leverage existing codebases to accelerate development cycles and introduce cutting-edge features. However, as OSS becomes increasingly integral to enterprise applications, it brings forth complex security concerns that organizations must address to safeguard their operations and data.
The State of Open Source in Enterprise Applications
Open-source software has become ubiquitous in modern enterprise applications. According to Synopsys’s 2023 Open Source Security and Risk Analysis (OSSRA) report, approximately 97% of the codebases analyzed contained open-source software. Other studies indicate that over 75% of enterprise codebases comprise OSS components, with the average application incorporating over 500 different open-source projects. This extensive adoption is driven by the need for rapid innovation, access to a broad range of functionalities, and the collaborative improvement inherent in open-source communities. This is only accelerated by the adoption of artificial intelligence (AI) co-pilot-like development tools, which have been trained, in many cases, on open-source code.
The surge in technologies like AI, augmented reality, and blockchain has further entrenched OSS in enterprise strategies. These technologies often originate and evolve within open-source communities, making OSS adoption essential for organizations aiming to stay at the forefront of technological advancement. We will be keeping an eye on these developments as we steam towards Salt Lake City and KubeCon CloudNativeCon NA 2024, where working groups are actively working on AI and more than 20 sessions on the topic will be held.
Challenges of Managing Open Source Vulnerabilities
While OSS provides significant benefits, it also introduces substantial security risks. One of the primary concerns is the management of known vulnerabilities within OSS components, particularly in outdated or unmaintained projects, a phenomenon often referred to as “abandonware.” In a discussion with Jonathan Simkins, the CEO of Kosai (full video below), we covered:
- Proliferation of Vulnerabilities: A staggering 84% of enterprise codebases contain at least one known open-source vulnerability. Alarmingly, 74% of these are classified as high-risk, a sharp increase from 48% just a few years prior.
- Abandonware Risks: Approximately 91% of enterprise applications utilize outdated or abandoned OSS components. These components no longer receive updates or security patches, leaving them susceptible to exploitation with no forthcoming fixes.
- Supply Chain Complexity: The extensive use of OSS has complicated the software supply chain, making it difficult for organizations to track, manage, and secure every component effectively.
The Difficulty of Securing Abandonware
Abandonware presents a unique challenge. Unlike maintained OSS projects, where active communities or organizations provide updates and security patches, abandonware lacks ongoing support. Organizations relying on such components are left vulnerable: they cannot expect timely patches for newly discovered vulnerabilities, so they must either spend much of their time patching the vulnerabilities themselves or find other ways to mitigate them.
The difficulty is compounded by regulatory requirements and customer expectations that mandate robust supply chain management and security practices. Enterprises must ensure that every component within their applications, including OSS, meets stringent security standards, a nearly insurmountable task when dealing with unsupported software.
Solving the CVE Problem: Strategies and Innovations
Addressing the vulnerabilities in OSS, particularly abandonware, requires a multifaceted approach:
- Rigorous Security Practices: Organizations must implement comprehensive security policies that encompass OSS. This includes regular code reviews, vulnerability scanning, and adopting a proactive stance on security updates.
- Leverage Commercial Support: Enterprises should engage with vendors offering commercial support for OSS components when possible. This ensures access to timely updates and security patches.
- Utilize Advanced Security Tools: Adoption of Application Security (AppSec) tools designed explicitly for OSS, such as Software Composition Analysis (SCA) tools, can help identify and manage vulnerabilities effectively.
- Establish Open-Source Program Offices (OSPOs): An OSPO can centralize the management of OSS usage within an organization, ensuring consistent policies, compliance, and engagement with OSS communities.
- Community Engagement: Contributing back to OSS projects not only fosters goodwill but can also influence the prioritization of security fixes for components critical to the enterprise.
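As an added illustration (not code from this article or from Kosai) of how an SCA-style check separates “this needs a patch” from “nobody is going to ship a patch,” the script below scores a constructed component inventory against a constructed advisory list, flagging components that are both vulnerable and apparently abandoned. The package names, versions, release dates, advisory identifiers and the two-year abandonment heuristic are all assumptions made up for the example.

```python
import json
from datetime import date

# Constructed sample inventory in a minimal CycloneDX-like shape (not a real SBOM).
SBOM_JSON = """{
  "components": [
    {"name": "left-widget", "version": "1.2.0", "last_release": "2018-03-01"},
    {"name": "fastjson-ish", "version": "2.4.1", "last_release": "2024-05-20"},
    {"name": "oldcrypto", "version": "0.9.3", "last_release": "2016-11-11"}
  ]
}"""

# Constructed advisory feed: package -> [(first fixed version, advisory id placeholder)].
ADVISORIES = {
    "left-widget": [("1.3.0", "ADVISORY-PLACEHOLDER-1")],
    "fastjson-ish": [("2.5.0", "ADVISORY-PLACEHOLDER-2")],
    "oldcrypto": [("0.9.0", "ADVISORY-PLACEHOLDER-3")],
}

ABANDON_YEARS = 2  # assumed heuristic: no release in this long -> treat as unmaintained


def parse_version(v):
    return tuple(int(p) for p in v.split("."))


def is_abandoned(last_release, today):
    y, m, d = (int(x) for x in last_release.split("-"))
    return (today - date(y, m, d)).days > ABANDON_YEARS * 365


def assess(sbom_json, advisories, today):
    """Return name -> {'vulns': [...], 'abandoned': bool, 'risk': str}."""
    report = {}
    for comp in json.loads(sbom_json)["components"]:
        vulns = [aid for (fixed_in, aid) in advisories.get(comp["name"], [])
                 if parse_version(comp["version"]) < parse_version(fixed_in)]
        abandoned = is_abandoned(comp["last_release"], today)
        if vulns and abandoned:
            risk = "critical"   # known vuln and no upstream fix to expect
        elif vulns:
            risk = "patch"      # known vuln, maintained upstream: upgrade
        elif abandoned:
            risk = "review"     # no known vuln yet, but nobody left to ship one
        else:
            risk = "ok"
        report[comp["name"]] = {"vulns": vulns, "abandoned": abandoned, "risk": risk}
    return report


def demo_report():
    # Fixed "today" so the constructed data scores the same on every run.
    return assess(SBOM_JSON, ADVISORIES, date(2024, 10, 1))
```

Running `demo_report()` sorts the three constructed components into critical (vulnerable and abandoned), patch (vulnerable but maintained) and review (abandoned, no known vulnerability), which is the triage a team needs before deciding where commercial support for an unmaintained component is worth buying.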
Kosai’s Approach to Open-Source Security
Kosai emerges as a pioneer in addressing the challenges of securing OSS, especially abandonware. Founded to “unleash the potential of open-source software by giving open-source maintainers the opportunity to live off their work and software developers the opportunity to rely on its security,” Kosai fills the gap between OSS producers and enterprise consumers.
Why Kosai’s Marketplace Approach is Unique:
- Supporting Abandoned OSS: Kosai offers commercial support for outdated and abandoned OSS components, ensuring that enterprises receive necessary security patches and updates even when the original maintainers are no longer active.
- Bridging the Gap: By acting as an intermediary, Kosai facilitates a solid connection between OSS communities and businesses, allowing for better communication, support, and mutual benefit.
- Alleviating Developer Burden: Kosai’s services help shift the responsibility of managing OSS vulnerabilities away from developers, who are often under pressure to deliver new features rapidly. This allows developers to focus on innovation rather than security maintenance tasks.
- Enhancing Supply Chain Security: With Kosai’s support, enterprises can strengthen their software supply chains by ensuring that all components, including those previously unsupported, meet security standards.
Our Recommendations for Enterprises and Vendors
To effectively manage OSS usage and security, enterprises and vendors should consider the following strategies:
- Adopt a Proactive Security Posture: Security should be integrated into every stage of the development lifecycle. This includes adopting DevSecOps practices and ensuring that security is a shared responsibility across teams.
- Invest in Security Training: Developers should receive ongoing training to stay updated on security best practices, emerging threats, and effective use of security tools.
- Implement Comprehensive Tooling: Utilize advanced security tools that provide visibility into OSS components, detect vulnerabilities, and automate remediation where possible.
- Foster a Security Culture: Encourage open communication about security challenges and promote a culture where security considerations are integral to decision-making processes. Saying “shift-left” is one thing, but supporting developers with tools and expertise is a must.
- Regularly Review and Update Policies: OSS usage policies should be periodically reviewed and updated to reflect the evolving threat landscape and technological advancements.
Our Perspective
The integration of open-source software into enterprise and cloud-native applications is both a boon and a challenge. While OSS accelerates innovation and development, it also introduces significant security risks that cannot be ignored. Enterprises must adopt comprehensive strategies to manage these risks, particularly those associated with outdated or abandoned OSS components.
Vendors, like Kosai and others, play a crucial role in bridging the gap between OSS maintainers and enterprise users, providing support where none existed before. By leveraging such partnerships and adopting best practices in security and OSS management, enterprises can harness the full potential of open-source software while maintaining robust security postures.
The ability to innovate securely is paramount in the rapidly evolving digital landscape. Enterprises that effectively navigate the complexities of OSS security will be better positioned to capitalize on technological advancements and maintain a competitive edge.