
Open Source Flaw Management Shows Signs of Improvement: Report | Software


By Jack M. Germain

Apr 30, 2019 1:16 PM PT

Almost two years after the infamous Equifax breach, many organizations still struggle to identify and manage open source risk across their application portfolios.

Meanwhile, the latest report tracking open source security shows a 40 percent rise in the average number of open source components detected in each codebase analyzed. The scanned software includes commercial applications.

Black Duck by Synopsys on Tuesday released its annual Open Source Security and Risk Analysis, which examines the open source audit results of scanned codebases to identify insightful trends and patterns in open source usage. The report also looks at the prevalence of insecure open source components and software license risk.

Titled “Understanding Open Source Risk and Why It’s So Important to Manage,” the report compiles research backed by the Synopsys Cybersecurity Research Center (CyRC). It provides an in-depth look at the state of open source security, license compliance and code-quality risk in commercial software.

The CyRC Belfast team examined findings from the anonymized data of more than 1,200 commercial codebases reviewed by the Black Duck Audit Services team in 2018. The 17 industries represented in the report range from aerospace to virtual reality. The audit services team reviewed an average of 71 codebases per industry during 2018.

Alongside the continued growth of open source components in commercial codebases, the report finds that many of the open source vulnerabilities detected were first disclosed more than a decade ago.

The percentage of codebases containing vulnerable components has decreased, the report notes. The percentage of codebases containing license conflicts also has decreased.

The least surprising trend identified is that open source adoption has continued to rise, and the majority of codebases contain more open source than proprietary code, according to Tim Mackey, senior technical evangelist at Synopsys.

“One trend that is concerning is that the majority of codebases (60 percent) contain at least one vulnerable open source component, and 40 percent contain at least one high-risk vulnerability. Similarly, open source license compliance continues to be a challenge, with 68 percent of codebases containing some form of open source license conflict,” he told LinuxInsider.

Results Highlights

Audits found open source in more than 96 percent of codebases scanned in 2018. That percentage is similar to the figures from the last two OSSRA reports.

Most of the codebases that contained no open source consisted of fewer than 1,000 files. More than 99 percent of the codebases scanned in 2018 with more than 1,000 files contained open source components.

In most industries, the year-to-year difference in the percentage of codebases containing open source was negligible, according to the report. The audited codebases generally were from companies whose business is building software rather than from enterprises for whom software supports their main business.

The audits found, on average, 298 open source components per codebase in 2018 versus 257 in 2017. Open source represented 60 percent of the code analyzed in 2018, up from 57 percent in 2017.

“The main takeaway from this report is that the security and license compliance risk associated with the use of open source is very real, but it is a risk that can be managed with a proactive open source governance policy, automated tools like software composition analysis and an effective patching strategy,” said Mackey.

Encouraging Indications

This year’s report shows signs of an improving situation. There definitely are encouraging data points suggesting the industry may be turning the corner in terms of organizations’ ability to manage open source risk, noted Mackey.

For example, while 60 percent of codebases contained at least one vulnerable open source component, that number is down significantly from the 78 percent observed in the 2018 OSSRA report, he said. Likewise, the 68 percent of codebases containing some form of open source license conflict is slightly better than the 74 percent seen in last year’s report.

“This is a good thing, as it shows how teams are continuing to leverage open source to accelerate innovation,” Mackey observed, “but more open source also means more open source risk that needs to be managed.”

Enterprise IT and corporate security workers should not be concerned that the rise in open source code may create greater security risks, suggested Tobie Langel, principal at consulting firm UnlockOpen.

“There is no reason to believe that open source software is inherently less secure than closed source software,” he told LinuxInsider. “However, when a security issue is found in open source software that is used across the industry, the impact can be greater, as it is ubiquitous.”

Sustaining and securing open source is the industry’s biggest challenge right now — but open source also is where the most innovation is happening.

“I am confident we will get there,” Langel said. “Open source is by far the most effective means of building software and innovating at scale, once we find the right set of solutions to provide long term maintenance. It will also be the most secure solution by far.”

Common Code Risk Critical

Numerous components were commonly used across different codebases, researchers found. For example, jQuery, open source software using the permissive MIT License, was found in 56 percent of the scanned codebases and in virtually every industry covered in the OSSRA report.

Other notable open source components found in the scans include Bootstrap, an open source front-end Web framework; jQuery UI, a curated set of user interface interactions, effects, widgets and themes built on the jQuery JavaScript Library; and Font Awesome, an open source font and icon toolkit based on CSS and LESS.

Despite using so much open source, few companies accurately track the components they use in their code. Most lack the policies, processes and tools to keep up with the choices made by their developers, according to the report. As a consequence, all the good functionality that comes with open source also brings along a variety of risks.

“Open source libraries are a double-edged sword,” remarked Manish Gupta, CEO of ShiftLeft.

Widely used open source software tools are generally more stable and more robust than custom code, he told LinuxInsider, because they are deployed in a variety of environments and have been battle-tested.

Bugs and vulnerabilities potentially are reported and fixed much faster than in custom code that is used by only one organization. However, the documented system of CVEs means that attackers know how your libraries are vulnerable, Gupta cautioned, and they can create an exploit much more easily.

“This means that consumers of OSS must stay on top of patches, which is not always easy to do,” he said. “The security industry hasn’t provided effective solutions to the developers to deal with this dilemma. The tools merely tell developers which OSS libraries being used are vulnerable.”

Clarifying Risk From Use

A key takeaway in the report is the care it takes not to mischaracterize the findings as an attack on the use of open source technology itself. Open source is not less secure than proprietary code. Nor is it more secure.

All software has weaknesses that are potential vulnerabilities, whether the code is proprietary or open source, the report warns. Organizations that use open source must identify and patch those vulnerabilities themselves.

That management process is challenging, since most organizations have thousands of different pieces of software, ranging from mobile apps to cloud-based systems to legacy systems running on-premises. Software in general is a mix of commercial off-the-shelf packages, open source software and custom-built codebases — and vulnerabilities affect all of them, the report emphasizes.

“The use of any software comes with inherent risks, but open source software presents a few unique challenges,” said Mackey.

The first challenge concerns license obligations that can be opaque and easy to overlook compared to commercial software. The second challenge is the responsibility for identifying and patching open source security vulnerabilities, which falls solely on the organization using the software.

“Commercial software vendors can proactively urge, or in some cases, force their customers to update or apply security patches,” Mackey said. “Managing open source security and license risk should be viewed as an accepted cost of otherwise free open source software.”

Attack Vectors Persistent

An alarming number of companies fail to patch the software they use, whether proprietary or open source, the report said. That makes them targets.

Unpatched software vulnerabilities are one of the biggest cyberthreats organizations face. Unpatched open source components in software add to security risk. Certain characteristics of open source make vulnerabilities in popular components attractive to attackers.

Makers of commercial software can push fixes, patches and updates to users automatically. Open source has a pull support model. That makes the users responsible for keeping track of both vulnerabilities and fixes for the open source software they use.

The pervasiveness and ubiquity of open source pose management tasks that extend far beyond many organizations’ capabilities, since they do not manually track components, their versions and their vulnerabilities, according to the report.

Assistance Required

Organizations using open source must establish management strategies to identify and patch known vulnerabilities in open source components, notes the report. Vulnerabilities are disclosed through sources such as the National Vulnerability Database (NVD), mailing lists, GitHub issues and project homepages.

The widespread use of open source makes it imperative for organizations to keep accurate, comprehensive and up-to-date inventories of the open source components used in their applications. An incomplete inventory makes it extremely difficult to maintain adequate software asset management procedures, according to the report.
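The workflow the report and its interviewees keep returning to (inventory the open source you ship, match it against disclosed vulnerabilities, and check licenses against a policy, the two findings behind the 60 percent and 68 percent figures quoted earlier) in miniature, as an added example that is not part of this article and is not Black Duck or Synopsys code. Everything in it is constructed: the CycloneDX-style SBOM, the library names, the vulnerability feed (the VULN-000x identifiers are placeholders, not real CVEs) and the license policy stand in for a real inventory, the NVD feed and an organization’s own rules.

```python
"""Minimal software composition analysis (SCA) pass over an SBOM.
Added example for this article, not code from the OSSRA report or Black Duck/Synopsys.
All inputs are constructed: the CycloneDX-style SBOM, the vulnerability feed
(VULN-000x are placeholders, not real CVE ids) and the license policy stand in for
a real inventory, the NVD feed and an organization's own rules."""
import json
import re
from collections import namedtuple

Component = namedtuple("Component", "name version license")  # license: SPDX id or "UNKNOWN"

# Constructed CycloneDX-style inventory. libalpha appears twice on purpose: a
# transitive dependency pinned at two versions is common in real SBOMs.
SAMPLE_SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "libalpha", "version": "1.3.0", "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "libalpha", "version": "2.1.0", "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "libbeta", "version": "2.9.7", "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    {"type": "library", "name": "libgamma", "version": "4.0.1", "licenses": []}
  ]
}"""

# Constructed feed. A record means: versions >= introduced and < fixed are
# affected, the half-open range in which NVD/OSV data is usually expressed.
VULN_FEED = [
    {"name": "libalpha", "introduced": "1.0.0", "fixed": "1.4.2", "id": "VULN-0001", "severity": "high"},
    {"name": "libalpha", "introduced": "2.0.0", "fixed": "2.1.0", "id": "VULN-0002", "severity": "medium"},
    {"name": "libbeta", "introduced": "0.0.0", "fixed": "3.0.0", "id": "VULN-0003", "severity": "critical"},
]

# Constructed policy for a proprietary, binary-distributed product: strong copyleft
# conflicts with closed distribution; anything unlisted goes to review, not silently through.
LICENSE_POLICY = {
    "deny": {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"},
    "allow": {"MIT", "Apache-2.0", "BSD-3-Clause"},
}
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def parse_version(text: str) -> tuple:
    """'1.10.2' -> (1, 10, 2); tuples compare numerically, so 1.10 > 1.9.
    A suffix such as '2rc1' keeps only its leading digits."""
    parts = []
    for segment in text.split("."):
        match = re.match(r"\d+", segment)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)

def load_sbom(text: str) -> list:
    """Turn a CycloneDX-style JSON document into Component records."""
    components = []
    for entry in json.loads(text).get("components", []):
        licenses = entry.get("licenses") or []
        spdx = licenses[0].get("license", {}).get("id", "UNKNOWN") if licenses else "UNKNOWN"
        components.append(Component(entry["name"], entry["version"], spdx))
    return components

def is_affected(component: Component, record: dict) -> bool:
    if component.name != record["name"]:
        return False
    version = parse_version(component.version)
    return parse_version(record["introduced"]) <= version < parse_version(record["fixed"])

def find_vulnerabilities(sbom: list, feed=VULN_FEED) -> dict:
    """{'name@version': [vuln ids]} for every component inside an affected range."""
    hits = {}
    for comp in sbom:
        ids = sorted(r["id"] for r in feed if is_affected(comp, r))
        if ids:
            hits[f"{comp.name}@{comp.version}"] = ids
    return hits

def license_findings(sbom: list, policy=LICENSE_POLICY) -> dict:
    """{'name@version': 'conflict: <id>' or 'review: <id>'} according to policy."""
    findings = {}
    for comp in sbom:
        key = f"{comp.name}@{comp.version}"
        if comp.license in policy["deny"]:
            findings[key] = f"conflict: {comp.license}"
        elif comp.license not in policy["allow"]:
            findings[key] = f"review: {comp.license}"
    return findings

def release_gate(sbom: list, feed=VULN_FEED, policy=LICENSE_POLICY, min_severity="high") -> bool:
    """The check a build step would run: fail on any vulnerability at or above
    min_severity, or on any license conflict."""
    threshold = SEVERITY_RANK[min_severity]
    for comp in sbom:
        if any(is_affected(comp, r) and SEVERITY_RANK[r["severity"]] >= threshold for r in feed):
            return False
    return not any(v.startswith("conflict") for v in license_findings(sbom, policy).values())

if __name__ == "__main__":
    inventory = load_sbom(SAMPLE_SBOM_JSON)
    print(len(inventory), "components;", find_vulnerabilities(inventory), license_findings(inventory))
    print("release gate:", "PASS" if release_gate(inventory) else "FAIL")
```

Run it as a script to print the findings, or import it and call release_gate() from a build step so that a high-severity match or a license conflict fails the pipeline. The version comparison is deliberately simple: real tools use ecosystem-specific schemes (semver, PEP 440, Maven) and match on CPE or package URL rather than a bare name, and that matching is where most false positives and negatives come from.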

The increase in open source vulnerability age, despite a decrease in the number of codebases containing open source vulnerabilities, is interesting, said Synopsys’ Mackey, “but our audits often reveal that organizations are tracking less than half the open source in use. You can’t patch what you aren’t aware of.”

Sample Solutions

One solution for organizations using open source code is to tap into readily available sources tracking vulnerabilities, suggested Gabriel Bianconi, founder of Scalar Research.

“Large projects often have mailing lists announcing bug fixes and vulnerabilities,” he told LinuxInsider. “There are several vendors providing software to monitor security risks in open source libraries and dependencies used by your company.”

More often than not, the biggest problem is that the company is using an outdated version of the codebase that does not contain the latest security patches.

“Professionals must ensure that their dependencies are consistently updated,” Bianconi said.

Breaking Breaches

“POODLE,” “Heartbleed” and “Spectre” are not just cute monikers for security vulnerabilities. They are very real and potentially dangerous holes, noted Steve Tcherchian, chief product officer at XYPRO.

When an application vulnerability is identified, it typically is followed by a patch or new version to remediate the vulnerability, he explained, and with the proliferation of free and open source software, this activity becomes critically important.

“Oftentimes procrastination takes over, and the application is not timely patched for a variety of reasons,” Tcherchian told LinuxInsider. “This now leaves the application wide open to a published, and in most cases, publicized vulnerability.”

As for how to change the mentality within a development organization to be more security-focused, education and reinforcement are key, Tcherchian said.

“Security cannot be left for the end. Introduce security into your development processes early and re-introduce them often,” he added.

More Action Needed

The report cites a conclusion by the U.S. Senate Permanent Subcommittee on Investigations declaring that Equifax’s lack of a complete software inventory was a contributing factor to its massive 2017 data breach.

A number of reliable strategies exist to ensure that open source components used in applications are up-to-date with crucial patches applied, noted Matt Wilson, chief information security advisor at BTB Security.

“The good news is that they aren’t terribly complicated. What is important is that teams are aware of what you run in your environment, which can be hard for less mature organizations,” he told LinuxInsider.

The process involves maintaining awareness of updates to the code you run, applying patches as quickly as possible, and ensuring you conduct regular testing of your application/environment as a catch-all, Wilson explained.

Several industries, such as government, healthcare and automotive, have started to adopt standards that require organizations to inventory and track their use of open source components in a software bill of materials, according to Synopsys’ Mackey.

“This is a good first step,” he said. “After all, you can’t manage risk you don’t know exists.”


Jack M. Germain has been an ECT News Network reporter since 2003. His main areas of focus are enterprise IT, Linux and open source technologies. He has written numerous reviews of Linux distros and other open source software.






Black Hole Image Has an Open Source Connection » Linux Magazine


Last week the whole world was stunned by seeing what had been unseen: a black hole. Scientists were able to create a picture of the supermassive black hole at the center of the galaxy Messier 87 (Virgo A). The black hole is more than 55 million light years away.

The first image of a black hole is the outcome of the Event Horizon Telescope (EHT) project, which created a virtual telescope as big as Earth by networking eight ground-based telescopes. The telescopes generated more than five petabytes of data. Collecting the data was only the first part of the puzzle: the team of scientists used imaging algorithms to fill the gaps in this data and reconstruct an image of the black hole.

TFIR reports that the team of scientists used three imaging algorithms for image processing, and two of these were fully open source Python libraries: Sparselab and ehtim.

Sparselab is a Python Library for Interferometric Imaging using Sparse Modeling.

ehtim is a Python module for simulating and manipulating VLBI data and producing images with regularized maximum likelihood methods.

The source code of both libraries is published on GitHub under the GNU GPLv3 license.




Chef Goes All Open Source » Linux Magazine


The Chef automation tool, a popular solution for DevOps IT management scenarios, has announced that it will become a 100% open source platform. In the past, the basic Chef application was available in open source form, but the company also provided several enhancements and add-on tools with proprietary licenses. Rather than building proprietary tools around an open source core, Chef will now open source all of its software under an Apache 2.0 license.

According to Chef CEO Barry Crist, “Over the years we have experimented with and learned from a variety of different open source, community, and commercial models, in search of the right balance. We believe that this change, and the way we have made it, best aligns the objectives of our communities with our own business objectives. Now we can focus all of our investment and energy on building the best possible products in the best possible way for our community without having to choose between what is ‘proprietary’ and what is ‘in the commons.’”

This move toward free software does not mean that Chef is changing its focus on commercial enterprise customers. Instead, the change underscores the modern reality that the enterprise is more about services than it is about code. The company has also announced a commercial version called Chef Enterprise Automation Stack that will combine the open-source software with enterprise-grade warranties, indemnifications, and support.




Best Open Source Tools for Staying on Top of Projects | Reviews


By Jack M. Germain

Apr 3, 2019 12:21 PM PT

The type of organizing tools you use to plan your projects can make your work routine more efficient and improve your productivity. A project management application is an essential tool in some business environments.

This week’s Linux Picks and Pans takes a deep dive into some of the best project management software solutions available for the Linux desktop. Project management applications are sophisticated and feature-rich. They duplicate some of the tools, and go beyond the best productivity features, found in our recent roundups highlighting Time-Tracking, Task Management/To-Do List and Personal Information Manager applications.

A key requirement for use of any project management planning tool is familiarity with Gantt charts and other types of chart displays. The Gantt concept is to design a graphical rendition of a project task-by-task with dependencies drawn into the tree and project milestones defined.

The Gantt chart is a project management standard developed in 1917 by Henry Gantt. In its most basic form, the Gantt chart shows tasks on a series of horizontal timelines. The timeline measures progress for either short-term or long-term intervals.

Several of the project management applications in this roundup include Gantt-style displays. Here are some other factors to consider in selecting project management software for the Linux OS:

  • How the application handles resource management
  • The application’s ease of use
  • How the software handles third-party integrations
  • What allowances the software makes for agile workflow and effective time-tracking

The applications included in this roundup are not presented in any ranked order. Some may be available in distro repositories. Other packages may be available only with manual installation.

Some of the open source products in this project management roundup provide the core feature bundle along with essential services for free. You may have to pay fees for extensions, more comprehensive service, and support packages.

Planner: No Nonsense Project Structuring

Planner is a project management tool based on the work breakdown structure (WBS) concept. Planner’s goal is to be an easy-to-use, no-nonsense project management application. It stores project data in XML files and can be printed to PDF or exported to HTML for easy viewing from any Web browser.


Screenshot: Planner. Binary releases are provided by the various Linux distributions.


The WBS approach provides a common framework for the natural development of the project’s overall planning and control. It is the basis for dividing work into definable increments. From that framework, you can create a workflow statement that includes technical, schedule, cost, and labor hour reporting.

This technique defines and organizes the total scope of a project. It lets you compartmentalize subordinate costs for tasks, materials, and such into their successively higher level “parent” tasks, materials, etc. For each element of the work breakdown structure, you generate a description of the task to be performed.

Planner is organized around the primary products of the project (or planned outcomes) instead of the work needed to produce the products (planned actions). It includes two major display components:

  • A Gantt chart lets you visualize the project in time segments. You can adjust the time needed for tasks or define dependencies between them with an intuitive drag-and-drop interface.
  • Task view shows the complete breakdown of your project along with the estimated cost and effort needed. This helps you spot assignment conflicts so you can rearrange schedules.

Other handy features help you track resource usage. You can print to a PDF file or export to HTML. Either way, Planner gives you a useful summary in a single file that you can send via email to project participants, who can view the report with a PDF viewer or a Web browser rather than an installed copy of the Planner application.

Binary releases are provided by the various Linux distributions. The last new release is version 0.14.6 in December 2011.

GanttProject: Packs Planning Power and Portability

GanttProject, compared to other project management tools for Linux, such as TaskJuggler and Planner, delivers fewer planning features. However, what it does have available may be all that you need if you are not in a large corporate setting.


Screenshot: GanttProject’s tool set offers a simplified approach to planning and controlling resources and schedules to meet a project’s objectives.


GanttProject’s toolset offers a simplified approach to planning and controlling resources and schedules to meet the objectives of a project. What you get is a variety of task building, project charting and milestone implementation tools. These come at you in a series of bars, graphs and charts.

A GPL open source application, it offers project scheduling as its main function. It is a file-based project management tool that comes with a good starting set of features, including resource management through resource load charts. It supports MS Project files and produces reports in PDF, spreadsheet and HTML formats for easy distribution to team members.

This basic feature set may not be the best solution for seasoned project managers looking for a management product that is not so limiting. Still, GanttProject is the go-to choice for small businesses that do not need high-end extra features found in other project management packages.

GanttProject’s user interface is structured clearly so it is easy to understand. Despite this ease of use, first-time project manager app users will need to familiarize themselves with how Gantt charts and similar tools function.

GanttProject lets you break down a project into a tree of tasks to assign available human resources to work on each task. This makes it easy to establish dependencies between tasks. This approach prevents you from starting one task until an essential prerequisite task is completed.

One of the nicest assets is GanttProject’s portability. You can export some or all of a project’s parameters in .xml format with ease. Also, you can import and export project information to and from MS Project files or text files.

Portability is simplified by the ability to export GanttProject charts as PNG images, or to generate PDF and HTML reports. Similarly, GanttProject can import projects from and export them to Microsoft Project formats. Round-tripping through another vendor’s format often loses or distorts data in large, data-heavy projects, so check the result after an import.

The latest version is 2.8.10, a DEB package for Ubuntu, Mint and other Debian-based Linux distributions. Java Runtime is not included in the package but is listed in the dependencies.

TaskJuggler Makes Balancing Project Tasks More Flexible

TaskJuggler uses a different approach to project management than traditional Gantt charts use. Its goal is to plan and track project details with more flexibility. It covers the complete spectrum of project management tasks and focuses on project scoping, resource assignment, and cost and revenue planning, as well as risk and communication management.


Screenshot: TaskJuggler’s flexible scheduling approach allows you to plan your project as you go.


TaskJuggler optimizes scheduling by computing your project timelines and resource assignments from the project outline and the constraints you provide. It does this using a built-in resource balancer and consistency checker. This helps you eliminate irrelevant details and alerts you if the project gets out of hand.

This flexible approach allows you to plan your project as you go. It is well suited to newer management strategies such as extreme programming and Agile project management.

Written in Ruby, TaskJuggler is easy to install and use. It does not need a graphical user interface. A command shell, a plain text editor (no word processor!) and a Web browser are all you need for your work.

TaskJuggler’s features include components to manage tasks, resources and accounts of your project. It includes a powerful to-do list management tool and a detailed reference manual. It also has advanced scheduling tools that include automatic resource leveling and task conflict resolution.

The scheduling process lets you use an unlimited number of baseline scenarios of the same project for what-if analysis, flexible working hours, and leave management. It also has support for shift work and multiple time zones.

Accounting issues are a key part of TaskJuggler. It tracks initial costs and finishing costs. It addresses resources through usage-based costs and resource base cost models. It supports profit/loss analysis.

TaskJuggler has scaling and enterprise features that let you combine related smaller projects with larger projects. It includes support for a central resource allocation database and manages roles and complex reporting lines.

TaskJuggler is a bit more modern than some of the other project managers in this roundup. Version 3.6.0 was released in March 2016.

OpenProj: A Microsoft Project Replacement

If you are familiar with MS Project and want a clone-like alternative for Linux, check out OpenProj. Its user interface is very similar. OpenProj opens existing MS Project files and is interoperable with Gantt Charts and PERT charts.


Screenshot: OpenProj makes it easy to define the project’s objectives and specify the work details.


OpenProj comes in three options: Community (free), Cloud and Enterprise. The features are more significant for the latter two options. The community version offers an impressive feature set and in many cases works well for individual and SMB use cases. More professional productivity features are available for users who subscribe to the Cloud and Enterprise Editions. Note that this tiered Community/Cloud/Enterprise offering is sold under the OpenProject name, a separate Web-based platform; the OpenProj desktop application itself has no Cloud or Enterprise edition.

OpenProj’s design is clean, uncluttered and well organized with an intuitive and easy-to-use graphical user interface. It comes with advanced feature tools. It covers essential business requirements: CRM, HRM and financial management, as well as workflows that can be set up for approval.

Like Planner, OpenProj supports the graphic view of work breakdown structure. Unlike other options in this roundup, OpenProj has no resource leveling function and cannot export data to a spreadsheet.

However, OpenProj makes it easy to define the project’s objectives and specify the work details. It is easy to analyze the required activities and create a detailed plan that shows how and when the project will provide the deliverables defined in the project scope.

Other components include time tracking, cost reporting and budgeting. Team members can create the project wiki to help manage project documentation, references, guidelines and user manuals.

This application started out as a Java-based open source project management tool developed in 2007. Serena Software acquired the product in 2008 and stopped its development; Micro Focus acquired Serena in May 2016. In 2012, the original creators of OpenProj forked the abandoned code and released ProjectLibre (see below).

OpenProj Version 1.4 is the latest release, updated on March 10, 2019. It is no longer compatible with MS Project, however. As far as I can tell, it is available only as an RPM package, so it is not readily available for every Linux distribution.

dotProject: Browser-Based MS Project Alternative

dotProject is a project management solution for small and mid-sized businesses that do not have to focus on extensive financial management issues as a part of tracking project processes. Its biggest advantage is an easy-to-use interface. Other pluses include the ability of multiple users to work collaboratively, which makes issue-tracking easier.


Screenshot: One of dotProject’s biggest advantages is its easy-to-use interface. (Image credit: LinuxHelp)


dotProject is a Web-based framework that includes modules for companies, projects, tasks (with Gantt charts), forums, files, calendar, contacts, tickets/helpdesk, multilanguage support, user/module permissions and themes.

It was developed originally as an open source replacement for Microsoft Project. It has a similar user interface plus additional project management functionality. Critics and reviewers regard dotProject as one of the best-maintained open source project management applications available. It has an intuitive browser-based interface and offers a full collection of advanced project management tools for multiple users, as well as time-tracking tools.

Task Management features include Task Description, Task Assigning, Project Scheduling and Task Duration. The application has nodal user permissions, discussion dashboards, Gantt charts, contact lists, file checkout, reporting, and user-based or list-based task features.

dotProject suffers from several potential drawbacks. One is the need for advanced expertise for installation. Another makes it less practical for small businesses and home users: It must run on a Web server and is not a standalone application.

The latest stable edition is version 2.1.8, released in July 2013.

ProjectLibre: Mapping the Critical Path

ProjectLibre is another open source alternative to Microsoft Project. ProjectLibre is compatible with Microsoft Project 2003, 2007 and 2010 files.


Screenshot: ProjectLibre uses a ribbon interface similar to MS Project’s, which helps new users transition to this alternative.


This is a free, open source desktop application written in Java, so it runs wherever a Java runtime is available. ProjectLibre is an ideal project management application for small to mid-sized businesses that have single project requirements.

An enterprise cloud version coming soon will be offered as a simple monthly subscription. The cloud version is best for teams and for managing multiple projects.

ProjectLibre uses a ribbon interface that allows users familiar with MS Project to transition easily to this alternative. For example, creating a project plan involves the same approach: List and indent a task list or apply a work breakdown structure.

The application supports setting durations, links, predecessors and resources in a similar manner to MS Project. Also supported are creating budgets and managing expenses.

ProjectLibre’s core functionality includes Gantt charts, network diagrams, work breakdown structure charts, resource breakdown structure charts, earned value costing and resource histograms. These are comparable to features in Microsoft Project.

ProjectLibre lets you set dependencies, create a project baseline, and use multiple calendars to define working and nonworking days for different resources. It also has reporting functionality, such as for displaying project details, resource information and task information.

Released under the Common Public Attribution License, ProjectLibre qualifies as free software.

The latest version, 1.8.0, was released in May 2018.

Bottom Line

Project management applications for Linux offer an overlapping range of features and user interfaces. I deliberately avoided ranking these Linux products. I also suspended the usual star rating for each one in this roundup.

Project Management software for Linux, much like Time-tracking, Task Management and To-Do List software for Linux, is increasingly overshadowed by cloud services. That is one reason open source applications available for the Linux platform lack many new non-cloud contenders.

Most of the open source products in this roundup are available for Windows and Mac computers as well. Even the Web-based open source project management platforms are available for free. With the exception of the Web-based products, they share one characteristic: None of them has a very recent new release.

Want to Suggest a Review?

Is there a Linux software application or distro you’d like to suggest for review? Something you love or would like to get to know?

Please email your ideas to me, and I’ll consider them for a future Linux Picks and Pans column.

And use the Reader Comments feature below to provide your input!








Is Open Source Becoming More Insecure? » Linux Magazine


According to a new survey by Sonatype, IT professionals are reporting an increase in security breaches in Open Source software.

According to the survey, breaches tied to open source software components increased 71% over a five-year period.

It could be interpreted in many ways. Is Open Source more insecure than proprietary software? Are more hackers targeting open source? It is neither. Open Source, by design, is more secure than proprietary software.

The blame for these breaches lies with companies like Equifax that fail to keep their software updated. Open Source projects are known for patching security holes and releasing fixes promptly, but ‘consumers’ of open source lack the best practices to keep their stack updated, and then try to put the blame on Open Source.

The fact is, open source, like any other software, is prone to bugs. Bugs are part of the software development process. However, the open source development model makes it extremely easy for users to patch any such holes without having to rely on the vendor.

Another interpretation is that there is an increase in breach not because open source is becoming more insecure, but because more and more companies are now using open source without actually adopting best practices that they should.

The survey quoted Jonas Manalansan, a cybersecurity engineer at Northrop Grumman: “Successful DevSecOps projects are able to bring security into the DevOps processes without slowing them down. All in all, DevSecOps delivers reduced cost, reduced development churn, and reduced application attack surface, which delivers higher ‘security and higher confidence to the organization’.”

So, in a nutshell, the increase in breaches reflects not a decline in open source security but an increase in the adoption of open source, and these users must embrace best practices.


