SYS-CON MEDIA Authors: Zakia Bouachraoui, Liz McMillan, Carmen Gonzalez, Roger Strukhoff, David Linthicum

Related Topics: Linux Containers, Java IoT, Industrial IoT, Open Source Cloud, Eclipse, Agile Computing

Linux Containers: Article

What Developers Need to Know About Open Source Vulnerability Management

As a resourceful developer, you’re not writing code from scratch anymore

As a resourceful developer, you're not writing code from scratch anymore. You probably have access to a vast amount of code you wrote at previous jobs, and a lot of your development probably relies at least in some part around third party or open source software. Every savvy developer knows their way around Sourceforge, Codeplex, or GitHub, and with access to readily available code that frees you up to tackle real challenges, there really is no downside to open source code.

Sure, you're probably aware that many open source projects have license obligations tied to them. And licenses are not generally written for developer consumption, so you may be part of a growing contingent of developers that doesn't care about them, but it's likely that your manager cares.

With the increasing complexity of software, organizations are more cognizant than ever about the potential pitfalls of including open source code in their products. Below are some quick tips to continue leveraging open source code, while keeping your manager and legal department happy.

1. Know What to Look For
Security and licensing (i.e., the specific permission of the original author of the open source code) are the two potential vulnerabilities that concern organizations the most. Depending on the type of business, export controls may also be on the radar. But for now we'll focus on the biggest two:

Security Vulnerabilities
Security vulnerabilities exist in both open source and proprietary software. And the exposure of the Heartbleed bug earlier this year illustrated how much heartache these issues can inflict. Here are a few things to keep in mind:

  1. When choosing an open source project, do some research to try and discern if there have been reports of any vulnerability in the code (the National Vulnerability Database (NVD) is a great resource for this).

  2. Always use the most recent version of a project (and preferably one that is actively maintained).

  3. Download projects from a reputable source such as the project's website, or a trustworthy code repository.

License Vulnerabilities
An open source license is the way the code author grants usage permission to the world at large, and dictates the terms under which the license can be used. Open source licenses generally fit into two categories: permissive and restrictive licenses. Permissive licenses such as MIT, BSD, or Apache generally have fewer restrictions on the redistribution of software. Restrictive or copyleft licenses, such as the GPL, place more restrictions on redistribution (e.g. asking you to contribute your derivative work to the open source community) and may require your work to be licensed under the GPL. You can speak to your organization's legal department for a crash course on different license types and what licenses are permitted in your organization, or take a look at various summaries available online.

Before incorporating an open source component in your project it's a good idea to take a look at what (if any) license terms are attached to it. This information can typically be found in a file called COPYING, license.txt or even in a readme file.

Here are three possible licensing scenarios you could encounter when using open source code:

  1. There is no license information available - you should probably avoid using these types of projects as they can cause all sorts of legal headaches for your organization.

  2. There is copyright information, but no license file - in this case, you will need to track down the creator(s) of the project and obtain their consent to use the code. This defeats the time-saving argument for using open source in the first place.

  3. The project has an explicit license - so the project is fair game right? Not so fast. You need to ensure that the license is acceptable for use in your organization. This brings me to the next point...

2. Know Your Boundaries
As open source has moved into the mainstream, many organizations have established formal policies and approval processes around the use of open source code. An open source policy establishes:

  1. Who the stakeholders are.

  2. What licenses are acceptable in an organization.

  3. Which vendors are approved.

  4. Whether or not you need to pre-approve an open source package before you use it.

  5. The steps to take once a policy violation has been detected.

If your organization does not have a formal policy in place, talk to your managers or legal department to see if any license types are off limits, or to find out if there is an existing list of pre-approved packages.

3. Know How to React
Equipped with some research on open source licensing and security vulnerabilities it's now time to decide what to do with this information. Here are a few options:

Do nothing. Use whatever open source packages you want and hope for the best. Quality assurance and legal teams will dislike you. You'll probably create more work for yourself by having to fix issues uncovered during testing, and repeat offenders should probably make sure their resumes and GitHub profiles are up to date, just in case.

Manually track open source packages. You'll be creating a little more work for yourself, but your managers will thank you. Check to make sure that the packages you are using have a license and that the license complies with your organization's policy. Consult the NVD to make sure the package doesn't contain security vulnerabilities. Make sure you commit this information along with your code.

Automate the tracking process. There are various tools available to automate open source package pre-approval and there are even background developer assistant tools that can automatically report on licensing and security issues as code is being developed. These tools can be digitally linked to the organization's policy as well as the NVD to accurately detect license and security vulnerabilities in real time.

By taking a proactive approach and getting involved in open source vulnerability management, you'll save yourself and your organization as a whole from running into roadblocks that stall the development process. Find out if your organization has a license policy and implement some vulnerability management tactics and start developing code worry free.

More Stories By Lacey Thoms

Lacey Thoms is a marketing specialist and blogger at Protecode, a provider of open source license management solutions. During her time at Protecode, Lacey has written many articles on open source software management. She has a background in marketing communications, digital advertising, and web design and development. Lacey has a Bachelor’s Degree in Mass Communications from Carleton University.

Latest Stories
Moroccanoil®, the global leader in oil-infused beauty, is thrilled to announce the NEW Moroccanoil Color Depositing Masks, a collection of dual-benefit hair masks that deposit pure pigments while providing the treatment benefits of a deep conditioning mask. The collection consists of seven curated shades for commitment-free, beautifully-colored hair that looks and feels healthy.
The textured-hair category is inarguably the hottest in the haircare space today. This has been driven by the proliferation of founder brands started by curly and coily consumers and savvy consumers who increasingly want products specifically for their texture type. This trend is underscored by the latest insights from NaturallyCurly's 2018 TextureTrends report, released today. According to the 2018 TextureTrends Report, more than 80 percent of women with curly and coily hair say they purcha...
The textured-hair category is inarguably the hottest in the haircare space today. This has been driven by the proliferation of founder brands started by curly and coily consumers and savvy consumers who increasingly want products specifically for their texture type. This trend is underscored by the latest insights from NaturallyCurly's 2018 TextureTrends report, released today. According to the 2018 TextureTrends Report, more than 80 percent of women with curly and coily hair say they purcha...
We all love the many benefits of natural plant oils, used as a deap treatment before shampooing, at home or at the beach, but is there an all-in-one solution for everyday intensive nutrition and modern styling?I am passionate about the benefits of natural extracts with tried-and-tested results, which I have used to develop my own brand (lemon for its acid ph, wheat germ for its fortifying action…). I wanted a product which combined caring and styling effects, and which could be used after shampo...
Steaz, the nation's top-selling organic and fair trade green-tea-based beverage company, announces its 2017 "Mind. Body. Soul." tour, which will bring authentic experiences inspired by the brand's signature Mind. Body. Soul. tagline to life across the country. The tour will inform, educate, inspire and entertain through events, digital activations and partner-curated experiences developed to support the three pillars of complete health and wellness.
The precious oil is extracted from the seeds of prickly pear cactus plant. After taking out the seeds from the fruits, they are adequately dried and then cold pressed to obtain the oil. Indeed, the prickly seed oil is quite expensive. Well, that is understandable when you consider the fact that the seeds are really tiny and each seed contain only about 5% of oil in it at most, plus the seeds are usually handpicked from the fruits. This means it will take tons of these seeds to produce just one b...
The platform combines the strengths of Singtel's extensive, intelligent network capabilities with Microsoft's cloud expertise to create a unique solution that sets new standards for IoT applications," said Mr Diomedes Kastanis, Head of IoT at Singtel. "Our solution provides speed, transparency and flexibility, paving the way for a more pervasive use of IoT to accelerate enterprises' digitalisation efforts. AI-powered intelligent connectivity over Microsoft Azure will be the fastest connected pat...
There are many examples of disruption in consumer space – Uber disrupting the cab industry, Airbnb disrupting the hospitality industry and so on; but have you wondered who is disrupting support and operations? AISERA helps make businesses and customers successful by offering consumer-like user experience for support and operations. We have built the world’s first AI-driven IT / HR / Cloud / Customer Support and Operations solution.
ScaleMP is presenting at CloudEXPO 2019, held June 24-26 in Santa Clara, and we’d love to see you there. At the conference, we’ll demonstrate how ScaleMP is solving one of the most vexing challenges for cloud — memory cost and limit of scale — and how our innovative vSMP MemoryONE solution provides affordable larger server memory for the private and public cloud. Please visit us at Booth No. 519 to connect with our experts and learn more about vSMP MemoryONE and how it is already serving some of...
Darktrace is the world's leading AI company for cyber security. Created by mathematicians from the University of Cambridge, Darktrace's Enterprise Immune System is the first non-consumer application of machine learning to work at scale, across all network types, from physical, virtualized, and cloud, through to IoT and industrial control systems. Installed as a self-configuring cyber defense platform, Darktrace continuously learns what is ‘normal' for all devices and users, updating its understa...
Codete accelerates their clients growth through technological expertise and experience. Codite team works with organizations to meet the challenges that digitalization presents. Their clients include digital start-ups as well as established enterprises in the IT industry. To stay competitive in a highly innovative IT industry, strong R&D departments and bold spin-off initiatives is a must. Codete Data Science and Software Architects teams help corporate clients to stay up to date with the mod...
As you know, enterprise IT conversation over the past year have often centered upon the open-source Kubernetes container orchestration system. In fact, Kubernetes has emerged as the key technology -- and even primary platform -- of cloud migrations for a wide variety of organizations. Kubernetes is critical to forward-looking enterprises that continue to push their IT infrastructures toward maximum functionality, scalability, and flexibility. As they do so, IT professionals are also embr...
Platform9, the leader in SaaS-managed hybrid cloud, has announced it will present five sessions at four upcoming industry conferences in June: BCS in London, DevOpsCon in Berlin, HPE Discover and Cloud Computing Expo 2019.
At CloudEXPO Silicon Valley, June 24-26, 2019, Digital Transformation (DX) is a major focus with expanded DevOpsSUMMIT and FinTechEXPO programs within the DXWorldEXPO agenda. Successful transformation requires a laser focus on being data-driven and on using all the tools available that enable transformation if they plan to survive over the long term. A total of 88% of Fortune 500 companies from a generation ago are now out of business. Only 12% still survive. Similar percentages are found throug...
When you're operating multiple services in production, building out forensics tools such as monitoring and observability becomes essential. Unfortunately, it is a real challenge balancing priorities between building new features and tools to help pinpoint root causes. Linkerd provides many of the tools you need to tame the chaos of operating microservices in a cloud native world. Because Linkerd is a transparent proxy that runs alongside your application, there are no code changes required. I...