SYS-CON MEDIA Authors: Yeshim Deniz, Elizabeth White, Liz McMillan, William Schmarzo, Dana Gardner

Related Topics: Linux Containers, Java IoT, Industrial IoT, Open Source Cloud, Eclipse, Agile Computing

Linux Containers: Article

What Developers Need to Know About Open Source Vulnerability Management

As a resourceful developer, you’re not writing code from scratch anymore

As a resourceful developer, you're not writing code from scratch anymore. You probably have access to a vast amount of code you wrote at previous jobs, and a lot of your development probably relies at least in some part around third party or open source software. Every savvy developer knows their way around Sourceforge, Codeplex, or GitHub, and with access to readily available code that frees you up to tackle real challenges, there really is no downside to open source code.

Sure, you're probably aware that many open source projects have license obligations tied to them. And licenses are not generally written for developer consumption, so you may be part of a growing contingent of developers that doesn't care about them, but it's likely that your manager cares.

With the increasing complexity of software, organizations are more cognizant than ever about the potential pitfalls of including open source code in their products. Below are some quick tips to continue leveraging open source code, while keeping your manager and legal department happy.

1. Know What to Look For
Security and licensing (i.e., the specific permission of the original author of the open source code) are the two potential vulnerabilities that concern organizations the most. Depending on the type of business, export controls may also be on the radar. But for now we'll focus on the biggest two:

Security Vulnerabilities
Security vulnerabilities exist in both open source and proprietary software. And the exposure of the Heartbleed bug earlier this year illustrated how much heartache these issues can inflict. Here are a few things to keep in mind:

  1. When choosing an open source project, do some research to try and discern if there have been reports of any vulnerability in the code (the National Vulnerability Database (NVD) is a great resource for this).

  2. Always use the most recent version of a project (and preferably one that is actively maintained).

  3. Download projects from a reputable source such as the project's website, or a trustworthy code repository.

License Vulnerabilities
An open source license is the way the code author grants usage permission to the world at large, and dictates the terms under which the license can be used. Open source licenses generally fit into two categories: permissive and restrictive licenses. Permissive licenses such as MIT, BSD, or Apache generally have fewer restrictions on the redistribution of software. Restrictive or copyleft licenses, such as the GPL, place more restrictions on redistribution (e.g. asking you to contribute your derivative work to the open source community) and may require your work to be licensed under the GPL. You can speak to your organization's legal department for a crash course on different license types and what licenses are permitted in your organization, or take a look at various summaries available online.

Before incorporating an open source component in your project it's a good idea to take a look at what (if any) license terms are attached to it. This information can typically be found in a file called COPYING, license.txt or even in a readme file.

Here are three possible licensing scenarios you could encounter when using open source code:

  1. There is no license information available - you should probably avoid using these types of projects as they can cause all sorts of legal headaches for your organization.

  2. There is copyright information, but no license file - in this case, you will need to track down the creator(s) of the project and obtain their consent to use the code. This defeats the time-saving argument for using open source in the first place.

  3. The project has an explicit license - so the project is fair game right? Not so fast. You need to ensure that the license is acceptable for use in your organization. This brings me to the next point...

2. Know Your Boundaries
As open source has moved into the mainstream, many organizations have established formal policies and approval processes around the use of open source code. An open source policy establishes:

  1. Who the stakeholders are.

  2. What licenses are acceptable in an organization.

  3. Which vendors are approved.

  4. Whether or not you need to pre-approve an open source package before you use it.

  5. The steps to take once a policy violation has been detected.

If your organization does not have a formal policy in place, talk to your managers or legal department to see if any license types are off limits, or to find out if there is an existing list of pre-approved packages.

3. Know How to React
Equipped with some research on open source licensing and security vulnerabilities it's now time to decide what to do with this information. Here are a few options:

Do nothing. Use whatever open source packages you want and hope for the best. Quality assurance and legal teams will dislike you. You'll probably create more work for yourself by having to fix issues uncovered during testing, and repeat offenders should probably make sure their resumes and GitHub profiles are up to date, just in case.

Manually track open source packages. You'll be creating a little more work for yourself, but your managers will thank you. Check to make sure that the packages you are using have a license and that the license complies with your organization's policy. Consult the NVD to make sure the package doesn't contain security vulnerabilities. Make sure you commit this information along with your code.

Automate the tracking process. There are various tools available to automate open source package pre-approval and there are even background developer assistant tools that can automatically report on licensing and security issues as code is being developed. These tools can be digitally linked to the organization's policy as well as the NVD to accurately detect license and security vulnerabilities in real time.

By taking a proactive approach and getting involved in open source vulnerability management, you'll save yourself and your organization as a whole from running into roadblocks that stall the development process. Find out if your organization has a license policy and implement some vulnerability management tactics and start developing code worry free.

More Stories By Lacey Thoms

Lacey Thoms is a marketing specialist and blogger at Protecode, a provider of open source license management solutions. During her time at Protecode, Lacey has written many articles on open source software management. She has a background in marketing communications, digital advertising, and web design and development. Lacey has a Bachelor’s Degree in Mass Communications from Carleton University.

Latest Stories
In today's always-on world, customer expectations have changed. Competitive differentiation is delivered through rapid software innovations, the ability to respond to issues quickly and by releasing high-quality code with minimal interruptions. DevOps isn't some far off goal; it's methodologies and practices are a response to this demand. The demand to go faster. The demand for more uptime. The demand to innovate. In this keynote, we will cover the Nutanix Developer Stack. Built from the foundat...
Big Switch's mission is to disrupt the status quo of networking with order of magnitude improvements in network e ciency, intelligence and agility by delivering Next-Generation Data Center Networking. We enable data center transformation and accelerate business velocity by delivering a responsive, automated, and programmable software-dened networking (SDN) fabric-based networking solution. Traditionally, the network has been viewed as the barrier to data center transformation as legacy networkin...
For far too long technology teams have lived in siloes. Not only physical siloes, but cultural siloes pushed by competing objectives. This includes informational siloes where business users require one set of data and tech teams require different data. DevOps intends to bridge these gaps to make tech driven operations more aligned and efficient.
Lori MacVittie is a subject matter expert on emerging technology responsible for outbound evangelism across F5's entire product suite. MacVittie has extensive development and technical architecture experience in both high-tech and enterprise organizations, in addition to network and systems administration expertise. Prior to joining F5, MacVittie was an award-winning technology editor at Network Computing Magazine where she evaluated and tested application-focused technologies including app secu...
Digital Transformation (DX) is a major focus with the introduction of DXWorldEXPO within the program. Successful transformation requires a laser focus on being data-driven and on using all the tools available that enable transformation if they plan to survive over the long term. A total of 88% of Fortune 500 companies from a generation ago are now out of business. Only 12% still survive. Similar percentages are found throughout enterprises of all sizes. We are offering early bird savings...
In his keynote at 19th Cloud Expo, Sheng Liang, co-founder and CEO of Rancher Labs, discussed the technological advances and new business opportunities created by the rapid adoption of containers. With the success of Amazon Web Services (AWS) and various open source technologies used to build private clouds, cloud computing has become an essential component of IT strategy. However, users continue to face challenges in implementing clouds, as older technologies evolve and newer ones like Docker c...
Daniel Jones is CTO of EngineerBetter, helping enterprises deliver value faster. Previously he was an IT consultant, indie video games developer, head of web development in the finance sector, and an award-winning martial artist. Continuous Delivery makes it possible to exploit findings of cognitive psychology and neuroscience to increase the productivity and happiness of our teams.
Only Adobe gives everyone - from emerging artists to global brands - everything they need to design and deliver exceptional digital experiences. Adobe Systems Incorporated develops, markets, and supports computer software products and technologies. The Company's products allow users to express and use information across all print and electronic media. The Company's Digital Media segment provides tools and solutions that enable individuals, small and medium businesses and enterprises to cre...
Hackers took three days to identify and exploit a known vulnerability in Equifax’s web applications. I will share new data that reveals why three days (at most) is the new normal for DevSecOps teams to move new business /security requirements from design into production. This session aims to enlighten DevOps teams, security and development professionals by sharing results from the 4th annual State of the Software Supply Chain Report -- a blend of public and proprietary data with expert researc...
CloudEXPO | DevOpsSUMMIT | DXWorldEXPO Silicon Valley 2019 will cover all of these tools, with the most comprehensive program and with 222 rockstar speakers throughout our industry presenting 22 Keynotes and General Sessions, 250 Breakout Sessions along 10 Tracks, as well as our signature Power Panels. Our Expo Floor will bring together the leading global 200 companies throughout the world of Cloud Computing, DevOps, IoT, Smart Cities, FinTech, Digital Transformation, and all they entail.
Eric Taylor, a former hacker, reveals what he's learned about cybersecurity. Taylor's life as a hacker began when he was just 12 years old and playing video games at home. Russian hackers are notorious for their hacking skills, but one American says he hacked a Russian cyber gang at just 15 years old. The government eventually caught up with Taylor and he pleaded guilty to posting the personal information on the internet, among other charges. Eric Taylor, who went by the nickname Cosmo...
ClaySys Technologies is one of the leading application platform products in the ‘No-code' or ‘Metadata Driven' software business application development space. The company was founded to create a modern technology platform that addressed the core pain points related to the traditional software application development architecture. The founding team of ClaySys Technologies come from a legacy of creating and developing line of business software applications for large enterprise clients around the ...
To Really Work for Enterprises, MultiCloud Adoption Requires Far Better and Inclusive Cloud Monitoring and Cost Management … But How? Overwhelmingly, even as enterprises have adopted cloud computing and are expanding to multi-cloud computing, IT leaders remain concerned about how to monitor, manage and control costs across hybrid and multi-cloud deployments. It’s clear that traditional IT monitoring and management approaches, designed after all for on-premises data centers, are falling short in ...
Most modern computer languages embed a lot of metadata in their application. We show how this goldmine of data from a runtime environment like production or staging can be used to increase profits. Adi conceptualized the Crosscode platform after spending over 25 years working for large enterprise companies like HP, Cisco, IBM, UHG and personally experiencing the challenges that prevent companies from quickly making changes to their technology, due to the complexity of their enterprise. An accomp...
DevOpsSUMMIT at CloudEXPO, to be held June 25-26, 2019 at the Santa Clara Convention Center in Santa Clara, CA – announces that its Call for Papers is open. Born out of proven success in agile development, cloud computing, and process automation, DevOps is a macro trend you cannot afford to miss. From showcase success stories from early adopters and web-scale businesses, DevOps is expanding to organizations of all sizes, including the world's largest enterprises – and delivering real results. Am...