SBOM adoptability in open source software scanning
Software developers routinely use open-source components to expedite the software
development process. Even when we apply the highest security standards to our proprietary code, these
open-source dependencies can expose us to a broad range of security and legal risks. We often
see in the industry that the security of open-source libraries is treated as solely the
responsibility of the application security and product teams.
We often rely on the application security team to perform SCA (software composition analysis) to
identify vulnerabilities and communicate with product and engineering teams to work on
remediation. However, we must adopt a holistic approach to dealing with open-source software.
We must have a policy of usage and a policy of remediation at the organization level. We should
have standards that specify how to set up and maintain repositories and libraries of open-source
software components that developers may use as part of a robust continuous
integration/continuous delivery (CI/CD) pipeline. We should incorporate security awareness training
that prioritizes the use of programming languages and frameworks with built-in
guardrails that proactively mitigate common types of vulnerabilities. We should have a strong
change management discipline to clean up archived and decommissioned code
repositories.
CISA is increasingly adding vulnerabilities in open-source libraries to the “Known
Exploited Vulnerabilities Catalog”. NIST has published guidelines on open-source
security controls against supply chain attacks.
Hence, we should adopt a holistic approach: create policies and standards, educate
developers to use trusted software components, and run a robust application security
program that is baked into DevOps to identify and report vulnerabilities. Combined with a
strong remediation policy to upgrade outdated and vulnerable software packages, this will help to
reduce the attack surface and the exposure to supply chain attacks.
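As an added illustration (not code from the session or the speaker) of how an SBOM can drive the scanning and remediation policy described above: the snippet below reads a constructed CycloneDX-style SBOM, matches each component's purl against a constructed vulnerability feed that marks KEV-listed entries, and applies an assumed remediation policy in which KEV listings outrank CVSS severity and decide whether the CI/CD gate fails. The SBOM contents, feed entries, vulnerability IDs and policy deadlines are all made-up sample data.

```python
import json
from datetime import date, timedelta

# Constructed CycloneDX-style SBOM (sample data, not a real project's SBOM).
SBOM_JSON = """{"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
  {"purl": "pkg:maven/org.example/xml-parser@2.14.1"},
  {"purl": "pkg:npm/example-util@4.17.21"},
  {"purl": "pkg:pypi/example-http@2.19.0"}]}"""

# Constructed vulnerability feed: package (purl without version), first fixed
# version, severity, and whether a KEV-style catalog lists it as exploited.
VULN_FEED = [
    {"id": "VULN-SAMPLE-1", "package": "pkg:maven/org.example/xml-parser",
     "fixed_in": "2.17.1", "severity": "critical", "kev": True},
    {"id": "VULN-SAMPLE-2", "package": "pkg:pypi/example-http",
     "fixed_in": "2.20.0", "severity": "medium", "kev": False},
    {"id": "VULN-SAMPLE-3", "package": "pkg:npm/example-util",
     "fixed_in": "4.17.0", "severity": "high", "kev": False},
]

# Assumed remediation policy: (days allowed to upgrade, fails the pipeline now?)
POLICY = {"kev": (7, True), "critical": (14, True), "high": (30, False),
          "medium": (90, False), "low": (180, False)}

def parse_version(v):
    # Assumes dotted numeric versions; non-numeric segments sort as 0.
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def evaluate_sbom(sbom_json, feed, today):
    """List every SBOM component still below the first fixed version, with the
    policy tier (KEV outranks CVSS severity), due date and build decision."""
    findings = []
    for comp in json.loads(sbom_json)["components"]:
        name, _, version = comp["purl"].rpartition("@")
        for vuln in feed:
            if vuln["package"] != name:
                continue
            if parse_version(version) >= parse_version(vuln["fixed_in"]):
                continue  # already on a fixed release: no finding
            tier = "kev" if vuln["kev"] else vuln["severity"]
            days, blocks = POLICY[tier]
            findings.append({"purl": comp["purl"], "id": vuln["id"], "tier": tier,
                             "upgrade_to": vuln["fixed_in"],
                             "due": today + timedelta(days=days),
                             "blocks_build": blocks})
    return findings

def pipeline_passes(findings):
    # Gate used by the CI/CD step: any blocking finding fails the build.
    return not any(f["blocks_build"] for f in findings)
```

In a real pipeline the SBOM would come from the build's SBOM generator and the feed from the organization's SCA tool and the KEV catalog; the policy table is where the organization-level remediation policy lives.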

Anitha Dakamarri
DFIN-Lead Security Engineer
Dallas, Texas, United States