SmartBear announced its acquisition of QMetry, provider of an AI-enabled digital quality platform designed to scale software quality.
Using open source software has many benefits for organizations. It fosters transparency and innovation, provides flexibility and customization, cuts cost on development and enables collaboration among other developers.
However, organizations could open themselves up to risks if the open source software isn't developed securely. According to a recent report, nearly three-quarters of all commercial codebases contain open source software with high-risk vulnerabilities. These vulnerabilities could lead to holes in the software supply chain for bad actors to exploit, risking malicious attacks and data breaches within organizations.
Vulnerabilities have become pervasive across the software supply chain, as have the malicious actors seeking to exploit them, prompting organizations to bolster security throughout the entire software development life cycle (SDLC) to protect their assets. This emphasis on security is particularly critical for those organizations involved in producing and distributing software that utilizes open source components.
Securely developing open source software is crucial for fostering community trust and ensuring safe, global accessibility while also promoting rapid innovation and maintaining legal compliance. Properly executed, it helps organizations see real measurable change in the health of software supply chains.
A Call for Open Source Security Standardization
A high-profile example of how a vulnerability in open source software can result in catastrophic impact is the Log4J incident. Dubbed "Log4Shell," one of the most widespread security vulnerabilities in recent years, Log4J's popular open source logging tool left millions of organizations susceptible to hackers infiltrating and taking total control of their systems. Organizations that were spared direct attacks scrambled to remediate their systems in late 2021, during a typically quiet period.
The vulnerability was even exploited by state-sponsored hackers to target US critical infrastructure and it was used by top ransomware groups LockBit and ALPHV/BlackCat in attacks. The effects were so devastating that years later, companies are dealing with the fallout, all because one open source link in the software supply chain was not secure.
However, identifying the risks within a software supply chain can be challenging. The best way to protect assets and ensure the integrity of the applications and development pipelines is to develop software with security in mind from the start. Failing to do so could have devastating effects.
There is a strong need for standardized security guidelines to enable open source software developers to prioritize security from the outset. Although the advantages of doing so are clear, building universally agreed-upon frameworks and implementing them at scale is a massive undertaking — one that has yet to be fulfilled.
In lieu of standardization, developers can adopt best practices for better software security. From risk assessment to secure coding practices, these principles can foster a proactive approach to mitigating vulnerabilities and enhancing overall software resilience, and act as a roadmap for developers to embed security into every stage of the software development life cycle.
Top 10 Secure Software Development Guiding Principles
Adopting robust guiding principles for secure software development can enhance both the security and transparency of the software supply chain. The following guidelines developed by the Open Source Security Foundation (OpenSSF) End Users Working Group, encourage software organizations to take responsibility for their consumption of open source software by focusing on activities with the greatest impact and providing a roadmap to implement supply chain security best practices.
1. Employ development practices that are in conformance with modern, industry-accepted secure development methods.
2. Learn and apply secure software design principles (such as least privilege).
3.Learn the most common kinds of vulnerabilities and take steps to make them unlikely or limit their impact.
4. Check for and address known and potential critical vulnerabilities prior to releasing software, then monitor for vulnerabilities subsequently throughout the supported life of the product.
5. Harden and secure your software development infrastructure against compromise or infiltration against the same principles, practices, and expectations set for the software developed on and built from them.
6. Prioritize the sourcing of software from suppliers and developers who also pledge to develop in conformance with the secure software development guiding principles, and from projects that publicly report security health metrics and adopt controls to prevent tampering of software packages, and that actively address known/discovered malicious software.
7. Provide software supply chain understandability to consumers of our software consistent with evolving industry standards, practices, and tooling.
8. Manage responsible vulnerability disclosure programs that are inclusive of upstream dependencies and have publicly documented vulnerability reporting and remediation policies.
9. Publish security advisories consistent with evolving industry best practices.
10. Actively collaborate with and participate in industry and regulatory initiatives related to securing the software supply chain, and evangelize adoption of the secure software development guiding principles among your industry peers.
As the benefits of using open source software are clear, developers need to find ways to create and use it safely to protect the whole software supply chain ecosystem. Developing with security in mind from inception and following the top 10 secure software development guiding principles will help increase transparency and security. Following these steps will put you on the path to ensuring you won't be impacted by the next Log4J — or worse — in the future.
Industry News
Red Hat signed a strategic collaboration agreement (SCA) with Amazon Web Services (AWS) to scale availability of Red Hat open source solutions in AWS Marketplace, building upon the two companies’ long-standing relationship.
CloudZero announced the launch of CloudZero Intelligence — an AI system powering CloudZero Advisor, a free, publicly available tool that uses conversational AI to help businesses accurately predict and optimize the cost of cloud infrastructure.
Opsera has been accepted into the Amazon Web Services (AWS) Independent Software Vendor (ISV) Accelerate Program, a co-sell program for AWS Partners that provides software solutions that run on or integrate with AWS.
Spectro Cloud is a launch partner for the new Amazon EKS Hybrid Nodes feature debuting at AWS re:Invent 2024.
Couchbase unveiled Capella AI Services to help enterprises address the growing data challenges of AI development and deployment and streamline how they build secure agentic AI applications at scale.
Veracode announced innovations to help developers build secure-by-design software, and security teams reduce risk across their code-to-cloud ecosystem.
Traefik Labs unveiled the Traefik AI Gateway, a centralized cloud-native egress gateway for managing and securing internal applications with external AI services like Large Language Models (LLMs).
Generally available to all customers today, Sumo Logic Mo Copilot, an AI Copilot for DevSecOps, will empower the entire team and drastically reduce response times for critical applications.
iTMethods announced a strategic partnership with CircleCI, a continuous integration and delivery (CI/CD) platform. Together, they will deliver a seamless, end-to-end solution for optimizing software development and delivery processes.
Progress announced the Q4 2024 release of its award-winning Progress® Telerik® and Progress® Kendo UI® component libraries.
Check Point® Software Technologies Ltd. has been recognized as a Leader and Fast Mover in the latest GigaOm Radar Report for Cloud-Native Application Protection Platforms (CNAPPs).
Spectro Cloud, provider of the award-winning Palette Edge™ Kubernetes management platform, announced a new integrated edge in a box solution featuring the Hewlett Packard Enterprise (HPE) ProLiant DL145 Gen11 server to help organizations deploy, secure, and manage demanding applications for diverse edge locations.
Red Hat announced the availability of Red Hat JBoss Enterprise Application Platform (JBoss EAP) 8 on Microsoft Azure.
Launchable by CloudBees is now available on AWS Marketplace, a digital catalog with thousands of software listings from independent software vendors that make it easy to find, test, buy, and deploy software that runs on Amazon Web Services (AWS).