Friday, 15 January 2021

Maintain source code repositories, open source libraries, and open source communities

Software developers use open source development platforms, such as Microsoft’s GitHub, to host code and manage software projects. These development platforms maintain source code repositories, open source libraries, and open source communities. Open source projects benefit from the support of foundations such as The Linux Foundation, Eclipse Foundation, OpenInfra Foundation, Apache Software Foundation, and GNU Project. OSS is available for the Linux kernel, OpenStack, Docker, Kubernetes, GNU Compiler Collection (GCC), and others.

Like so many things in life, OSS’s advantages can be exploited as disadvantages, and its strengths can be exploited as weaknesses. The 2020 Open Source Security and Risk Analysis Report from Synopsys found that 99 percent of the codebases it audited contained open source components and 49 percent contained high-risk vulnerabilities. While the community approach benefits OSS, it also provides an attack surface. OSS has many attack vectors, including intentional backdoors inserted by malicious developers, propagation of vulnerabilities through reuse, exploitation of publicly disclosed vulnerabilities, and human error.

Vulnerabilities often propagate as developers reuse OSS, enabling attacks on every piece of software that reuses the vulnerable component. Because open source vulnerabilities propagate this way, it becomes more difficult to ensure that patches are applied everywhere the component is used. “Using Components with Known Vulnerabilities” made the Open Web Application Security Project (OWASP) Top 10 Vulnerabilities for 2020. In addition, vulnerabilities are publicly disclosed in knowledge bases such as the National Vulnerability Database (NVD). These databases are intended to let developers and security researchers disclose and track vulnerabilities, but they can also serve as a resource for developing OSS exploits.
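As an added illustration (not part of the original post), the following Python walks a constructed dependency graph against constructed advisory records to show how a single vulnerable component surfaces through several reuse paths, and why patching it means patching every consumer. The package names, versions and CVE ids are placeholders, not real projects or advisories.

```python
# Added example: detect known-vulnerable components reached through transitive reuse.
# All package names, versions and CVE ids below are constructed placeholders.
from dataclasses import dataclass


def parse_version(v: str) -> tuple:
    """Turn "1.2.3" into (1, 2, 3) so versions compare numerically, not as strings."""
    return tuple(int(x) for x in v.split("."))


@dataclass(frozen=True)
class Advisory:
    # Field names mirror the kind of data an NVD/CVE record carries; values are constructed.
    cve_id: str       # placeholder id, not a real CVE
    package: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive upper bound)

    def affects(self, version: str) -> bool:
        v = parse_version(version)
        return parse_version(self.introduced) <= v < parse_version(self.fixed)


# Constructed dependency graph: (name, version) -> direct dependencies.
# "yaml-parser" is reused by two different libraries the application pulls in.
GRAPH = {
    ("webapp", "1.0.0"): [("web-framework", "2.3.1"), ("auth-lib", "4.0.2")],
    ("web-framework", "2.3.1"): [("yaml-parser", "1.1.4"), ("http-core", "3.2.0")],
    ("auth-lib", "4.0.2"): [("yaml-parser", "1.1.4")],
    ("yaml-parser", "1.1.4"): [],
    ("http-core", "3.2.0"): [],
}

# Constructed advisories; the second one is already fixed in the version we use.
ADVISORIES = [
    Advisory("CVE-XXXX-0001", "yaml-parser", "1.0.0", "1.2.0"),
    Advisory("CVE-XXXX-0002", "http-core", "3.0.0", "3.1.5"),
]


def find_known_vulnerable(root, graph=GRAPH, advisories=ADVISORIES):
    """Return {(cve_id, package, version): [reuse paths]} for every affected component
    reachable from root. Each path shows which intermediate library dragged it in."""
    findings = {}

    def walk(node, path):
        name, version = node
        for adv in advisories:
            if adv.package == name and adv.affects(version):
                key = (adv.cve_id, name, version)
                findings.setdefault(key, []).append(" -> ".join(f"{n}@{v}" for n, v in path))
        for dep in graph.get(node, []):
            if dep not in path:  # guard against dependency cycles
                walk(dep, path + [dep])

    walk(root, [root])
    return findings


if __name__ == "__main__":
    for (cve, pkg, ver), paths in find_known_vulnerable(("webapp", "1.0.0")).items():
        print(f"{cve}: {pkg}@{ver} reached via {len(paths)} path(s)")
        for p in paths:
            print("   ", p)
```

Each reported path is a separate place where the upgrade has to land; a fix that only bumps the version in one consuming library leaves the other path exposed.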
