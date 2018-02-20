Summary

Open source is amazing, and is here to stay, but it’s also a complicated beast when it comes to ownership, trust, and security. Unlike purchased software, once you download an open source library you are on your own. There is no vendor to notify you about issues, no commitments that vulnerabilities will be found or fixed, and nobody to sue to if you got hurt.

If you’re using open source (and you most certainly are), you need to take on the responsibility of keeping it secure. You must set up the tools and processes that will help you stay safe, and raise awareness of this risk throughout your organization. The 2017 Equifax breach serves as a very painful lesson of what could happen if you don’t.

While open source security is a broad topic, the most critical part of it is dealing with known vulnerabilities in open source libraries. This book suggested a framework for dealing with this risk, split into four steps:

Find the vulnerabilities in your dependencies

Fix the found issues quickly and efficiently

Prevent additions of new vulnerable libraries during dev

Respond to newly disclosed vulnerabilities in libraries you already use

These logical steps should hold true regardless of the tools you choose for addressing this problem, but I definitely suggest you leverage a Software Composition Analysis (SCA) solution to help you get them done. Each chapter points out various tool attributes to consider, tips on how to integrate them, and the trade-off you’ll need to make.

As mentioned in the introduction, this book didn’t cover the entirety of open source risk. I didn’t discuss open source tools and frameworks, barely mentioned legal risks, and definitely didn’t dive into potentially malicious libraries. The best practices in these areas are still being shaped, and I recommend participating in events like O’Reilly Security and DevSecCon to be a part of this evolution.

As open source continues to mature, I’m certain the practices and technologies for dealing with its risks will improve as well. Open source is created by the community, and that same community should participate in keeping it secure. In the meantime, make sure you are a responsible member of both this ecosystem and your organization, accept ownership for controlling the risk from the libraries you use, and stay secure!