Three ways security teams can foster open-source innovation

Today’s columnist, Ankur Shah of Palo Alto Networks, writes that SBOMs are an important component in fostering the innovation in open-source software promoted by the Biden administration and the security industry. (Photo by Alex Wong/Newsmakers)

The majority of applications in recent years have moved to the cloud, mostly from necessity — the necessity to ensure remote employees can access required tools and companies can stay competitive and agile. With analyst firm Gartner predicting that more than 95% of new cloud workloads will get deployed on cloud-native platforms by 2025 — up from 30% in 2021 — it’s clear that cloud apps and platforms are here to stay.

A few decades ago, when I was coding, the codebases I worked on were made of code predominantly developed by myself and my team. Since then there has been a shift: the average application now consists of 75% open-source components. Access to open-source software (OSS) has been central to the agile, cloud-native way of development. It lets developers build with greater speed and modularity — and without needing to reinvent the wheel each time they code. Unfortunately, major incidents such as the Log4j vulnerability and the Equifax breach have taught us that open-source software often contains known vulnerabilities.

Make open-source security a priority

Attackers are increasingly looking at code as a way to penetrate digital environments. Targeting open-source software appeals to bad actors because exploiting a single vulnerability can unleash widespread repercussions: one OSS attack can impact millions of users across hundreds of companies. Log4j, for example, had been downloaded across the globe millions of times before the vulnerability surfaced. It inevitably became every security team’s nightmare.

The Biden administration has since acted to protect against open-source software vulnerabilities by issuing guidelines requiring software producers that work with federal agencies to provide a software bill of materials (SBOM), so that the software can be checked for code integrity and screened for vulnerabilities.

Attacks like Log4j show the scale of the vulnerable open-source software problem, and because we rely so heavily on OSS today, we need to ensure it’s properly secured. As security professionals, we must equip developers with the security tools they need to confidently build applications with speed.

Why existing approaches to open-source security fall short

While software composition analysis (SCA) tools shift security left to scan for known vulnerabilities throughout the application lifecycle, many are point tools that lack the capacity to handle the interconnectedness and complexity of cloud-native applications. This can lead to costly remediation and delays in application deployment. And even if teams could sift through security findings to prioritize vulnerabilities, they’d still have an incomplete view of their open-source risks because many SCA solutions lack the depth of scanning to uncover all open-source risks.

There’s a major disconnect between developers integrating OSS into codebases and security teams trying to find and prevent vulnerabilities. OSS has become so widespread and complex that developers find even determining what OSS exists in a codebase a steep challenge.

Implement true code security

To overcome these challenges, organizations can follow a few best practices to ensure true code security:

  • Consolidate to create a context-aware approach: Adopt a consolidated security platform approach to addressing risk throughout the code, build, deploy, and run stages of the application lifecycle. Using the same intelligence stream to identify vulnerabilities delivers consistent and accurate visibility into all vulnerabilities in an environment, so that the most critical vulnerabilities are addressed first.
  • Strive for visibility and use developer-friendly tools: Open-source software is incredibly dependency-driven. It’s vital to have complete visibility across dependency trees to prevent vulnerabilities from going undetected or unfixed. Implement open-source security that can seamlessly integrate within the tools — such as integrated development environments (IDEs) and version control systems (VCSs) — that developers already use to offer feedback at the right time in the right place. Addressing vulnerabilities during development saves security teams triaging issues while sparing developers the headache of context switching down the line.
  • Actively maintain SBOMs: Continuously update and manage the codebase inventory (including open-source license and version information) of every application component used across codebases. If there’s a vulnerability, SBOMs are crucial because they list all the components in a codebase, the license details, and version history, which allows security teams to quickly identify any associated security risks.
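The SBOM practice above only pays off when the inventory is actually cross-referenced with vulnerability and license data. The following is an added example, not code from the column or from Palo Alto Networks, of that cross-referencing step: it parses a small SBOM in the CycloneDX JSON layout, matches each component's version against an advisory list using half-open version ranges, and flags licenses a policy disallows. The SBOM, the component names and versions, the advisory identifiers (`ADV-EXAMPLE-…`) and the license policy are all constructed for illustration.

```python
"""Minimal SBOM inventory check (added example, not from the column).

Parses a CycloneDX-style JSON SBOM (a constructed sample is embedded below)
and matches each component against a constructed advisory list, so a security
team can answer "which of our applications ship an affected version?" straight
from the inventory. Component names, versions, licenses and advisory IDs are
all made up for illustration.
"""
import json

# Constructed SBOM in the CycloneDX JSON layout (bomFormat / components / ...).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"name": "payments-api", "version": "3.2.0"}},
    "components": [
        {"type": "library", "name": "example-logging-lib", "version": "2.14.1",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "example-http-client", "version": "4.5.13",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "example-yaml-parser", "version": "1.26",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    ],
})

# Constructed advisories: affected range is [introduced, fixed), i.e. half-open.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "name": "example-logging-lib",
     "introduced": "2.0", "fixed": "2.15.0", "severity": "critical"},
    {"id": "ADV-EXAMPLE-0002", "name": "example-yaml-parser",
     "introduced": "1.0", "fixed": "1.27", "severity": "high"},
    {"id": "ADV-EXAMPLE-0003", "name": "example-http-client",
     "introduced": "4.0", "fixed": "4.5.0", "severity": "medium"},
]

# Licenses this hypothetical organization does not allow in shipped code.
DISALLOWED_LICENSES = {"GPL-3.0-only"}


def parse_version(v):
    """Split '2.14.1' into (2, 14, 1); non-numeric parts sort as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def version_in_range(version, introduced, fixed):
    """True if introduced <= version < fixed, comparing numerically by component."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)


def load_components(sbom_json):
    """Flatten the SBOM into one dict per component: name, version, license IDs."""
    bom = json.loads(sbom_json)
    inventory = []
    for c in bom.get("components", []):
        licenses = [entry.get("license", {}).get("id", "UNKNOWN")
                    for entry in c.get("licenses", [])]
        inventory.append({"name": c["name"], "version": c["version"],
                          "licenses": licenses})
    return inventory


def check_sbom(sbom_json, advisories=ADVISORIES, disallowed=DISALLOWED_LICENSES):
    """Cross-reference the inventory with advisories and the license policy.

    Returns findings sorted highest severity first, which is the triage order a
    security team would work through after a new advisory lands.
    """
    rank = {"critical": 0, "high": 1, "medium": 2, "low": 3, "policy": 4}
    findings = []
    for comp in load_components(sbom_json):
        for adv in advisories:
            if adv["name"] == comp["name"] and version_in_range(
                    comp["version"], adv["introduced"], adv["fixed"]):
                findings.append({"component": comp["name"], "version": comp["version"],
                                 "advisory": adv["id"], "severity": adv["severity"],
                                 "fix": adv["fixed"]})
        for lic in comp["licenses"]:
            if lic in disallowed:
                findings.append({"component": comp["name"], "version": comp["version"],
                                 "advisory": "license-policy:" + lic,
                                 "severity": "policy", "fix": None})
    findings.sort(key=lambda f: rank.get(f["severity"], 99))
    return findings


if __name__ == "__main__":
    for f in check_sbom(SAMPLE_SBOM):
        print(f"{f['severity']:<9} {f['component']}@{f['version']}  "
              f"{f['advisory']}  fix: {f['fix']}")
```

Run as-is it reports the logging library (critical, fix in 2.15.0), the YAML parser (high, fix in 1.27) and the YAML parser's license-policy violation; the HTTP client is inside the advisory's name but outside its version range and is correctly left alone. Real deployments would replace the constructed advisory list with a feed such as an OSV or vendor database and the string-splitting version parser with the ecosystem's own version semantics (semver pre-release tags, Maven qualifiers and so on), which the simplified `parse_version` above does not model.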

Open-source software has become essential for application development, but if there’s one lesson to take away, it’s that securing OSS has become more critical than ever as cloud-native applications have grown more popular and complex. By leveraging a consolidated approach that offers a holistic and continuous view of the application development lifecycle, organizations can achieve true code security and prevent OSS vulnerabilities from the start of development.

Ankur Shah, senior vice president, Prisma Cloud, Palo Alto Networks

Ankur Shah

Ankur has spent 16+ years bringing innovative security, collaboration and virtualization technologies to market. He is passionate about building products from the ground up into market leaders. He joined Palo Alto Networks through the acquisition of RedLock where he ran product management for securing public clouds. In his current role as a VP of products, he is responsible for driving product strategy, roadmap and execution for public cloud security. In his previous role, he built and led go-to-market efforts for the CASB solution at CipherCloud. Ankur has also held leadership positions at Symantec, Citrix and Cisco. He holds a B.S. in electrical engineering and an MBA from the UCLA Anderson School of Management.
