The open source development model is based on interactions among project developers, platform creators, and end-users. These interdependent, overlapping communities constitute a “triple fence” that keeps projects free of malicious and exploitable code. Ideally, communities work together to improve code quality over time – catching security flaws in the process.
The triple fence is an intriguing concept. Unfortunately, it's not clear that it's enough to secure open source projects, as the OpenSSL and bash incidents showed. In theory, many eyes look at open source code as it's developed. In practice, too many of these eyes are busy elsewhere, and too few are security savvy. What's missing is ongoing curation. Too few people maintain code that may be months or even years overdue for security review.
Open source code might be presumed mature, but it could rely on technology developed a decade earlier and might contain significant vulnerabilities. Open source security vulnerabilities arise from many causes, including misconfiguration by end users, programming errors, and short-sighted protocol design – all of which add to the difficulty of finding and remediating them.
How do you overcome this challenge? The key is ensuring use of the most current versions of open source project code and applying the most recent patches – a process I call “open source hygiene.” This assures your open source software code base comprises the most resilient code available. Visibility into where open source code “lives” within your stack makes this level of control possible.
With modern code bases comprising tens of millions of lines of code, automation is key to realizing the benefits of open source hygiene. While human oversight is necessary, truly effective open source hygiene comes from orchestrating automated scanning with build engines and continuous integration platforms.
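The two paragraphs above describe a process (know where open source components live, compare what you ship against the newest releases, and let the build fail when something is behind) without showing what the automated step looks like. The following is an added example written for this page, not code from the article or its author: a minimal hygiene check of the kind a CI job could run. It parses a pinned dependency manifest, compares each pin against an inventory of the latest known-good releases, and returns a non-zero exit code when anything is stale. The manifest contents, component names (`libfoo`, `widgetlib`, `oldparser`), version numbers and the `KNOWN_GOOD` inventory are all constructed for illustration; a real check would read the project's actual manifest and pull the inventory from a package registry or advisory feed.

```python
"""
Added example (not from the original article): a minimal open source hygiene
check suitable for a CI step. It reads a pinned 'name==version' manifest,
compares each pin against an inventory of the newest known-good releases, and
fails the build when any component is behind or unknown. All component names,
versions and the inventory below are constructed assumptions for illustration.
"""
import re

# Constructed sample manifest: three pinned components, one comment, one blank line.
SAMPLE_MANIFEST = """\
# constructed example manifest
libfoo==1.4.2
widgetlib==2.0.0

oldparser==0.9.1
"""

# Constructed inventory of the newest known-good release of each component.
# In practice this would come from a registry lookup or an advisory feed.
KNOWN_GOOD = {
    "libfoo": "1.4.2",
    "widgetlib": "2.1.3",
    "oldparser": "1.2.0",
}

# Accept only exact pins; anything looser (>=, ~=) is not reproducible and is rejected.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9A-Za-z.]*)\s*$")


def parse_version(text):
    """Turn '1.4.2' into (1, 4, 2); a non-numeric segment sorts lowest."""
    return tuple(int(piece) if piece.isdigit() else -1 for piece in text.split("."))


def parse_manifest(text):
    """Return {name: version} for every 'name==version' line, skipping comments and blanks."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing or full-line comments
        if not line:
            continue
        match = PIN_RE.match(line)
        if not match:
            raise ValueError(f"unsupported pin syntax: {raw!r}")
        pins[match.group(1).lower()] = match.group(2)
    return pins


def find_stale(pins, known_good):
    """Return [(name, pinned, latest)] for components behind the inventory.

    A component missing from the inventory is reported with latest=None: the
    check cannot vouch for it, so it is treated as a finding rather than ignored.
    """
    stale = []
    for name, pinned in sorted(pins.items()):
        latest = known_good.get(name)
        if latest is None:
            stale.append((name, pinned, None))
        elif parse_version(pinned) < parse_version(latest):
            stale.append((name, pinned, latest))
    return stale


def hygiene_report(manifest_text, known_good=KNOWN_GOOD):
    """Build the lines a CI step would print; return (lines, exit_code)."""
    stale = find_stale(parse_manifest(manifest_text), known_good)
    lines = []
    for name, pinned, latest in stale:
        if latest is None:
            lines.append(f"UNKNOWN {name}=={pinned}: not in inventory")
        else:
            lines.append(f"STALE   {name}=={pinned}: latest known-good is {latest}")
    return lines, (1 if stale else 0)


if __name__ == "__main__":
    import sys

    report, code = hygiene_report(SAMPLE_MANIFEST)
    print("\n".join(report) or "all pinned components current")
    # A non-zero exit fails the build, which is what wires hygiene into CI.
    sys.exit(code)
```

Run against the constructed manifest, the check reports `oldparser` and `widgetlib` as stale and exits 1; `libfoo` is already at the inventory version and is silent. Treating unknown components as findings rather than passing them is the design choice worth keeping: a component the inventory cannot account for is exactly the code whose location in the stack the article says you need visibility into.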