Episode 176: Security Alarms in Census II Open Source Audit. Also: The New Face of Insider Threats with Code42

In this week’s episode of The Security Ledger Podcast, sponsored* by Code42, we do a deep dive on the security implications of the recently released Census II audit of open source software. We’re joined in our first segment by Frank Nagle of Harvard University’s Laboratory for Innovation Science and Mike Dolan, the Vice President of Strategic Programs at The Linux Foundation. In our second segment: tools like Slack and Microsoft Teams are revolutionizing how workers collaborate and communicate, but they also make it easier than ever for careless employees or malicious insiders to abscond with sensitive information. Joe Payne, the CEO of Code42, joins us to talk about how the challenge of data breach prevention is changing.
But first: software is eating the world, as the saying goes, and these days much of that munching is happening courtesy of free and open source software. Since the open source software movement first got going in the early 1980s with the GNU Project, the use of open source has grown exponentially. Today, open source libraries and other components can be found in virtually every substantial software application in use.

Census II exposes OSS Security Debt

But the rapid and friction-less adoption of open source isn’t without a cost. Namely: security debt. Popular wisdom holds that the energy and attention of the crowd are sufficient to keep open source components secure and stable, but history has indicated otherwise: bugs like Heartbleed in the ubiquitous OpenSSL library opened the eyes of the security community to the fact that serious, exploitable holes may lurk in other widely used open source components. Surveying such a massive body of code is a Herculean task, however. Better to know which open source components are the most widely used and shared, and which pose the greatest security risks.

That’s why the folks at Harvard University’s Laboratory for Innovation Science and The Linux Foundation teamed up on the second open source Census, the first ever census to identify and measure how widely open source software is deployed within applications by private and public organizations. The goal was to draw a more complete picture of FOSS usage, including by analyzing usage data provided by partner Software Composition Analysis (SCA) companies. Their report, dubbed “Vulnerabilities in the Core,” and the recommendations it offers are a unique insight into the security challenges facing the open source community. To discuss their work, we invited Frank Nagle of Harvard Business School and Mike Dolan, the Vice President of Strategic Programs at The Linux Foundation, to talk about the Census II findings and what they mean for the larger project of securing open source code.

The New Face(s) of Insider Threat

Back in the Watergate era, stealing sensitive data was a cloak-and-dagger affair. The burglars hired to obtain sensitive strategy documents from the Democratic National Committee needed physical access to offices and file cabinets, and went equipped with flashlights, lock picks, and other implements to do the job. [Check out our previous conversation with Code42: “Rethinking Enterprise DLP”]
Joe Payne is the President and CEO of Code42
These days, sending out sensitive strategy documents is as easy as dropping a PDF or Word document into a Slack channel and clicking Send. The wholehearted embrace of the Internet and the growth of remote working and hosted application platforms has been a boon for organizations and productivity. But it has also created tricky problems for companies that want to maximize worker flexibility without losing track of critical or regulated data or valuable intellectual property. To talk about how companies are adapting to the challenges posed by these new tools and platforms, we invited Joe Payne, the President and CEO of Code42, an insider threat detection firm, into the Security Ledger studio. What’s needed, he argues, are better monitoring tools that are adapted to the current norm of hybrid on-premises and cloud or multi-cloud environments, and that are attuned to spotting suspicious patterns of activity on sensitive networks.
(*) Disclosure: Code42 is a sponsor of The Security Ledger. For more information on how Security Ledger works with its sponsors and sponsored content on Security Ledger, check out our About Security Ledger page on sponsorships and sponsor relations. As always, you can check out our full conversation in our latest Security Ledger podcast at Blubrry. You can also listen to it on iTunes and check us out on SoundCloud, Stitcher, Radio Public and more. Also: if you enjoy this podcast, consider signing up to receive it in your email. Just point your web browser to securityledger.com/subscribe to get notified whenever a new podcast is posted.