But first: software is eating the world, as the saying goes, and these days much of that munching is happening courtesy of free and open source software. Since the open source software movement first got going in the early 1980 with the GNU Project, the use of open source has grown exponentially. Today, open source libraries and other components can be found in virtually every substantial software application in use.
Census II exposes OSS Security DebtBut the rapid and friction-less adoption of open source isn’t without a cost. Namely: security debt. While the popular wisdom is that the wisdom and energy of the crowd is sufficient to keep open source software components secure and stable, history has indicated otherwise, as bugs like Heartbleed in the ubiquitous OpenSSL software opened the eyes of the security community to the fact that serious bugs and exploitable holes may lurk in other, widely used open source components. But surveying such a massive repository of code is a Herculean task. Better to know which open source components are the most widely used and shared, and which pose the greatest security risks. That’s why the folks at Harvard University’s Laboratory for Innovation Science and The Linux Foundation teamed up on the second open source Census and the first ever census to identify and measure how widely open source software is deployed within applications by private and public organizations. The goal was to draw a more complete picture of FOSS usage including through analyzing usage data provided by partner Software Composition Analysis (SCA) companies. Their report, dubbed “Vulnerabilities in the Core,” and recommendations it offers are a unique insight into the security challenges facing the open source community. To discuss their work, we invited Frank Nagle of Harvard Business School and Mike Dolan of the Vice President of Strategic Programs at The Linux Foundation in to talk about the Census II findings and what they mean for the larger project of securing open source code.
The New Face(s) of Insider ThreatBack in the Watergate era, stealing sensitive data was a cloak and dagger affair. The burglars hired to obtain sensitive strategy documents from the Democratic National Committee needed physical access to offices and file cabinets and went equipped with flash lights, lock picks, and other implements to do the job. [Check out our previous conversation with Code42: “Rethinking Enterprise DLP” ]
(*)Disclosure: Code42 is a sponsor of The Security Ledger. For more information on how Security Ledger works with its sponsors and sponsored content on Security Ledger, check out our About Security Ledger page on sponsorships and sponsor relations. As always, you can check our full conversation in our latest Security Ledger podcast at Blubrry. You can also listen to it on iTunes and check us out on SoundCloud, Stitcher, Radio Public and more. Also: if you enjoy this podcast, consider signing up to receive it in your email. Just point your web browser to securityledger.com/subscribe to get notified whenever a new podcast is posted.