Open source security in the spotlight as UK gov publishes fresh guidance
Businesses should follow these four fundamental steps to keep a handle on open source security risks


The UK government has issued guidance on how organizations should manage their use of open source software (OSS) components and mitigate supply chain risks, as thousands of open source vulnerabilities leave businesses at risk.
Combining guidance from international governments, industry, and academia, the report from the Department of Science, Information, and Technology (DSIT) offers advice on the usage, production, security, and licensing of open source software.
The recommendations, which the report said were selected as the most appropriate for organizations of any size and sector, comprise four best practices it claimed constitute a “proportionate and reasonable approach to OSS risk management”.
Firstly, DSIT recommends that businesses should establish an internal OSS policy around managing the adoption of OSS components. Creating a software bill of materials (SBOM) is also essential for tracking OSS components and their various dependencies.
Similarly, organizations should ensure they are continuously monitoring their software supply chain using software composition analysis (SCA) tools to identify vulnerabilities in their codebase or any potential licensing issues.
The report also urged businesses to actively engage with the OSS community, which it says will “attract new talent, level the competitive playing field, foster innovation, improve reputation, and ensure high-quality OSS components and a sustainable OSS ecosystem”.
In addition, DSIT strongly recommends adopting tools to automate OSS management to alleviate time and resource constraints that may fall on smaller organizations.
DSIT report lacks detail on vulnerability management
Chris Hughes, chief security advisor at Endor Labs and cyber innovation fellow at CISA, said he was impressed by the broad and comprehensive range of guidance the report has distilled from various resources.
However, he cautioned that some organizations may be overwhelmed by the measures the report suggests and advised they should start with the most basic recommendations before moving forward.
Hughes also noted that the report did not provide specific details on the vulnerability management practices that firms will have to familiarize themselves with to mitigate flaws and software supply chain risks.
“While it touches on vulnerability management and prioritization it didn’t go into much depth in terms of key modern specifics. Examples such as reachability, known exploitation, exploitation probability and organizational context were lacking,” he explained.
“Organizations need to make these improvements to be able to sift through the noisy nature of the vulnerability landscape, especially when it comes to OSS.”
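As an added example (not part of the ITPro article or the DSIT report) that ties the SBOM and SCA recommendations above to the prioritisation factors Hughes lists, this Python script matches a constructed CycloneDX-style SBOM against a constructed advisory feed and ranks the matches by CVSS, known exploitation, exploitation probability, reachability and exposure. All component names, advisory IDs, scores and the weighting scheme are assumptions made for illustration.

```python
import json

# Constructed CycloneDX-style SBOM fragment; component names and versions are made up.
SBOM_JSON = """{"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
  {"type": "library", "name": "example-http", "version": "2.3.1"},
  {"type": "library", "name": "example-yaml", "version": "5.0.0"},
  {"type": "library", "name": "example-logging", "version": "1.2.0"}]}"""

# Constructed advisory feed with placeholder IDs (not real CVEs). "exploited" stands in
# for a known-exploited-vulnerabilities flag, "epss" for an exploitation-probability score.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "name": "example-http", "affected": ["2.3.0", "2.3.1"],
     "cvss": 9.8, "exploited": False, "epss": 0.02},
    {"id": "ADV-PLACEHOLDER-2", "name": "example-logging", "affected": ["1.2.0"],
     "cvss": 7.5, "exploited": True, "epss": 0.91},
    {"id": "ADV-PLACEHOLDER-3", "name": "example-yaml", "affected": ["4.9.0"],
     "cvss": 8.1, "exploited": False, "epss": 0.10},
]

# Organisational context (constructed): components whose vulnerable code the SCA tool's
# reachability analysis found called from the application, and whether the service is exposed.
REACHABLE = {"example-logging"}
INTERNET_FACING = True


def priority(adv, reachable, internet_facing):
    """Rank score (assumed weighting): CVSS is the base, halved when the flaw is not
    reachable; known exploitation, exploitation probability and exposure add to it."""
    score = adv["cvss"] * (1.0 if reachable else 0.5)
    score += 3.0 if adv["exploited"] else 0.0
    score += 2.0 * adv["epss"]
    score += 1.0 if internet_facing else 0.0
    return round(score, 2)


def triage(sbom_json, advisories, reachable, internet_facing):
    """Match SBOM components against the advisory feed and return
    (advisory id, component, score) tuples, highest priority first."""
    installed = {c["name"]: c["version"] for c in json.loads(sbom_json)["components"]}
    hits = []
    for adv in advisories:
        version = installed.get(adv["name"])
        if version is None or version not in adv["affected"]:
            continue  # component absent, or the installed version is not affected
        score = priority(adv, adv["name"] in reachable, internet_facing)
        hits.append((adv["id"], adv["name"], score))
    return sorted(hits, key=lambda h: h[2], reverse=True)
```

Calling `triage(SBOM_JSON, ADVISORIES, REACHABLE, INTERNET_FACING)` ranks the reachable, actively exploited logging flaw above the unreachable CVSS 9.8 HTTP flaw and drops the YAML advisory because the installed version is not in its affected range.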
Open source security concerns linger
Open source security has become a growing risk exposing organizations to cyber attacks - and one that has traditionally been neglected by many businesses.
A recent study from Black Duck found that 86% of codebases contained open source vulnerabilities, with 81% being classified as critical risks, marking a 7% increase on last year’s figures.
The report concluded that the growth in open source vulnerabilities suggests developer organizations are unable to track the vast number of software dependencies they’re using, and not prioritizing the remediation of these flaws accordingly.
This underscores the importance of implementing SCA tools, SBOMs, and similar measures to track and identify vulnerabilities in your organization, Black Duck noted.

Solomon Klappholz is a former staff writer for ITPro and ChannelPro. He has experience writing about the technologies that facilitate industrial manufacturing, which led to him developing a particular interest in cybersecurity, IT regulation, industrial infrastructure applications, and machine learning.