Welcome!

Linux Containers Authors: Elizabeth White, Carmen Gonzalez, Yeshim Deniz, Sematext Blog, Liz McMillan

Related Topics: Linux Containers, Java IoT, Industrial IoT, Open Source Cloud, Eclipse, Agile Computing

Linux Containers: Article

What Developers Need to Know About Open Source Vulnerability Management

As a resourceful developer, you’re not writing code from scratch anymore

As a resourceful developer, you're not writing code from scratch anymore. You probably have access to a vast amount of code you wrote at previous jobs, and a lot of your development probably relies at least in some part around third party or open source software. Every savvy developer knows their way around Sourceforge, Codeplex, or GitHub, and with access to readily available code that frees you up to tackle real challenges, there really is no downside to open source code.

Sure, you're probably aware that many open source projects have license obligations tied to them. And licenses are not generally written for developer consumption, so you may be part of a growing contingent of developers that doesn't care about them, but it's likely that your manager cares.

With the increasing complexity of software, organizations are more cognizant than ever about the potential pitfalls of including open source code in their products. Below are some quick tips to continue leveraging open source code, while keeping your manager and legal department happy.

1. Know What to Look For
Security and licensing (i.e., the specific permission of the original author of the open source code) are the two potential vulnerabilities that concern organizations the most. Depending on the type of business, export controls may also be on the radar. But for now we'll focus on the biggest two:

Security Vulnerabilities
Security vulnerabilities exist in both open source and proprietary software. And the exposure of the Heartbleed bug earlier this year illustrated how much heartache these issues can inflict. Here are a few things to keep in mind:

  1. When choosing an open source project, do some research to try and discern if there have been reports of any vulnerability in the code (the National Vulnerability Database (NVD) is a great resource for this).

  2. Always use the most recent version of a project (and preferably one that is actively maintained).

  3. Download projects from a reputable source such as the project's website, or a trustworthy code repository.

License Vulnerabilities
An open source license is the way the code author grants usage permission to the world at large, and dictates the terms under which the license can be used. Open source licenses generally fit into two categories: permissive and restrictive licenses. Permissive licenses such as MIT, BSD, or Apache generally have fewer restrictions on the redistribution of software. Restrictive or copyleft licenses, such as the GPL, place more restrictions on redistribution (e.g. asking you to contribute your derivative work to the open source community) and may require your work to be licensed under the GPL. You can speak to your organization's legal department for a crash course on different license types and what licenses are permitted in your organization, or take a look at various summaries available online.

Before incorporating an open source component in your project it's a good idea to take a look at what (if any) license terms are attached to it. This information can typically be found in a file called COPYING, license.txt or even in a readme file.

Here are three possible licensing scenarios you could encounter when using open source code:

  1. There is no license information available - you should probably avoid using these types of projects as they can cause all sorts of legal headaches for your organization.

  2. There is copyright information, but no license file - in this case, you will need to track down the creator(s) of the project and obtain their consent to use the code. This defeats the time-saving argument for using open source in the first place.

  3. The project has an explicit license - so the project is fair game right? Not so fast. You need to ensure that the license is acceptable for use in your organization. This brings me to the next point...

2. Know Your Boundaries
As open source has moved into the mainstream, many organizations have established formal policies and approval processes around the use of open source code. An open source policy establishes:

  1. Who the stakeholders are.

  2. What licenses are acceptable in an organization.

  3. Which vendors are approved.

  4. Whether or not you need to pre-approve an open source package before you use it.

  5. The steps to take once a policy violation has been detected.

If your organization does not have a formal policy in place, talk to your managers or legal department to see if any license types are off limits, or to find out if there is an existing list of pre-approved packages.

3. Know How to React
Equipped with some research on open source licensing and security vulnerabilities it's now time to decide what to do with this information. Here are a few options:

Do nothing. Use whatever open source packages you want and hope for the best. Quality assurance and legal teams will dislike you. You'll probably create more work for yourself by having to fix issues uncovered during testing, and repeat offenders should probably make sure their resumes and GitHub profiles are up to date, just in case.

Manually track open source packages. You'll be creating a little more work for yourself, but your managers will thank you. Check to make sure that the packages you are using have a license and that the license complies with your organization's policy. Consult the NVD to make sure the package doesn't contain security vulnerabilities. Make sure you commit this information along with your code.

Automate the tracking process. There are various tools available to automate open source package pre-approval and there are even background developer assistant tools that can automatically report on licensing and security issues as code is being developed. These tools can be digitally linked to the organization's policy as well as the NVD to accurately detect license and security vulnerabilities in real time.

By taking a proactive approach and getting involved in open source vulnerability management, you'll save yourself and your organization as a whole from running into roadblocks that stall the development process. Find out if your organization has a license policy and implement some vulnerability management tactics and start developing code worry free.

More Stories By Lacey Thoms

Lacey Thoms is a marketing specialist and blogger at Protecode, a provider of open source license management solutions. During her time at Protecode, Lacey has written many articles on open source software management. She has a background in marketing communications, digital advertising, and web design and development. Lacey has a Bachelor’s Degree in Mass Communications from Carleton University.

IoT & Smart Cities Stories
In his session at 21st Cloud Expo, Raju Shreewastava, founder of Big Data Trunk, provided a fun and simple way to introduce Machine Leaning to anyone and everyone. He solved a machine learning problem and demonstrated an easy way to be able to do machine learning without even coding. Raju Shreewastava is the founder of Big Data Trunk (www.BigDataTrunk.com), a Big Data Training and consulting firm with offices in the United States. He previously led the data warehouse/business intelligence and Bi...
Codete accelerates their clients growth through technological expertise and experience. Codite team works with organizations to meet the challenges that digitalization presents. Their clients include digital start-ups as well as established enterprises in the IT industry. To stay competitive in a highly innovative IT industry, strong R&D departments and bold spin-off initiatives is a must. Codete Data Science and Software Architects teams help corporate clients to stay up to date with the mod...
The Japan External Trade Organization (JETRO) is a non-profit organization that provides business support services to companies expanding to Japan. With the support of JETRO's dedicated staff, clients can incorporate their business; receive visa, immigration, and HR support; find dedicated office space; identify local government subsidies; get tailored market studies; and more.
Tapping into blockchain revolution early enough translates into a substantial business competitiveness advantage. Codete comprehensively develops custom, blockchain-based business solutions, founded on the most advanced cryptographic innovations, and striking a balance point between complexity of the technologies used in quickly-changing stack building, business impact, and cost-effectiveness. Codete researches and provides business consultancy in the field of single most thrilling innovative te...
CloudEXPO has been the M&A capital for Cloud companies for more than a decade with memorable acquisition news stories which came out of CloudEXPO expo floor. DevOpsSUMMIT New York faculty member Greg Bledsoe shared his views on IBM's Red Hat acquisition live from NASDAQ floor. Acquisition news was announced during CloudEXPO New York which took place November 12-13, 2019 in New York City.
With the introduction of IoT and Smart Living in every aspect of our lives, one question has become relevant: What are the security implications? To answer this, first we have to look and explore the security models of the technologies that IoT is founded upon. In his session at @ThingsExpo, Nevi Kaja, a Research Engineer at Ford Motor Company, discussed some of the security challenges of the IoT infrastructure and related how these aspects impact Smart Living. The material was delivered interac...
Atmosera delivers modern cloud services that maximize the advantages of cloud-based infrastructures. Offering private, hybrid, and public cloud solutions, Atmosera works closely with customers to engineer, deploy, and operate cloud architectures with advanced services that deliver strategic business outcomes. Atmosera's expertise simplifies the process of cloud transformation and our 20+ years of experience managing complex IT environments provides our customers with the confidence and trust tha...
Intel is an American multinational corporation and technology company headquartered in Santa Clara, California, in the Silicon Valley. It is the world's second largest and second highest valued semiconductor chip maker based on revenue after being overtaken by Samsung, and is the inventor of the x86 series of microprocessors, the processors found in most personal computers (PCs). Intel supplies processors for computer system manufacturers such as Apple, Lenovo, HP, and Dell. Intel also manufactu...
Darktrace is the world's leading AI company for cyber security. Created by mathematicians from the University of Cambridge, Darktrace's Enterprise Immune System is the first non-consumer application of machine learning to work at scale, across all network types, from physical, virtualized, and cloud, through to IoT and industrial control systems. Installed as a self-configuring cyber defense platform, Darktrace continuously learns what is ‘normal' for all devices and users, updating its understa...
At CloudEXPO Silicon Valley, June 24-26, 2019, Digital Transformation (DX) is a major focus with expanded DevOpsSUMMIT and FinTechEXPO programs within the DXWorldEXPO agenda. Successful transformation requires a laser focus on being data-driven and on using all the tools available that enable transformation if they plan to survive over the long term. A total of 88% of Fortune 500 companies from a generation ago are now out of business. Only 12% still survive. Similar percentages are found throug...