Adoption of open source software in the enterprise continues to grow, with research suggesting the two largest factors fueling this growth are security and quality. Surprising, perhaps, given revelations of the much-publicised vulnerability discovered in a widely used open source cryptography library earlier this year.
Described by analysts as "catastrophic", the Heartbleed security flaw sent shockwaves through the IT community, highlighting the need for companies to implement procedures to manage the response to security incidents and maintain the trust of their customers and stakeholders. What steps need to be taken to achieve this?
Develop an Open Source Policy
A surprisingly large number of companies embracing open source software do not have clear policies surrounding the use of such software. An open source policy outlines which software packages and libraries are acceptable for use in the organization, prohibits the use of those containing known flaws or vulnerabilities, and sets out how such components are tracked and replaced when a flaw is found. A clear policy ensures agreement on how open source software can be used within an organization. It also allows staff to assess the suitability of open source software for their business needs, and minimizes the legal, technical, and business risks of using such software. Note that a policy is only enforceable if the organization keeps an inventory of which open source components, at which versions, are actually deployed; without that, it is impossible to tell whether a newly published vulnerability applies.
Proactively Monitor for Updates
Commercial vendors regularly distribute security patches for business-critical software, but open source applications and components don't always have such a proactive process: the fix is published, but it is up to the user to notice it and apply it. Open source users can stay informed about new vulnerabilities in open source code by monitoring online security portals such as BugTraq and the MITRE CVE list, as well as the development and security mailing lists for each project they depend on.
On the other hand, once a security vulnerability is identified and fixed in an open source project, the fix is generally documented better and delivered sooner than its proprietary counterparts. In the case of Heartbleed, a patched version of the software fixing the bug (OpenSSL 1.0.1g) was released on 7 April 2014, the same day the vulnerability was publicly disclosed.
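The monitoring described above only works if it is tied to an inventory of what is deployed. The following script is an added example, not code from the original article or from any project it mentions: it matches a constructed component inventory against a constructed, simplified vulnerability feed (not the NVD schema) and reports which hosts need an upgrade. The single feed record is the real Heartbleed advisory, CVE-2014-0160, with the affected range (OpenSSL 1.0.1 through 1.0.1f) and fixed version (1.0.1g) taken from the OpenSSL advisory; the inventory entries, host names and the `since` high-water-mark mechanism are assumptions made for illustration.

```python
"""Match an inventory of open source components against a vulnerability feed.

Added example for illustration; the feed format and inventory are constructed,
not the NVD schema or any real system's data. CVE-2014-0160 is the real
Heartbleed identifier and its version range matches the OpenSSL advisory.
"""
import re
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed feed record (simplified). OpenSSL 1.0.1 through 1.0.1f are
# affected by Heartbleed; 1.0.1g, released on the disclosure day, is fixed.
SAMPLE_FEED = [
    {
        "id": "CVE-2014-0160",
        "product": "openssl",
        "affected_from": "1.0.1",
        "affected_to": "1.0.1f",   # inclusive upper bound
        "fixed_in": "1.0.1g",
        "published": "2014-04-07",
    },
]

# Constructed inventory: (product, version, host it is deployed on).
SAMPLE_INVENTORY = [
    ("openssl", "1.0.1e", "web-frontend"),   # vulnerable
    ("openssl", "1.0.1g", "vpn-gateway"),    # already patched
    ("zlib", "1.2.8", "web-frontend"),       # no record in the feed
]

Version = Tuple[Tuple[int, int], ...]
_SEGMENT = re.compile(r"^(\d+)([a-z]*)$")


def parse_version(version: str) -> Version:
    """Turn '1.0.1f' into ((1,0),(0,0),(1,6)) so that OpenSSL-style letter
    suffixes order correctly: 1.0.1 < 1.0.1a < ... < 1.0.1f < 1.0.1g < 1.0.2.
    Pre-release tags such as '1.0.2-beta1' are not handled and raise; the
    caller should normalise those before lookup."""
    parts = []
    for seg in version.lower().split("."):
        m = _SEGMENT.match(seg)
        if not m:
            raise ValueError(f"unsupported version segment {seg!r} in {version!r}")
        num, suffix = m.groups()
        rank = 0
        for ch in suffix:                      # '' -> 0, 'a' -> 1, ..., 'z' -> 26, 'aa' -> 27
            rank = rank * 26 + (ord(ch) - ord("a") + 1)
        parts.append((int(num), rank))
    return tuple(parts)


def _pad(a: Version, b: Version) -> Tuple[Version, Version]:
    """Pad the shorter tuple with (0, 0) so that '1.0' compares equal to '1.0.0'."""
    n = max(len(a), len(b))
    return a + ((0, 0),) * (n - len(a)), b + ((0, 0),) * (n - len(b))


def version_in_range(version: str, low: str, high: str) -> bool:
    """True if low <= version <= high (both bounds inclusive)."""
    v, lo = _pad(parse_version(version), parse_version(low))
    v2, hi = _pad(parse_version(version), parse_version(high))
    return lo <= v and v2 <= hi


def find_affected(inventory, feed, since: Optional[date] = None) -> List[Dict[str, str]]:
    """Return one finding per (host, component) that falls in an affected range.

    `since` is a high-water mark for repeated runs: records published on or
    before that date were already handled last time and are skipped, so a
    scheduled job only raises alerts for advisories it has not seen.
    """
    findings: List[Dict[str, str]] = []
    for rec in feed:
        published = date.fromisoformat(rec["published"])
        if since is not None and published <= since:
            continue
        for product, version, host in inventory:
            if product != rec["product"]:
                continue
            if version_in_range(version, rec["affected_from"], rec["affected_to"]):
                findings.append({
                    "host": host,
                    "product": product,
                    "version": version,
                    "advisory": rec["id"],
                    "upgrade_to": rec["fixed_in"],
                })
    return findings


if __name__ == "__main__":
    for f in find_affected(SAMPLE_INVENTORY, SAMPLE_FEED):
        print(f"{f['host']}: {f['product']} {f['version']} affected by "
              f"{f['advisory']}, upgrade to {f['upgrade_to']}")
```

Run on the sample data it reports only `web-frontend` (OpenSSL 1.0.1e); the patched `vpn-gateway` host and the unrelated zlib entry are silent. In a real deployment the inventory would come from package manager or SBOM output and the feed from a CVE data source, and the high-water mark would be persisted between runs.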
Communicate Early, Communicate Often
IT security incidents have not historically been widely disclosed, and public communication was often kept to a minimum.
The greater public awareness of privacy and data security in recent years has led to the introduction of legislation in many jurisdictions requiring prescribed responses to certain types of data breaches. When the full implications of Heartbleed were realised, many organisations initiated a rapid and well-coordinated public response, detailing the impact of the vulnerability on their systems, the specific measures taken to remedy it (patching OpenSSL, then re-issuing certificates and keys that may have been exposed from server memory), and advice on how users could protect their data and online identity, typically by changing passwords once the affected service had been patched. This swift response alleviated fears and provided reassurance to customers and users. It played a vital role in maintaining the trust and goodwill critical to any client relationship.
As companies expand their use of software packages and libraries in their business processes, the risk of encountering a serious security vulnerability also rises. Corporations can mitigate the risk of serious and potentially devastating security breaches, and demonstrate good governance, by following a few simple guidelines. The bottom line is that they must implement sensible policies for the use of software, be proactive in maintaining software and updating it when flaws are discovered, and communicate clearly and promptly to clients and customers when issues do arise.