Open source is embedded in over 50% of enterprise applications and development environments today, yet very few developers are aware of the inherent security risks. What steps should you take to maximize the benefits of open source software while substantially reducing risk?
With more than one billion vehicles on the road and nearly 22 million vehicles recalled in 2013 alone, development teams are increasingly being held accountable to deliver safe, secure software. Unfortunately, automotive functional safety and ISO 26262 certification can be a difficult and lengthy landscape for development teams to navigate. To help with increasing scrutiny and more complex systems, verification and validation by analysis is veering away from dynamic methods towards static analysis tools. In fact, ISO 26262 recommends static code analysis for ASILs B to D.
Security breaches can happen – that’s why it’s more important than ever to understand why secure code matters.
This year’s International Supercomputing Conference brings together leading researchers and organizations dedicated to the science and art of high performance computing (HPC). Rogue Wave Software has long been a supporter of the HPC community and will bring the latest and greatest parallel debugging and code analysis solutions to the conference.
Open source software has become incredibly widespread over the past few years, used by a hugely diverse range of businesses in every sector. Yet there are still a number of areas where open source has yet to be fully embraced. One example of such an arena is securities and derivatives trading.
In a world where we are stressed and pulled in a hundred different directions, it is easy to claim that we do not have the time or energy for things that may seem trivial. For software developers, ignoring the importance of open source software (OSS) is a mistake. OSS is a valuable tool that can save time and money, as well as encourage and expand creativity and collaboration among many talented individuals. So why are some developers hesitant to use OSS, or hesitant to admit they use it? It could be the licenses tied to the code, the vast number of OSS packages to choose from, or the time it takes to become familiar with OSS. Using OSS is not as complex as you might think. Following is a list of ten excuses for not learning OSS, and the answers that I hope will convince you otherwise:
When discussing the pros and cons of open source software (OSS), most people will immediately list legal or security risks with OSS as huge cons. But the truth is the risks are no different than those of using commercial software. You can violate a commercial license, and the commercial software you use can have a security flaw (and we all know commercial software is full of security issues), so the same concerns apply to commercial software in general. The truth is you have to be smart about OSS. You have to understand why it’s important to know where it came from, how it’s licensed, and how to use it to lower your risks, just like you do with commercial software.
The OpenSSL Heartbleed issue was a simple mistake with very large consequences. It shows just how vulnerable the world can be when there is a problem in foundational components, especially when those components have become de facto standards. By its very nature, open source software can get adoption at scales that commercial software can only dream of achieving. Standardization, usually considered the strength of open source foundational pieces, was shown to be its own weakness with Heartbleed. This was exacerbated by the fact that not many of us really pay too much attention to OpenSSL. For most of us, we just link to it or use a web server that links to it and it just comes along for a ride in our operating system layer. Keep up-to-date on OS patches and everything should be good, we hope.
Last week we talked about the flaw in OpenSSL known as “Heartbleed” and its massive impact on websites and users around the world. We also mentioned how open-source scanning and support tools, such as OpenLogic, report this flaw. Today, we look at how Klocwork handles the issue.
By now, you’ve heard about the OpenSSL flaw that’s capturing the attention of anyone in the world who’s remotely connected with security. Known as “Heartbleed,” this vulnerability allows any enterprising individual to access memory within systems protected by certain versions of the OpenSSL cryptographic library. By accessing memory without authorization, data that you and your end-users care about, such as usernames, passwords, and credit card numbers, is potentially exposed. Given that Netcraft reports that nearly 66% of websites around the world use some form of SSL, this is a seriously bad problem.
If you read a post on The Enterprise OSS Blog, please leave a comment. Let us know what you think, even if it's just a few words. Comments do not require approval, but they are moderated. OpenLogic reserves the right to remove any comments it deems inappropriate.