Remember the good old days of open source, when your main concern was whether you might have inadvertently violated a license or piece of intellectual property? And if you did, well then at worst you'd have to turn over a piece of that software code to the open source community?
Those days are over, of course. Or rather, while the risk of misusing open source remains, there are far bigger dangers -- with corresponding consequences.
Far More Mainstream
Consider, for example, last year's Heartbleed bug, possibly open source's lowest moment. One exploitable error in the OpenSSL cryptography library affected hundreds of millions of websites.
Here's another characteristic of the "good old days" for open source: it wasn’t nearly as mainstream, especially among enterprises, as it is now.
"In the last ten years, in spite of the IP risk, open source has become very popular because of the lower development costs, its speed to market and its ability to add new functionality quickly," Bill Ledingham, CTO and executive vice president of Engineering at Black Duck Software, told CMSWire.
Today, he said, one-third of the code base used in Fortune 500 companies can be attributed to open source.
Now here's the big shocker. Many of these companies track their open source use manually, by spreadsheet or some other similar process, Ledingham said.
"There hasn’t been a lot of automation in terms of understanding and tracking the actual open source software that is in use in the enterprise," he added.
A New Offering
That's the gap Black Duck is targeting with the release of a new product, Black Duck Hub. The application will allow customers to identify the open source code used within their software systems and its known security vulnerabilities, and then triage, schedule and track remediation.
To that end, Black Duck is partnering with Risk Based Security and embedding its VulnDB within the Black Duck Hub for additional vulnerability intelligence.
VulnDB has intelligence on more than 119,000 vulnerabilities, including 35,000 that are not covered in the National Vulnerability Database.
"Public vulnerability resources are incomplete and often lag in reporting many of the most important issues," according to Jake Kouns, CISO of Risk Based Security. "That's why we focused on providing more timely and detailed information through our VulnDB service."
This is roughly how the process will work for end users, Ledingham said. The Black Duck Hub scans the company's code base, then produces a list of the open source components contained in the scanned application, along with the risk factors associated with each component and the corresponding fix. Then it is lather, rinse, repeat.
"Security is a continual process and new vulnerabilities are discovered all the time," he said. Since last year's devastating Heartbleed bug, another 32 vulnerabilities have been discovered in OpenSSL alone, he added.
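The scan, inventory, match and rescan loop described above, reduced to its core, as an added illustration that is not Black Duck's or Risk Based Security's code. The inventory, both vulnerability feeds and the advisory IDs are constructed placeholders; the second feed deliberately contains an entry the first lacks, to mirror the coverage gap Kouns describes.

```python
import re

# Constructed inventory, as a scanner would produce it from a code base (not real data).
INVENTORY = {"openssl": "1.0.1f", "ntp": "4.2.6", "openssh": "6.6"}

# Two constructed vulnerability feeds; IDs are placeholders, not real advisory numbers.
# Entry: (component, first affected version, first fixed version, severity, id)
PUBLIC_FEED = [
    ("openssl", "1.0.1", "1.0.1g", 9.8, "PUB-0001"),
    ("ntp", "4.2.0", "4.2.7", 7.5, "PUB-0002"),
]
COMMERCIAL_FEED = PUBLIC_FEED + [
    ("openssl", "1.0.1", "1.0.1h", 5.3, "COM-0003"),  # present only in the richer feed
]


def version_key(v):
    """Turn '1.0.1g' into a tuple that sorts numerically, then by letter suffix."""
    return tuple((0, int(t)) if t.isdigit() else (1, t) for t in re.findall(r"\d+|[a-z]+", v))


def is_affected(version, first_affected, first_fixed):
    """True when first_affected <= version < first_fixed."""
    return version_key(first_affected) <= version_key(version) < version_key(first_fixed)


def match(inventory, feed):
    """Map scanned components to feed entries; highest severity first, for triage."""
    findings = [
        {"component": c, "version": inventory[c], "id": vid, "severity": sev, "fix": fixed}
        for c, first, fixed, sev, vid in feed
        if c in inventory and is_affected(inventory[c], first, fixed)
    ]
    return sorted(findings, key=lambda f: f["severity"], reverse=True)


def new_findings(inventory, feed, already_tracked):
    """The 'repeat' step: on a rescan, report only IDs not already in the remediation tracker."""
    return [f for f in match(inventory, feed) if f["id"] not in already_tracked]


if __name__ == "__main__":
    first_pass = match(INVENTORY, PUBLIC_FEED)
    for f in first_pass:
        print(f"{f['id']:<9} {f['component']} {f['version']} sev={f['severity']} fixed in {f['fix']}")
    tracked = {f["id"] for f in first_pass}
    # Rescanning against the broader feed surfaces an issue the public feed alone missed.
    for f in new_findings(INVENTORY, COMMERCIAL_FEED, tracked):
        print(f"new: {f['id']} {f['component']} {f['version']} sev={f['severity']}")
```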
'Two Guys Named Steve'
Indeed, a closer look at how security is managed in the open source community shows why this is so.
For the most part, the code bases are developed, maintained and upgraded by nominally paid volunteers. This point was driven home by Heartbleed, when it became clear that the task of keeping this essential code updated fell to "two guys named Steve" -- Steve Henson and Steve Marquess -- at the OpenSSL Foundation, who received about $2,000 a year in donations.
The tech industry, as we know, swooped in to shore up OpenSSL with the creation of the Core Infrastructure Initiative, which will fund priority projects including Network Time Protocol, OpenSSH and OpenSSL.
But companies are still at high risk from Heartbleed, because exploits of the bug could easily morph, as they did shortly after its debut with the launch of Cupid, and because of the long patch cycles in open source and among the organizations that use it.