GCN : February 2015
How secure are your open source-based systems?
By Susan Miller

[Briefing] Responsibility for secure open source software is, well, complicated. Some believe open source is more secure than proprietary software because, as Linus’s Law says, “Given enough eyeballs, all bugs are shallow.” That means that the more widely available open software is, the more scrutiny it will receive, the more flaws will be surfaced and the stronger the code will be.

That would be true if the components that make up open source code were regularly reviewed and if developers verified the security of components before incorporating them into their work. But that’s not always the case. Like automobile assembly plants that build cars with independently manufactured airbag and brake components, software developers often assume that the open source components in their supply chain are reliable, patched and up to date. Unfortunately, assumptions like that allow for vulnerabilities like those that were behind the Heartbleed bug.

Flaws exist in open source software for a variety of reasons: the components might be old, or not mature when they were first used. Or they might not have been audited or adequately tested. But often, once an open source component makes it into a widely used application, it is assumed to be secure, and demand for testing diminishes.

It’s not just open source code that’s vulnerable. Much proprietary software uses open source components. According to Gartner, 95 percent of all mainstream IT organizations will leverage some element of open source software – directly or indirectly – within their mission-critical IT systems in 2015. And in an analysis of more than 5,300 enterprise applications uploaded to its platform in the fall of 2014, Veracode, a security firm that runs a cloud-based vulnerability scanning service, found that third-party components introduce an average of 24 known vulnerabilities into each web application.

To address this escalating risk in the software supply chain, industry groups such as the Open Web Application Security Project, the PCI Security Standards Council and the Financial Services Information Sharing and Analysis Center now require explicit policies and controls to govern the use of components, according to Veracode.

The use of open source in federal systems is also attracting scrutiny. In December, House Committee on Foreign Affairs Chairman Ed Royce (R-Calif.) and Rep. Lynn Jenkins (R-Kan.) introduced the Cyber Supply Chain and Transparency Act of 2014 (H.R. 5793), which would have required any supplier of software to the federal government to identify which third-party and open source components are used and to verify that they do not include known vulnerabilities for which a less vulnerable alternative is available. The bill also would have required the Office of Management and Budget to issue guidance on setting up an inventory of vulnerable software and on replacing or repairing known or discovered vulnerabilities. Agencies would have had to report annually on the security of projects using open source components and their suppliers, for reference by other agencies.

The bill is important because, as Rep. Royce said in his introductory remarks, much of the nation’s economy relies on software with open source components.

“It is precisely because of the im-

continued on page 6

Photo caption: Use of open source is attracting the scrutiny of federal legislators, including House Foreign Affairs Committee chairman Ed Royce (R-Calif.), who voiced concerns that the nation relies on the security of the software. (AP Images)