Open Source Lessons for IoT Companies
Open Source components have been historically difficult for IoT companies to monitor. A well-planned strategy and accompanying tools can make a big difference in your security.
Join the DZone community and get the full member experience.Join For Free
IoT companies monitor for breaches at some level across the organization. But there's deeper exposure today with open source software (OSS) and third-party software within products. A 2017 survey of 400 IoT and software companies, Open Source Risk - Fact or Fiction? shed additional light on this important topic. The survey uncovered:
- Only 37 percent said their companies had open source acquisition or usage policies in place. 43 percent said they didn't. And 19 percent didn't know.
- 39 percent of respondents said that either no one within their company is responsible for open source compliance - or they do not know who is
This data illustrates an operational gap for IoT companies—there is no infrastructure is in place to know the scope of OSS use, monitor for risks, and close any potential breaches.
Lack of Structure Caused Equifax Issues
The OSS community announced the suspected vulnerability on March 7, 2017 along with a patch. But the patch was not applied immediately and the hack was not uncovered until July. The result-143 million consumers exposed, lawsuits and a significant negative impact on reputation.
Software Controls at All Levels of Development Lifecycle
IoT companies need to require software controls. The process begins by implementing protection mechanisms at all stages of the software development cycle, and a realization that decisions made during coding have a bigger organizational impact.
- Requirements and user interface definition phase: identify which features require OSS or third-party use.
- Coding phase: create a process with checks and balances on risks and compliance before adding OSS or third-party code.
- Patch management phase: carefully audit any OSS or third-party code that offers a quick fix for an issue.
Analyze the Software Component of Your Products
Historically, hardware has been the focal point for IoT companies. As more and more software runs behind the scenes, it's time to analyze what's there, what is the source and what is needed to manage it. An OSS audit is a great place to start.
Create Training on OSS Use and Management
OSS use is often behind the scenes. Key stakeholders and development teams need education on possible risks and the importance of a disciplined process for using OSS. The organization should be aligned and committed to a formal OSS methodology.
Develop a Review Board
Engineering, legal, IT and management stakeholders join forces to create a powerful compliance team, often called an Open Source Review Board (OSRB).
Define a Formal OSS Security Strategy and Process
To truly gain the impact needed, document the procedures that everyone will follow, including:
- Review the code you are using. Check what's being used at multiple stages and different code levels.
- Ask your outsourced partners to follow the audit process and document compliance
- Define detailed audit trails to make it easy to find vulnerabilities and fix them
- Create a third party bill of materials for customers and partners. Expect the same from your software vendors.
Explore Software Composition Analysis (SCA) TechnologyMost OSS breaches attack the application layer of software. This means the typical intrusion detection, firewalls, web-based authentication, and identity management systems don't meet protection needs. Scanning technology identifies which source libraries are being used, what hidden third-party libraries are coming in that may pose risk and how much stolen or copied code has crept in without proper attribution.
Don't Be Next-Plan, Scan and Protect
With proactive planning, IoT companies can learn from what occurred with Equifax and Heartbleed, and experience the wins of OSS with minimal risk. Secure and protect your IP and with Software Composition Analysis.
Published at DZone with permission of Jeff Luszcz, DZone MVB. See the original article here.
Opinions expressed by DZone contributors are their own.