CDM-CYBER-DEFENSE-eMAGAZINE-March-2019
Why should software be any different?

Consumers' data and privacy are put at risk daily by the software they use in their PCs, smartphones, tablets and other consumer devices. The software-based services they use are also at risk. Their retailers', banks', credit monitors' and governments' systems are being hacked more frequently and at greater cost.
Open Source Software – Boon & Bane

A great deal of this is due to the increased use of open source code elements in software today. It is estimated that more than 90% of the software in development and use today contains open source. Its use is tied to its ability to be quickly integrated, delivering tremendous levels of innovation. However, this innovation comes with a cost. In 2018, 16,555 known software vulnerabilities were published by the National Vulnerability Database (NVD), a new record.
The open source community is now constantly finding and publishing new security vulnerabilities. Consequently, known open source software vulnerabilities become a roadmap for hackers to target and attack businesses' systems. Systems that contain known vulnerabilities that have been left unpatched or unaddressed are likely to fall victim to data loss and theft.
Build Your Own Software Composition "Nutrition" Label

Be it developed in-house, custom-built by a third party, off-the-shelf or some kind of amalgamation, the level of software sophistication and complexity continues to grow rapidly. Someday, in order to better protect businesses and consumers, governments may mandate software composition or "software nutrition" labeling, as they have in the food and medicine industries.
Until that day comes, businesses should require their software vendors to provide them with this information. Unfortunately, not all software vendors provide it, citing reasons such as protection of proprietary IP. Smart businesses can take a more proactive approach by analyzing third-party software and building a software component list of their own.
While a great deal of the code delivered today to enterprises is accompanied by documentation that lists the software components, many third-party vendors do not provide their clients with that list.
Additionally, third-party software products are likely to be a combination of in-house developed and procured code. This makes analyzing and tracking open source software elements incredibly challenging. Given that this code is delivered in binary format, businesses have had to take the composition documentation on faith.
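To make the "nutrition label" idea concrete, the following script builds a composition label from a component inventory and checks each pinned version against a list of known-vulnerability advisories using version-range matching (rather than naive string comparison, which mis-orders 1.10 and 1.9). This is an added example and not code from the magazine or from any scanning vendor; the component manifest, the advisory records and the `ADV-EXAMPLE-*` identifiers are constructed for illustration only and correspond to no real software or CVE.

```python
"""Minimal software composition ("nutrition") label with version-range
matching against a known-vulnerability list.

Added example. MANIFEST and ADVISORIES below are constructed sample data;
the ADV-EXAMPLE-* identifiers are placeholders, not real advisories.
"""
import json
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    origin: str  # "in-house", "open-source" or "procured"


@dataclass(frozen=True)
class Advisory:
    ident: str        # placeholder identifier (constructed)
    component: str    # affected component name
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive); "" means no fix yet


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.2.10' into (1, 2, 10), padded to three parts, so that
    comparisons are numeric: '1.10.0' sorts after '1.9.0'."""
    parts = [int(p) for p in v.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(comp: Component, adv: Advisory) -> bool:
    """True if the component's exact version lies in [introduced, fixed)."""
    if comp.name != adv.component:
        return False
    v = parse_version(comp.version)
    if v < parse_version(adv.introduced):
        return False
    return adv.fixed == "" or v < parse_version(adv.fixed)


def build_label(components: List[Component],
                advisories: List[Advisory]) -> Dict[str, object]:
    """Return the composition label: every component, its origin, the
    advisories matching the version in use, and the open source share."""
    entries = []
    for c in components:
        hits = [a.ident for a in advisories if is_affected(c, a)]
        entries.append({"name": c.name, "version": c.version,
                        "origin": c.origin, "advisories": hits})
    n_oss = sum(1 for c in components if c.origin == "open-source")
    share = round(n_oss / len(components), 2) if components else 0.0
    return {
        "components": entries,
        "open_source_share": share,
        "vulnerable_components": [e["name"] for e in entries if e["advisories"]],
    }


# Constructed sample inventory (not a real product).
MANIFEST = [
    Component("libparse", "1.2.3", "open-source"),
    Component("netcore", "2.0.0", "open-source"),
    Component("billing-ui", "4.1.0", "in-house"),
    Component("crypto-lite", "0.9.1", "procured"),
]

# Constructed sample advisories (placeholder identifiers, not real CVEs).
ADVISORIES = [
    Advisory("ADV-EXAMPLE-001", "libparse", "1.0.0", "1.2.5"),
    Advisory("ADV-EXAMPLE-002", "netcore", "2.1.0", "2.1.4"),
    Advisory("ADV-EXAMPLE-003", "crypto-lite", "0.9.0", ""),
]

if __name__ == "__main__":
    print(json.dumps(build_label(MANIFEST, ADVISORIES), indent=2))
```

Run as written, the label reports `libparse` (inside the affected range) and `crypto-lite` (affected with no fix available) as vulnerable, while `netcore` 2.0.0 is cleared because it predates the range in which the flaw was introduced. In practice the manifest would come from a build system or a binary scanner and the advisory list from a feed such as the NVD, but the matching logic is the part most often got wrong, and it is the part this example isolates.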
New fingerprint-based binary scanning technologies make building a software "nutrition" composition label relatively easy and straightforward. Additionally, these scanners find small, open source code elements, catalog them and match them against databases of known security