
Companies Turn Blind Eye to Open Source Security Risks

Survey results Flexera released on Tuesday suggest that many software developers and enterprise users have been lax about, or oblivious to, the need to properly manage open source software.

According to the report, companies are not mindful of open source components and fail to monitor their security implications; the report highlights the consequences of failing to establish open source acquisition and usage policies and to follow best practices.

Flexera polled more than 400 commercial software suppliers and in-house software development teams within enterprises about their open source practices.

Based on the survey's findings, more than half of the software products currently in use contain open source components.

Flexera's research team holds that open source software lets companies develop nimbly, but that the risks and security implications are grossly overlooked and not adequately managed.

Jeff Luszcz, vice president of product management at Flexera, said: "We did this study to put some numbers behind what we have been seeing with open source developers over the last decade."

What is still surprising in 2017, he told LinuxInsider, is how little process and control there is around the use of open source and commercial code in software development.

Survey Highlights

Those who responded to Flexera's survey included software suppliers, Internet of Things manufacturers and members of in-house development teams. Their responses formed the basis of Flexera's report, "Open Source Risk -- Fact or Fiction."

According to Flexera, a clear benefit of open source software is that it helps software suppliers be more nimble and build products faster. The report reveals hidden software supply chain risks that all software suppliers and IoT manufacturers should know about.

· Only 37 percent of respondents had an open source acquisition or usage policy.

· Sixty-three percent said either that their companies had no open source acquisition or usage policy, or that they did not know whether one existed.

· Thirty-nine percent of respondents said either that no one within their company was responsible for open source compliance, or that they did not know who was.

· Thirty-three percent of respondents said their companies contributed to open source projects.

· Of the 63 percent who said their companies had no open source acquisition or usage policy, 43 percent said they contributed to open source projects.

Open source is a clear win. Ready-to-go code gets products to market faster, which matters given the lightning pace of software development, said Flexera's Luszcz.

"However," he added, "most software engineers do not track open source use, and most software executives do not realize there is a gap and a security/compliance risk."

The key lesson the report teaches software and IoT companies is that their processes for managing open source security and licensing have not kept pace with the rapid adoption of open source. That puts the companies and their customers at risk.

No Safety Zone

A debate still rages over which type of software is safer to use, open source or proprietary. Mike Baker, managing partner at Mosaic451, argued that no scenario exists in which proprietary software is safer than open source.

"Security through obscurity does not work. It has never worked," he told LinuxInsider.

A clear and obvious structural conflict of interest exists for a privately held company to acknowledge that its core product, its software, would pose terrible risks if it were hacked. Private companies do not acknowledge such things unless they are forced to.

Baker said the benefit of exposing code and allowing interested groups and individuals to look at your core infrastructure is that bugs are exposed quickly and publicly, and can be resolved swiftly.

Terry Cox, vice president of content at Linux Academy, pointed out that maintaining software security is a cyclical, never-ending process, and that the need for constant vigilance contributes in large part to security failures, whether in open source or commercial applications.

"At least with open source, I can immediately start pulling it apart without an NDA or other copyright limitations preventing me from understanding and mitigating my security exposures," he told LinuxInsider.

Unchecked Code Is Problematic

Francis Dinha, CEO of OpenVPN, noted that unchecked use of open source is a growing problem in software development and enterprise applications.

He cautioned that careless use of open source software presents a huge liability to companies, and that those who choose to use it need to do their research first.

"Use open source software that is mature, developed and supported by a real business," Dinha told LinuxInsider.

Mark Radcliffe, a partner at DLA Piper, said that most open source software is still more secure than proprietary software, and that many proprietary software vendors are much slower to fix bugs because fixes are tied to their release cycle.

"Companies should adopt a robust OSS Use Policy and enforce it. Part of the policy should include having engineers regularly check project sites for security and other updates," he told LinuxInsider. "They should integrate the management of OSS into their development methodology, and treat the process similar to enterprise resource planning-implemented procedures."

Management Problem

Flexera's Luszcz noted that a compelling driver of open source adoption is the need for solutions to technical problems when developing a software application. Nobody is misusing or poorly using open source code for malicious purposes.

Developers want to solve the technical problems they encounter. They use high-quality open source code that solves application problems. However, he explained, they have no mandate to follow the licensing and pursue the patching.

"For a typical company, the time to do that is not on the road map. If you do not have it in your process, then it does not get done. This creeps up on management," Luszcz said. "This is not an open source problem. Open source is great. Its components are high quality, and it is driving innovation. It is really a management issue."

Workflow Issues at Fault

Howard Green, vice president of marketing at Azul Systems, noted that open source is part of today's engineering landscape, and that responsibility for following best practices starts with development teams and the architects who work with them.

"Companies that fail to follow best practices will have issues whether they are embracing open source or not," he told LinuxInsider.

Green maintained that there is no apparent increase in carelessness or failure to review code before it goes into production.

Some organizations may stumble quite visibly in this regard, he acknowledged, but "they cannot be characterized as anything but outliers. Senior operations and line-of-business executives need to understand and actively manage the technologies that drive their business."

Original title: Companies Turn Blind Eye to Open Source Security Risks

Original text: Many software developers and enterprise users have been lax or oblivious to the need to properly manage open source software, suggest survey results Flexera released Tuesday.

Companies are not mindful of open source components and fail to monitor security implications, according to the report, which highlights the consequences of failure to establish open source acquisition and usage policies, and to follow best practices.

Flexera polled more than 400 commercial software suppliers and in-house software development teams within enterprises about their open source practices.

More than half of the software products currently in use contain open source components, based on the survey's findings.

Open source software allows companies to be nimble in their development, but the risks and security implications are grossly overlooked and not adequately managed, according to Flexera's research team.

"We did this study to put some numbers behind what we have been seeing with open source developers over the last decade," said Jeff Luszcz, vice president of product management at Flexera.

What still is surprising in the 2017 process is how little process and control there is around the use of open source and commercial code in software development, he told LinuxInsider.

Survey Highlights

Among those who responded to Flexera's survey were software suppliers, Internet of Things manufacturers and members of in-house development teams. Their responses formed the basis of Flexera's report, "Open Source Risk -- Fact or Fiction."

A clear benefit of open source software is that it helps software suppliers to be nimble and build products faster, according to Flexera. The report reveals hidden software supply chain risks that all software suppliers and IoT manufacturers should know about.

· Only 37 percent of respondents had an open source acquisition or usage policy.

· Sixty-three percent said either that their companies did not have an open source acquisition or usage policy, or they did not know if one existed.

· Thirty-nine percent of respondents said that either no one within their company was responsible for open source compliance, or they did not know who was.

· Thirty-three percent of respondents said their companies contributed to open source projects.

· Of the 63 percent who said their companies did not have an open source acquisition or usage policy, 43 percent said they contributed to open source projects.

Open Source is a clear win. Ready-to-go code gets products out the door faster, which is important given the lightning pace of software development, said Flexera's Luszcz.

"However, most software engineers do not track open source use, and most software executives do not realize there is a gap and a security/compliance risk," he added.

The key lesson the report teaches software and IoT companies is that their processes for managing open source security and licensing have not kept pace with open source's rapid adoption. That is putting the companies and their customers at risk.

No Safety Zone

A debate still rages over which type of software is safer to use -- open source or proprietary. No scenario exists in which proprietary software is safer than open source, argued Mike Baker, managing partner at Mosaic451.

"Security through obscurity does not work. It has never worked," he told LinuxInsider.

A clear and obvious structural conflict of interest exists for a privately held company to acknowledge that its core product -- its software -- would pose terrible risks in the event it was hacked. Private companies do not acknowledge these things unless they are forced to do so.

The benefits of exposing code and allowing interested groups and individuals to look at your core infrastructure is that bugs are exposed quickly and publicly, and can be resolved swiftly, Baker said.

Maintaining software security is a cyclical, never-ending process, and the need for constant vigilance contributes in large part to security failures, whether in open source or commercial applications, observed Terry Cox, vice president of content at Linux Academy.

"At least with open source, I can immediately start pulling it apart without NDA or other copyright limitations preventing me from understanding and mitigating my security exposures," he told LinuxInsider.

Unchecked Code Problematic

Unchecked use of open source is a growing problem in software development and enterprise applications, noted Francis Dinha, CEO of OpenVPN.

Careless use of open source software presents a huge liability to companies, and those who choose to use it need to do their research first, he cautioned.

"Use open source software that is mature, developed and supported by a real business," Dinha told LinuxInsider.

Still, most open source software is more secure than proprietary software, and many proprietary software vendors are much slower to fix bugs since they are tied into their release cycle, said Mark Radcliffe, a partner at DLA Piper.

"Companies should adopt a robust OSS Use Policy and enforce it. Part of the policy should include having engineers regularly check project sites for security and other updates," he told LinuxInsider. "They should integrate the management of OSS into their development methodology, and treat the process similar to enterprise resource planning-implemented procedures."

Management Problem

A compelling driver for open source software adoption is the need for solutions to technical problems when developing a software application, noted Flexera's Luszcz. Nobody is misusing or poorly using open source code for malicious purposes.

Developers want to solve the technical problems they encounter. They use high-quality open source code that solves application problems. However, they don't have a mandate to follow the licensing and pursue the patching, he explained.

"For a typical company, the time to do that is not on the road map. If you do not have it in your process, then it does not get done. This creeps up on management," Luszcz said. "This is not an open source problem. Open source is great. Its components are high quality, and it is driving innovation. It is really a management issue."

Workflow Issues at Fault

Open source is part of today's engineering landscape, noted Howard Green, vice president of marketing at Azul Systems, and responsibility for following best practices starts with development teams and the architects who work with them.

"Companies that fail to follow best practices will have issues whether they are embracing open source or not," he told LinuxInsider.

There's no apparent increase in carelessness or failure to review code before it goes into production, maintained Green.

Some organizations may stumble quite visibly in this regard, he acknowledged, but "they cannot be characterized as anything but outliers. Senior operations and line-of-business executives need to understand and actively manage the technologies that drive their business."

Original author: Jack M. Germain

Original link: https://www.technewsworld.com/story/84890.html

Translator: 田冠宇
