When organizations embark on securing open-source software within their applications, they are often overwhelmed by the number of discovered vulnerabilities. The initial shock of the sheer volume can be paralyzing, especially for companies that are still building out their open-source governance. However, there is a structured, effective approach that can significantly reduce these risks. Here’s the method I used to reduce vulnerabilities by 99% over two years.
Step 1: Stopping New Vulnerabilities
The first crucial move is to prevent the introduction of new vulnerable components into your applications. This involves setting up robust open-source security policies. Such policies should stipulate that no new components with known vulnerabilities are to be used in the codebase. You can enforce these policies by integrating Software Composition Analysis (SCA) tools into your CI/CD pipeline and configuring them to automatically scan and fail builds when a violation occurs.
The benefit of enforcing security policies early in the software development lifecycle is that it prevents new problems from entering your environment. This foundational step ensures you aren’t compounding the vulnerability debt while addressing existing issues.
Step 2: Classify Your Applications
Classification of your organization’s applications based on their criticality and sensitivity is the next step. Doing so helps in prioritizing which vulnerabilities to address first. You don’t have to reinvent the wheel here, most organizations can leverage existing data classification frameworks or business impact analysis (BIA) classifications to categorize their applications. The outcome of this is that you’ll know which are your critical systems, which are applications that handle sensitive data or are crucial for business operations. And which are your lower priority systems, which are applications that have less business impact and lower sensitivity.
Step 3: Prioritizing Vulnerability Remediation
With applications classified, focus on the most significant risks first. Start by tackling critical and high-severity vulnerabilities in your critical applications.
Tips for managing this stage effectively:
• Avoid overwhelming development teams with exhaustive lists of vulnerabilities. Instead, give them prioritized tasks.
• Filter vulnerabilities further based on exploitability if your SCA tool supports it, or using the Exploit Prediction Scoring System (EPSS) to gauge real-world threat likelihood.
• Collaborate with teams to set realistic remediation deadlines based on workload and risk assessment.
Step 4: Remediate Methodically
Progress gradually through the backlog. Address the critical issues first, and then systematically work down the list. During my experience, even with a daunting number of vulnerabilities at the outset, we managed to drastically reduce the count over two years, without sacrificing development speed.
Step 5: Maintain a Strong Open-Source Security Program
Even after addressing existing vulnerabilities, a long-term strategy is essential to keep your security posture strong. Introduce Service Level Objectives (SLOs) for dealing with newly discovered vulnerabilities in your existing open-source components.
The SLOs should be aligned with the development team’s workflows and be based on the application’s classification, vulnerability severity and exploitability.
Step 6: Keeping Open-Source Components Current
One often overlooked aspect of open-source security is ensuring that components are kept up to date. Using outdated libraries can leave your applications vulnerable, even if they don’t currently have known issues. Regular updates provide access to bug fixes, security patches, and performance improvements.
Strategies to keep dependencies current:
- Scheduled Maintenance: Set aside regular time for teams to update components as part of ongoing maintenance.
- Release Policies: Implement policies that require building on the latest stable releases.
- Automation Tools: Use solutions like GitHub Dependabot or Renovate to automate dependency updates. This approach can simplify the process but should be balanced with manual oversight to avoid breaking changes.
Conclusion
Securing open-source software is a continuous journey, but with a strategic approach, organizations can significantly mitigate risk. By halting the introduction of new vulnerabilities, categorizing and prioritizing remediation efforts, and setting up a long-term maintenance strategy, you can protect your applications and ensure a more secure development environment.
Taking the time to structure your open-source security program will not only help in reducing vulnerabilities but also instill a culture of proactive security within your development teams.