Nov 15, 2023

| Membership (fee-based) You'll be asked to sign into your Forbes account. Nov 15, 2023, getty Across the digital marketplace, we’re in an era of high open-source code usage. Tech companies often incorporate open-source code snippets in their own software, while businesses across industries often opt for open-source products for daily work. While there are no doubt convenience and productivity benefits to tapping open-source products and libraries, because anyone can access and modify open-source code, it does present the challenge of ensuring secure software dependencies. It’s essential for organizations that leverage open-source code libraries and products to establish comprehensive strategies—which may include specialized tools—to minimize their vulnerability and security risk and, in the case of tech companies, assure users that their software is built on a secure foundation. Below, members of Forbes Technology Council share effective tools and strategies to help organizations maintain safe, sustainable software dependencies. 1. Publish An SBOM With Every Software Release Publishing a software bill of materials with every single software release, along with a suitable, auditable Software Package Data Exchange (or something similar), is the way forward. It’s an important step in open-source software usage and in earning trust as a software builder or vendor. - Amandeep Midha , Hybrid Greentech Energy Storage Intelligence 2. Don’t Overlook Machine Learning Bills Of Materials One of the most overlooked areas of open-source security is artificial intelligence and machine learning. Third-party and open-source software is often used to build machine learning models, from foundational models to OSS libraries, packages and frameworks. A machine learning bill of materials, or MLBOM, exposes which open-source components are contained in ML models and AI apps to provide context for threat detection and remediation. - Ian Swanson , Protect AI MORE FOR YOU 3. Generate SBOMs For Off-The-Shelf Products An often-overlooked area of software security is open-source component risk in purchased software products that are used to run a business. Generating a software bill of materials for commercial off-the-shelf software can catalog the open-source vulnerabilities they contain so that security risks can be remediated before applications are deployed. - Vince Arneja , CodeSecure 4. Use Modern CI/CD Pipeline And Engineering Tools It’s important to use modern continuous integration and continuous delivery pipeline and engineering tools to automatically discover vulnerabilities, upgrade dependencies, provide comprehensive reporting and analysis on threat exposure, and even recommend performance improvements. When connected with real-time operational feedback, these tools can predict new alternatives, boosting the customer experience and lowering the cost per transaction. - Mark Mahle , NetActuate, Inc. 5. Use A Comprehensive Management Program Use a comprehensive open-source software management program. Just as an organization would inventory any other important asset, open-source usage needs to be managed. A comprehensive program includes conducting regular audits, tracking and monitoring dependencies, and enforcing license compliance. Additionally, consider software composition analysis tools to identify and mitigate security risks with open-source components. - Christopher Daden , Criteria Corp 6. Follow In-House Code Protocols For Open-Source Code Treat open-source code as if you wrote it yourself. Make no assumptions about its security or safety, because there are no guarantees. Use code security and software composition analysis tools—or threat models! Imagine how attackers might exploit the open-source components, and build defenses for each attack. - Ed Adams , Security Innovation 7. Set Up Automated Monitoring Continuous automatic monitoring and updating of software dependencies is an effective technique. This entails using tools and scripts to check for updates, security patches and compatibility issues within your open-source dependencies on a regular basis. - Neelima Mangal , Spectrum North 8. Leverage Behavioral Fingerprinting Tech Establishing software supply chain tracking and being aware of vulnerabilities is an important strategy for organizations that deal with open-source software. A software product or platform is only as secure as the weakest vulnerability in its dependencies. Handling zero-day vulnerabilities in open-source code requires products that incorporate behavioral fingerprinting, a must-have technology. - Supreeth Rao , Theom, Inc. 9. Tap Into The Power Of AI AI enhances open-source dependency management. It can predict vulnerabilities using historical patterns, assign risk scores to libraries and auto-generate patches. Real-time monitoring identifies anomalies, hinting at threats. Automated reviews ensure best practices in open-source integration, and AI-driven analysis aids in future library selection. - Daniel Knauf , Material+ 10. Design With Security In Mind Design code with security embedded, not added on. Leverage microservices to give you flexibility as your needs evolve. Make sure you test continuously, that you know the potential vulnerabilities and that vulnerabilities are addressed within architecture, development and test plans. - Richard Ricks , Silver Tree Consulting and Services 11. Establish A Clear Dependencies Policy Establish a clear policy within your organization regarding which dependencies are acceptable, how often they should be updated and under what conditions they should be replaced. This can guide decision making and risk assessment. Invest in dependency-scanning tools that can analyze your codebase for vulnerabilities and recommend safer alternatives. These tools often integrate with systems such as GitHub. - Meiran Galis , Scytale 12. Consider Blockchain-Based Systems Organizations can explore blockchain-based dependency-management systems. These systems provide transparent, tamper-resistant records of software components and their dependencies, bolstering trust and security while mitigating the risk of vulnerabilities and supply chain attacks. - Sheraz Ahmed , STORM Partners 13. Collaborate On Dependency Defense Collaborate with other organizations and share insights on open-source dependencies. Create a consortium or industry group focused on collective dependency defense. By pooling knowledge and resources, organizations can collectively identify and address vulnerabilities, reducing the risk for all members and promoting safer open-source usage across industries. - Jagadish Gokavarapu , Wissen Infotech 14. Offer Bug Bounties Vulnerability reward programs, or bug bounties, are often used by blockchain protocols and projects. By rewarding external users, organizations harness diverse talent to address threats. This bolsters software security, fosters user trust and underscores a firm’s dedication to data protection. In today’s dynamic cyber threat landscape, VRPs transform vulnerabilities into fortified defenses. - Justin Goldston , Environmental Resources Management - ERM 15. Use Dependencies-Management Libraries, And Audit Regularly Dependencies-management libraries can manage and update dependencies automatically whenever there is a change in your project, whether this change was written by your team or created by incorporating open-source code. Of course, you must also manually audit constantly—these tools diminish the risk, but they don’t eliminate it completely. - Nacho De Marco , BairesDev 16. Implement SSDLC Principles The prevalence of code security issues is on the rise, and the strategies and solutions to address them are known and widely adopted. It’s essential to implement secure software development life cycle principles, adopt a shift-left approach and conduct vulnerability analysis using static application security testing tools and vulnerability scanning. This should be an ongoing, cyclical process where you periodically verify the security of implemented solutions. - Robert Strzelecki , TenderHut 17. Transition To A Microservices Architecture Transitioning to a microservices architecture can isolate dependencies, ensuring that a vulnerability in one part of an application doesn’t necessarily compromise the entire system. With microservices, each function or module of an application operates independently, meaning that dependency issues can often be resolved with minimal impact on the overall system. - Marc Fischer , Dogtown Media LLC 18. Review The Code Audit Trail When using open-source code, look at the audit trail of commits, stories and sharing with other products. Also, make a note to isolate the use of open-source code to functions where sensitive data is not present. Remember, you can choose how open-source code is utilized and when to load it in conjunction with the trail of comments, contributions and transparency. - WaiJe Coler , InfoTracer 19. Look At SCA Tools Software composition analysis tools have emerged as a vital strategy and technology for organizations. These tools are simple to use: They automatically identify open-source components and their associated licenses in a codebase. They can flag potential license-compliance issues or even notify developers about known component vulnerabilities. - Ritwik Bose , Eleviant Tech (CTG Group) Check out my  website .