From Heartbleed to ImageTragick, vulnerabilities in open source software are repeatedly making headlines, each punching a new security hole in a large portion of the Web. These vulnerabilities are bad, but more importantly they’re extremely prevalent due to the mass adoption of open source software.
But who is responsible for avoiding or fixing these issues? Do we expect an unpaid OSS author to drop everything and rush to fix a newly found vuln? And how likely is a single developer, without a surrounding team, to have the security expertise and tooling needed to avoid the issue in the first place?
Alternatively, do we expect OSS consumers to own securing code they didn’t write? Companies are struggling with auditing their own code and treat OSS as off-the-shelf software, assuming someone else owns its security—if they consider the question at all.
This challenge is fundamental to the future of open source.
Guy Podjarny digs into the core problem elements, demonstrating why this is something we have to tackle together, as a community—OSS authors, OSS consumers, and security tooling providers alike. Guy discusses the steps each needs to own and take so we can keep open source secure together.
Guy Podjarny is Snyk’s co-founder and CEO, focusing on using open source and staying secure. Guy was previously CTO at Akamai following their acquisition of his startup, Blaze.io, and worked on the first web app firewall & security code analyzer. Guy is a frequent conference speaker & the author of O’Reilly “Securing Open Source Libraries”, "Responsive & Fast” and “High Performance Images”.
©2016, O’Reilly UK Ltd • (800) 889-8969 or (707) 827-7019 • Monday-Friday 7:30am-5pm PT • All trademarks and registered trademarks appearing on oreilly.com are the property of their respective owners. • firstname.lastname@example.org