It doesn't make much sense: At a time when high-powered automated trading systems can execute stock sales in real time, some companies that rely on open-source software to help to run their businesses track their open-source use on spread sheets on paper.

Lou Shipley, chief executive of Black Duck Software, which sells products to manage and protect open-source software, says the most effective way for companies to understand what is in their open-source software and how to better control it is to use automated processes that scan applications for open-source code, create an inventory of open-source components and check those components against what is in open-source vulnerability databases. Doing this lets companies identify any known vulnerabilities and monitor for any newly reported ones, he said.

Black Duck's Center for Open Source Research & Innovation (Cosri) in 2016 looked at 1,000 applications that were audited by companies considering mergers and acquisitions. Ninety-six percent of the apps included open-source software, with more than 60% of the open-source software harboring known open-source security vulnerabilities.

"As more open source gets into the code base it becomes critical" to take those steps to understand what is in your code and what it may be vulnerable to, said Mr. Shipley in an interview.

As more attention is paid to open-source software in the wake of the Equifax breach, Mr. Shipley said the theft of personal data of around 143 million people should never have occurred. "This was a publicly disclosed vulnerability and there was a patch for it," he said. Equifax "just weren't managing their code."

Equifax said hackers exploited a vulnerability with a U.S. website application called Apache Struts CVE-2017-5638. The company acknowledged the vulnerability was identified and disclosed in early March and said it "took efforts to identify and to patch any vulnerable systems," but some security specialists questioned when and whether Equifax properly patched the vulnerability.

Open-Source Software Left Unpatched

There are a number of reasons why companies don't move quickly to install fixes for their open-source vulnerabilities, said Mr. Shipley. There is the pressure developers feel to get products to market quickly, and he said that pressure intensifies as more of the world's business relies on software to be transacted.

Another reason is, unlike software from companies such as Microsoft, Oracle or SAP SE that send notices of when new patches and fixes are available, there are no notices sent with open-source software updates, he said. Companies go through an evolution of whether to retire some apps and when to do so, and some do a better job than others of staying on top of this task, he said.

"Some companies are not keeping track of that, are not aware they need to patch it," said Mr. Shipley. For example, most engineers or chief information officers don't know how much open-source software they are using. "They need visibility and control and they need to deploy a system to do that and many haven't gotten around to it," he said. "They try to manage it manually, with one guy with spreadsheets, but unless you automate it and put a software system in place, you really are at risk."

Companies wanting to get ahead on this need to look at their application security protocols and make sure they have a strategy for securing apps, both legacy apps and what is getting run and deployed today, said Mr. Shipley. "Do nightly scans of your code," he said. "We recommend as good hygiene that you audit your code to keep track. Our customers, the best ones anyway, are constantly doing that."

Another thing some companies do, and others should consider, said Mr. Shipley, is requiring software developers to provide a "bill of materials" to show what exactly is included in the code. "Think of it as a food label, the list of ingredients on the inside," he said. "That's essentially what a bill of material is. One of the big risks is whether third-party software outsourced from India, China or who knows where. What's in that code? I need a filter to say, when I bring that code into my company, that I know it's safe."

(Ben DiPietro is an editor and reporter for Risk & Compliance Journal. He worked previously as online editor at seafood industry news service Intrafish and as a reporter with Associated Press and Pacific Business News in Hawaii. Write to Ben at [email protected])

Credit: By Ben DiPietro