In a cloud-powered environment, open source software is not just a tool; it is the fuel that accelerates innovation and promotes transparency. But as open source software (OSS) comes to make up more and more of the enterprise code base, organizations need to address its cybersecurity risks proactively while managing the complexity of their open source software supply chains. To maintain both security and operational efficiency, organizations are looking to new open source software security tools and strategies.
Kosai Inc. is a platform that bridges the gap between open source maintainers and enterprise consumers, helping organizations secure their open source ecosystems while minimizing risk, said Jonathan Simkins, co-founder and CEO of Kosai.
“Our mission at Kosai … is to unleash the potential of open source software by giving open source maintainers the chance to make a living from their work and software developers the chance to trust its security,” he said.
Enterprise applications have long included at least some open source. The main concern at the time was compliance with the licensing terms.
“Now more than three-quarters of the entire enterprise code base is open source. The average application contains 526 different open source projects… and open source adoption is still growing very quickly,” said Simkins.
Simkins spoke with Rob Strechay, lead analyst at theCUBE Research, during an AnalystANGLE segment on theCUBE, SiliconANGLE Media’s livestreaming studio. They discussed how open source software security is no longer a matter of legal compliance but a software supply chain risk that must be managed proactively.
Increasing importance of open-source software security for enterprise applications
Companies need to manage their software supply chains, but many open source code maintainers are volunteers. Typically, they are unable to provide the level of support available from a commercial vendor, such as Microsoft Corp. or Oracle Corp.
“So we founded Kosai last year to fill this gap. We want to effectively be the adapter that enables these two communities to create a solid connection,” said Simkins.
Innovation is an important driver of open source adoption. As that adoption continues to grow, companies must adapt while managing the cybersecurity risks that come with it.
“AI is currently driving innovation. Before that it was augmented reality. Before that it was blockchain,” said Simkins. “Maybe quantum computing will be the next thing that will move the needle. What you can say with certainty is that the next big thing will be (based on) open source.”
The modern open source ecosystem offers transparency and innovation, but it also carries risk. That risk has expanded beyond the contained world of proprietary software to the entire software supply chain, and outdated components with known vulnerabilities are a cybersecurity exposure that organizations must be able to address.
“Eighty-four percent of the enterprise code base contains at least one known open-source vulnerability,” Simkins said. “Seventy-four percent of them are high risk. (This is) a big increase from 2022… when only 48% were high risk.”
This is what happens when a major innovation such as AI arrives: it is so new that it has not yet been secured. According to Simkins, most organizations also run extremely outdated open source software.
“Ninety-one percent of enterprise apps use extremely outdated open source or… abandonware. That’s a scary number, meaning that for the vast majority of code, no one supports it anymore,” he said.
This trend, exacerbated by rapid innovation in areas such as AI, has left companies exposed. New technologies often emerge faster than security practices can keep up, which makes proactive open source software security management essential.
“There will be no patch. When, not if, a major breakthrough occurs, no cavalry comes to the rescue. Enterprise software is (essentially) open source software; there is no real distinction anymore. Enterprise software supply chains are deteriorating in terms of security,” said Simkins.
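The two headline figures above, the share of components carrying a known vulnerability and the share that are no longer maintained, are things a team can measure for its own code base. The Python script below is an added illustration, not Kosai’s product or code: it parses a pinned requirements-style manifest, matches each pin against half-open advisory ranges (introduced <= version < fixed, the convention OSV-style feeds use), and flags components with no upstream release in three years. The manifest, package names, advisory identifiers, release dates and the three-year threshold are all constructed for the example.

```python
"""Audit a pinned dependency manifest for known-vulnerable and unmaintained
packages.  Added example: every package, advisory and date below is constructed."""
import re
from datetime import date

# Constructed requirements-style manifest (not a real project).
MANIFEST = """\
# constructed manifest
acme-http==2.19.1
yamlish==5.1
leftpad-compat==0.0.3   # pinned years ago, upstream dormant
crypto-utils==41.0.7
"""

# Constructed advisory feed: package -> [(introduced, fixed, advisory_id)].
# Ranges are half-open, introduced <= version < fixed, as in OSV-style feeds.
ADVISORIES = {
    "acme-http": [("0", "2.20.0", "CONSTRUCTED-ADV-001")],
    "yamlish": [("0", "5.4", "CONSTRUCTED-ADV-002")],
    "crypto-utils": [("40.0.0", "41.0.0", "CONSTRUCTED-ADV-003")],  # fixed in 41.0.0
}

# Constructed maintenance metadata: package -> date of latest upstream release.
LAST_RELEASE = {
    "acme-http": date(2024, 5, 29),
    "yamlish": date(2024, 8, 6),
    "leftpad-compat": date(2017, 3, 1),
    "crypto-utils": date(2024, 5, 15),
}

STALE_AFTER_DAYS = 3 * 365  # assumption: no release in three years = abandonware


def version_key(version):
    """Comparable key for dotted numeric versions ("2.19.1" -> (2, 19, 1)).
    Trailing zeros are stripped so "2.20" == "2.20.0".  Pre-release suffixes
    such as "rc1" are not modelled (assumption: the manifest pins releases)."""
    parts = [int(p) for p in re.findall(r"\d+", version.split("+")[0])]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts or [0])


def parse_manifest(text):
    """Return (name, version) pairs for '==' pins; comments and unpinned lines are skipped."""
    pins = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "==" not in line:
            continue
        name, version = (s.strip() for s in line.split("==", 1))
        pins.append((name.lower(), version))
    return pins


def affected_by(name, version, advisories):
    """Advisory IDs whose half-open range contains the pinned version."""
    key = version_key(version)
    return [
        adv_id
        for introduced, fixed, adv_id in advisories.get(name, [])
        if version_key(introduced) <= key < version_key(fixed)
    ]


def audit(manifest_text, advisories, last_release, today, stale_after_days):
    """Classify each pin and compute the two metrics quoted in the article:
    share of components with a known advisory and share that look unmaintained."""
    pins = parse_manifest(manifest_text)
    vulnerable, stale = {}, {}
    for name, version in pins:
        hits = affected_by(name, version, advisories)
        if hits:
            vulnerable[name] = hits
        released = last_release.get(name)
        if released is None:
            stale[name] = "no release metadata (treated as unmaintained)"
        elif (today - released).days > stale_after_days:
            stale[name] = f"last release {released.isoformat()}"
    total = len(pins) or 1
    return {
        "total": len(pins),
        "vulnerable": vulnerable,
        "stale": stale,
        "pct_vulnerable": round(100 * len(vulnerable) / total),
        "pct_stale": round(100 * len(stale) / total),
    }


def run_example(today=date(2025, 1, 15)):
    """Run the audit over the constructed inputs with a fixed date for reproducibility."""
    return audit(MANIFEST, ADVISORIES, LAST_RELEASE, today, STALE_AFTER_DAYS)


if __name__ == "__main__":
    report = run_example()
    print(f"{report['pct_vulnerable']}% of {report['total']} pins carry a known "
          f"advisory: {report['vulnerable']}")
    print(f"{report['pct_stale']}% look unmaintained: {report['stale']}")
```

Run as a script it prints which pins to upgrade first with the same percentage view as the statistics quoted above. In practice the advisory ranges and release dates would come from a vulnerability database and the package index rather than from the inline dictionaries, and the version comparison would need a full PEP 440 implementation before it could be trusted on pre-release pins.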
Shifting left: Open-source software security and developer productivity
The “shift left” movement, which emphasizes performing security checks earlier in the development process, has been widely discussed in the IT world. While the concept makes organizational sense, Simkins noted that it can be burdensome for developers.
“From a developer perspective, Shift Left sounds a lot like delegation. ‘This wasn’t my job. I didn’t sign up for this,’” Simkins said. “If poorly managed, a shift to the left could lead to exhaustion.”
Embedding security testing earlier in the software development lifecycle is still a good idea. But developers are under enormous pressure to deliver features quickly.
“If bugs, open-source Common Vulnerabilities and Exposures (CVEs), and other technical debt get in the way, that’s just not going to happen,” Simkins said. “The point is that developers actually want to deliver features quickly. That’s why most of them chose that profession. A well-run engineering organization strives to deliver that employee experience to their software developers.”
Kosai’s approach aims to take responsibility for managing open source software security so developers can focus on what they do best: innovating.
“What we’re offering is basically an easy button that lets you get your developers back to doing what they want to do,” Simkins added.
Involvement in the open source community
It is important that companies engage with and support the open source community. By doing this, enterprises can ensure the long-term viability of the software they rely on, creating a healthier ecosystem for everyone, Simkins said.
“Most software developers I’ve met are creative types and they want to build things. If you can outsource something that doesn’t bring new features, then do it,” he said. “As far as I know, we are the first company to offer extremely outdated versions of open source and abandonware.”
According to Simkins, rigorous security practices remain essential for organizations. It also makes sense to take advantage of any commercial support available, such as Red Hat Linux or Databricks, where applicable, and to adopt the open source security tools that already exist. He also recommends that organizations establish an open source program office (OSPO).
“Here I think you’re really entering the realm of best practice. If you have an OSPO you are certainly way ahead of the curve,” said Simkins.
Talk to your developers, analyze your JIRA data, and find out what is costing developers time. By taking a thoughtful, data-driven approach, companies can improve both productivity and security, he added.
“(This can) help leadership prioritize what to outsource next… and lead to the right tools and suppliers… Every company will be different. It is not a one-size-fits-all recommendation,” said Simkins.
Here’s theCUBE’s full AnalystANGLE segment with Jonathan Simkins:
Photo: SiliconANGLE/Bing