“Open source software is incredibly important,” says David Harmon, director of software engineering at AMD. “It provides an environment for collaboration and technical advancement. Experienced users can look at the code themselves; they can evaluate it; they can review it and see if the code they’re getting is legitimate and practical for what they’re trying to do.”
But open source software can also compromise an organization’s security posture by introducing hidden vulnerabilities that fly under the radar of busy IT teams, especially with the rise of cyberattacks targeting open source software. Open source software may contain vulnerabilities, for example, that could be exploited to gain unauthorized access to confidential systems or networks. Malicious actors may even deliberately insert code into open source software that enables later exploitation (a “backdoor”) and compromises the security posture of every organization that adopts it.
“Open source software helps increase productivity and collaboration, but it also poses security challenges,” says Vlad Korsunsky, vice president of cloud and enterprise security at Microsoft. Part of the problem is that open source software brings code into an organization’s code base that can be difficult to verify and track. Organizations often don’t know who made changes to open source code or the intent of those changes, factors that can increase a company’s attack surface.
Complicating matters further, the growing popularity of open source software coincides with the rise of the cloud and its own set of security challenges. Cloud-native applications running on open source software, such as Linux, offer significant benefits, including greater flexibility, faster release of new software features, effortless infrastructure management, and increased agility. But they can also create vulnerabilities in an organization’s security posture, or worse, overburden development and security teams already busy with constant threat signals and endless to-do lists to improve security.
“When you move to the cloud, many of the threat models change completely,” says Harmon. “The performance aspects are still relevant, but the security aspects are more important. No CTO wants to be in the headlines for breaches.”
However, staying out of the news is becoming increasingly difficult: According to Flexera’s State of the Cloud 2024 survey, 89% of businesses are using multi-cloud environments. Cloud spending and security top the list of cloud challenges respondents face. Security firm Tenable reported in its Cloud Security Predictions 2024 report that 95% of organizations surveyed had suffered a cloud breach in the 18 months leading up to the survey.
Security from code to cloud
Until now, organizations have relied on security testing and analytics to examine application output and identify security issues that need to be fixed. But these days, dealing with a security threat requires more than just knowing how the application is configured at runtime. Organizations need to get to the root cause of the problem.
This is a difficult task that requires balancing the efforts of IT security teams, says Korsunsky. “Even if you can establish a connection between code and the cloud, the security team may be reluctant to deploy a solution if they are unsure of its potential impact on the business. For example, a solution may improve security but may also disrupt some functionality of the application itself and negatively impact employee productivity,” he says.