3rd Party Risk Management , Application Security , Governance & Risk Management

Proof of Concept: Overcoming Open-Source Code Security Risks

DXC Technology, Aquia CISOs on Challenges, Best Practices of Managing Code Bases
Clockwise, from top left: Anna Delaney, Mike Baker, Chris Hughes and Tom Field

In the latest "Proof of Concept," DXC Technology Vice President and CISO Mike Baker and Chris Hughes, co-founder and CISO of Aquia, join Information Security Media Group editors to discuss the benefits, challenges and misconceptions of adopting open-source software in modern code bases - plus best practices for securing them.

See Also: Breaking Down Silos With a Holistic View of Security, Risk

"Software asset inventory has been a critical control for decades, and many organizations just don't have a good understanding of what open-source software they're using, whether for internally developed software or that they're consuming from third parties," Hughes said. "When you look at the maintenance of the open-source software ecosystem, some of the metrics are downright alarming: 25% of projects in the open-source ecosystem have one single maintainer contributing code to it, 94% of them have less than 10."

Baker, a CyberEdBoard member, advised organizations to strike a balance between taking advantage of open-source software and mitigating the associated security risks. And make sure to ask the right questions up front.

"Is it a risk acceptance sort of thing, or is it something that you're going to apply slowly across non-mission critical applications or uses?" Baker said. "This is something that organizations need to prioritize starting now, right across all of their software, not just open source, to understand what their third-party risk management program looks like. Is it accounting for software supply chain risk? Are they keeping up with the industry that's rapidly evolving?"

In this Proof of Concept panel discussion, Baker and Hughes joined Anna Delaney, director, productions, ISMG, and Tom Field, vice president, editorial, ISMG, to discuss:

  • Challenges organizations face in consuming and maintaining open-source software components within their code, particularly in terms of visibility and tracking;
  • Common misconceptions about open-source maintainers, and how to better understand and manage code assets;
  • How to take full advantage of open-source software while mitigating security risk.

Baker, who leads cybersecurity for the IT organization at DXC Technology, is an accomplished cybersecurity executive, with 20 years of experience in the field across leadership, talent development, risk management, audit and compliance. He has served as CISO and consultant to clients across multiple industries including aerospace and defense. He manages a team of professionals across internal cyber operations, network defense, policy, awareness, incident response, threat intelligence, secure architecture and reputational protection. Baker serves on the Cybersecurity Maturity Model Certification Accreditation Body Industry Advisory Group.

Co-founder of Aquia, Hughes is the author of Software Transparency: Supply Chain Security in an Era of a Software-Driven Society. He has nearly 20 years of IT and cybersecurity experience ranging from active duty time with the U.S. Air Force, a civil servant with the U.S. Navy and General Services Administration/FedRAMP, as well as time as a consultant in the private sector. He also serves as an adjunct professor for M.S. cybersecurity programs at Capitol Technology University and University of Maryland Global Campus. He also participates in industry groups including the Cloud Security Alliances Incident Response Working Group and serves as membership chair for Cloud Security Alliance D.C. He also co-hosts the Resilient Cyber podcast and holds various industry certifications such as the CISSP/CCSP from ISC2 as holding both the AWS and Azure security certifications.

Don't miss our previous episodes of "Proof of Concept," including the Aug. 10 edition on managing software supply chain woes and the Aug. 31 edition on securing digital services.

About the Author

Anna Delaney

Anna Delaney

Director, ISMG Productions

An experienced broadcast journalist, Delaney conducts interviews with senior cybersecurity leaders around the world. Previously, she was editor-in-chief of the website for The European Information Security Summit, or TEISS. Earlier, she worked at Levant TV and Resonance FM and served as a researcher at the BBC and ITV in their documentary and factual TV departments.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.co.uk, you agree to our use of cookies.