This year has been the best of times and the worst of times for open source code and security.
On the one hand, the latest survey by Black Duck Software and North Bridge Venture Partners shows that 72 percent of industry professionals prefer open source software because it's more secure than proprietary solutions.
On the other hand, Heartbleed exposed a security flaw in the widely used, open source OpenSSL encryption tool that affected more than half a million websites. Also this spring, TrueCrypt unexpectedly shut down, citing "unfixed security issues" on its SourceForge page, and a critical bug in GnuTLS, a Linux encryption library, was finally exposed after having gone undiscovered for more than 10 years.
Open source software is widely used in business: in web servers running Linux and Apache, in databases, in the Android operating system, in code libraries used by enterprise developers, and embedded in commercial software packages.
Avoiding open source completely is not an option, but blindly trusting the open source community to fix all mistakes is also problematic.
One solution is to use automated code-scanning tools to scan code for known vulnerabilities and common programming errors. Fortunately, the automated tools are getting better every year.
Trust, but verify
Over the past few years, more than 5,000 security vulnerabilities have been found in open source code, according to the National Vulnerability Database.
Ideally, a company would check each of these vulnerabilities against the open source software packages it uses, against the open source software used inside commercial packages, and even against pieces of code that its own programmers copied off the Internet.
"The reality is that developers every day cut-and-paste code from open source projects," said Dave Gruber, VP of product management at Black Duck Software.
And large organizations add new open source software to their environments all the time, meaning that vulnerability checking has to be an ongoing process.
"For organizations that do that manually, it gets very overwhelming very quickly," said Gruber.
Black Duck Software, in addition to running an annual survey about how companies use open source, also offers software scanning tools that help companies find all the open source software, components, and even snippets that they are using, and then check them against the list of known vulnerabilities.
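As an added illustration (not Black Duck's product and not code from this article), the Python script below shows the core of the check described above: matching an inventory of open source components against a list of known vulnerabilities by affected version range, including the "fix not yet available" case. All component names, versions and advisory ids are constructed placeholders.

```python
# Added example: match an inventory of open source components against a
# constructed, NVD-style list of known vulnerabilities by version range.
# All package names, versions and advisory ids below are constructed
# placeholders, not real NVD records.
from dataclasses import dataclass
from typing import Optional

def parse_version(v: str) -> tuple:
    """Turn '1.0.1f' into a comparable tuple: ((1,''), (0,''), (1,'f'))."""
    parts = []
    for piece in v.split("."):
        num = "".join(ch for ch in piece if ch.isdigit())
        suffix = piece[len(num):]          # letter suffixes sort after bare numbers
        parts.append((int(num) if num else 0, suffix))
    return tuple(parts)

@dataclass
class Advisory:
    id: str                     # placeholder advisory id
    component: str              # component name as it appears in the inventory
    affected_from: str          # first affected version (inclusive)
    fixed_in: Optional[str]     # first fixed version (exclusive); None = unfixed

def is_affected(version: str, adv: Advisory) -> bool:
    """True when the installed version falls inside the advisory's range."""
    v = parse_version(version)
    if v < parse_version(adv.affected_from):
        return False
    return adv.fixed_in is None or v < parse_version(adv.fixed_in)

def scan(inventory: dict, advisories: list) -> dict:
    """Return {component: [advisory ids]} for every vulnerable component."""
    findings = {}
    for adv in advisories:
        version = inventory.get(adv.component)
        if version is not None and is_affected(version, adv):
            findings.setdefault(adv.component, []).append(adv.id)
    return findings

# Constructed sample data: an inventory of components with their versions and
# a short advisory list; "libfoo" has no fix yet, so every version from 1.0 on is flagged.
ADVISORIES = [
    Advisory("EXAMPLE-0001", "openssl", "1.0.1", "1.0.1g"),
    Advisory("EXAMPLE-0002", "gnutls", "2.0.0", "3.2.12"),
    Advisory("EXAMPLE-0003", "libfoo", "1.0", None),
]
INVENTORY = {"openssl": "1.0.1f", "gnutls": "3.2.12", "libfoo": "1.4", "apache": "2.4"}

if __name__ == "__main__":
    for comp, ids in scan(INVENTORY, ADVISORIES).items():
        print(f"{comp} {INVENTORY[comp]}: {', '.join(ids)}")
```

Re-running the scan whenever the inventory or the advisory list changes is what makes the check the ongoing process the article calls for.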
Its 1,400-plus customers include 27 of the Fortune 100, six of the top 10 investment banks, and seven of the top 10 software companies. The company currently has more than a million open source projects in its database, Gruber said.
"We track all the major open source forges in the world," he said.
Find new bugs before they bite
Finding and patching known vulnerabilities is important and is a critical first step to securing open source software.
Sign up for CIO Asia eNewsletters.