Focus on Open-Source Security This Cybersecurity Awareness Month
Oct 06, 2022, by Team Anaconda
The explosion of open-source software (OSS) in the enterprise prompts a re-examining of the tools and processes that secure the technology critical to modern businesses.
Open-source security is on everyone’s mind these days thanks to incidents like the Log4j vulnerability and the global conflict stemming from the war in Ukraine. We’ve seen in recent years how small vulnerabilities in software can be exploited for massive gain by criminal enterprises, mostly through ransomware. Today, open source powers nearly every piece of software or technology, and maintaining its security is of the utmost importance.
Security is an ever-evolving job, which is why it’s important to have the right tools and processes in place to maintain security without compromising efficiency. For Cybersecurity Awareness Month, we want to highlight the varied approaches to securing open-source pipelines data scientists are taking, as well as the ways Anaconda is delivering a seamless and secure platform for open-source Python development.
What is open-source security?
Open-source security refers to the processes, tools, roles, and risks associated with open-source software. As community- and volunteer-driven software, open source is unmatched in the innovation it can unlock within organizations and has become instrumental throughout every industry. From developers using open source in their applications to non-technical users leveraging the technology to make their jobs easier, open source is everywhere. With so many ways open source can be embedded into an organization, managing and securing this software is an important function of modern IT departments.
Open Source vs. Commercial Software
There’s a reason why open-source software has permeated nearly every industry; there is simply no better alternative when it comes to enabling innovation and reduced software costs in the long term. Because open-source software is community driven and maintained, any bugs or issues are identified and dealt with out in the open, not behind a black box. This usually means that patches and fixes are deployed quickly across the most widely used open-source tools. With a whole community of developers behind projects, organizations don’t have to commit large amounts of time to maintaining software and can redirect those resources towards more efficient ends.
Still, many businesses have been built on commercial software, so it clearly has some benefits. Commercial software that has been designed to tackle specific industry needs or problems can be well worth the investment for organizations in lieu of building their own software. Additionally, commercial software vendors are incentivized to provide professional levels of support when users run into an issue, something that community-driven forums might not be able to provide an immediate solution for.
At Anaconda, we provide Anaconda Distribution for free to individual users and have invested in multiple open-source Python projects that are accessible to all. On top of our free and open-source software, our commercially licensed software is designed to provide a professional and secure platform for open-source Python programming.
Open-Source Security Learnings From the 2022 State of Data Science Report
This year, Anaconda surveyed thousands of data science students, professionals, and academics to better understand the trends driving open source and Python adoption. When it comes to security, we found more people than ever are involved in OSS creation, maintenance, and evolution. This may introduce risk into the system, but this growth can also be seen as a positive as it allows for more vulnerabilities to be caught and patched more quickly.
When asked about how organizations that use OSS ensure their supply chains are secure and meet enterprise security standards, 40.39% of respondents say they use vulnerability and security scanning software, 32.76% create and use custom and proprietary software, and 27.48% do manual model and application audits. Only 8.70% are not securing their open-source supply chains.
When asked about how organizations that use OSS ensure their data science and ML packages are secure and meet enterprise security standards, 43.03% of respondents say they use a managed repository, 35.76% use a vulnerability scanner (+5.76% YoY), and 34.13% do manual checks against a vulnerability database. 19.17% are not securing their open-source pipelines (-5.83% YoY).
Of the 7.73% of respondents whose organizations are not using open-source software, the biggest reason why is fear of vulnerabilities, potential exposures, or risks (54.48%) (+13.48% YoY).
The Log4j incident in late 2021 was a disruptive and far-reaching example of an open-source security incident. 24.90% of commercial respondents indicated their organizations scaled back their open-source software usage after the incident. But almost 33% have not scaled back their usage of OSS, indicating organizations don’t want to miss out on the affordability, flexibility, and limitless technological advancement opportunities affiliated with open source.
Read more about this year’s State of Data Science report here.
How does Anaconda support open-source security?
In April, we listed six ways we’re investing in our users and platforms to improve security, and since then we’ve made tremendous progress.
With the release of Anaconda Business, we’ve introduced governance controls that make open-source Python accessible to large organizations that must adhere to the strictest levels of security. Now, organizations can reduce their open-source vulnerability risk at the source, ensure open-source licensing compliance, and access and distribute approved-only packages for use across their teams.
One of the chief ways we ensure open-source Python is secure and compliant is through CVE curation. With so many CVEs to sift through, it can be challenging for organizations to know which vulnerabilities are true threats versus which are false alarms. That's why Anaconda's curation team reviews flagged packages, verifies what software the CVE affects, and curates a CVE status and score. Anaconda’s curation empowers organizations to trust CVE scores and easily filter CVEs based on status and the Common Vulnerability Scoring System (CVSS), only allowing packages that pass internal security policies into workflows. For more information on how Anaconda curates CVEs, read our blog.
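To make the curation idea concrete, here is an added illustration (not Anaconda's code, and not its data schema) of a policy filter that decides whether a package may enter an approved channel. It contrasts a naive scanner that counts every CVE ever attached to a package name with a filter that honours a curated status, so a CVE marked patched or mitigated no longer blocks a build. The status vocabulary, the packages and the `CVE-PLACEHOLDER-*` identifiers are all constructed for this example; a CVE the curators have not classified yet fails closed by default.

```python
from dataclasses import dataclass

# Constructed status vocabulary (an assumption, not Anaconda's schema): the
# curation team marks whether a flagged CVE actually applies to this build.
APPLICABLE_STATUSES = frozenset({"active"})
NOT_APPLICABLE_STATUSES = frozenset({"patched", "mitigated", "disputed", "withdrawn"})
KNOWN_STATUSES = APPLICABLE_STATUSES | NOT_APPLICABLE_STATUSES


@dataclass(frozen=True)
class CuratedCVE:
    cve_id: str      # placeholder ids below; no real CVE numbers are used
    status: str      # curated status, expected to be one of KNOWN_STATUSES
    cvss: float      # CVSS base score, 0.0 to 10.0


@dataclass(frozen=True)
class Package:
    name: str
    version: str
    cves: tuple = ()


@dataclass(frozen=True)
class Policy:
    max_cvss: float = 6.9   # deny anything CVSS rates High or Critical
    # Fail closed: a CVE the curators have not classified is treated as
    # applicable rather than silently ignored.
    unknown_blocks: bool = True


def blocking_cves(pkg, policy, curated=True):
    """Return the CVE ids that keep `pkg` out of the approved channel.

    curated=False reproduces a naive scanner that counts every CVE ever
    associated with the package; curated=True honours the curated status so
    patched/mitigated/disputed/withdrawn entries no longer block.
    """
    blocked = []
    for cve in pkg.cves:
        if cve.cvss <= policy.max_cvss:
            continue                      # below the policy threshold
        if curated:
            if cve.status in NOT_APPLICABLE_STATUSES:
                continue                  # curators say it does not affect this build
            if cve.status not in KNOWN_STATUSES and not policy.unknown_blocks:
                continue                  # policy chose to ignore unclassified entries
        blocked.append(cve.cve_id)
    return blocked


def evaluate(packages, policy, curated=True):
    """Map package name -> ("allow" | "deny", [blocking cve ids])."""
    result = {}
    for pkg in packages:
        blocked = blocking_cves(pkg, policy, curated)
        result[pkg.name] = ("deny" if blocked else "allow", blocked)
    return result


# Constructed sample feed: package names, versions and CVE ids are made up.
SAMPLE_PACKAGES = (
    Package("fastlib", "1.2.0", (
        CuratedCVE("CVE-PLACEHOLDER-1", "patched", 9.8),      # fixed in this build
        CuratedCVE("CVE-PLACEHOLDER-2", "active", 4.3),       # real, but only Medium
    )),
    Package("parseit", "0.9.1", (
        CuratedCVE("CVE-PLACEHOLDER-3", "active", 7.5),       # confirmed, High
    )),
    Package("cleanpkg", "2.0.0"),                             # nothing flagged
    Package("oddpkg", "3.1.0", (
        CuratedCVE("CVE-PLACEHOLDER-4", "needs-review", 8.1), # not yet curated
    )),
)


if __name__ == "__main__":
    for label, curated in (("raw scanner", False), ("curated feed", True)):
        print(f"--- {label} ---")
        for name, (verdict, ids) in evaluate(SAMPLE_PACKAGES, Policy(), curated).items():
            print(f"{name:10} {verdict:5} {', '.join(ids) or '-'}")
```

Running it shows the difference curation makes: the raw scanner denies `fastlib` on a 9.8 that was already patched in that build, while the curated filter allows it and still denies `parseit` on its confirmed High-severity entry. `oddpkg` is denied under the default policy because its entry has no curated status; setting `Policy(unknown_blocks=False)` would let it through, which is the trade-off a team makes explicitly rather than by accident.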
Open-Source Security Is Everyone’s Responsibility
Cybersecurity Awareness Month is an opportunity to elevate the issue of security and start implementing new or improved solutions. As open-source software proliferates within organizations, it’s important to make sure staff are well trained and versed in the latest cybersecurity trends as well as the specific challenges their departments or industries face. Still, while security is everyone’s job, it’s up to IT teams to manage and govern the open-source tools and repositories that staff rely on.
With Anaconda, users can take the guesswork out of open-source security and trust that the repositories and packages they rely on to do their work are secure.
Explore more Anaconda resources on securing open-source software:
Blog: How Anaconda Is Rallying to Protect Commercial Users From Cybersecurity Threats
White paper: How to Implement an OSS Governance Program for Data Science, Artificial Intelligence, and Machine Learning
On-demand webinar: Know Your Enemy: Vulnerability Data And What To Do With It
On-demand webinar: Rising Threat: Securing Your Open-Source Software Pipeline