Proof of Concept: Overcoming Open-Source Code Security RisksDXC Technology, Aquia CISOs on Challenges, Best Practices of Managing Code Bases
In the latest "Proof of Concept," DXC Technology Vice President and CISO Mike Baker and Chris Hughes, co-founder and CISO of Aquia, join Information Security Media Group editors to discuss the benefits, challenges and misconceptions of adopting open-source software in modern code bases - plus best practices for securing them.
"Software asset inventory has been a critical control for decades, and many organizations just don't have a good understanding of what open-source software they're using, whether for internally developed software or that they're consuming from third parties," Hughes said. "When you look at the maintenance of the open-source software ecosystem, some of the metrics are downright alarming: 25% of projects in the open-source ecosystem have one single maintainer contributing code to it, 94% of them have less than 10."
Baker, a CyberEdBoard member, advised organizations to strike a balance between taking advantage of open-source software and mitigating the associated security risks. And make sure to ask the right questions up front.
"Is it a risk acceptance sort of thing, or is it something that you're going to apply slowly across non-mission critical applications or uses?" Baker said. "This is something that organizations need to prioritize starting now, right across all of their software, not just open source, to understand what their third-party risk management program looks like. Is it accounting for software supply chain risk? Are they keeping up with the industry that's rapidly evolving?"
In this Proof of Concept panel discussion, Baker and Hughes joined Anna Delaney, director, productions, ISMG, and Tom Field, vice president, editorial, ISMG, to discuss:
- Challenges organizations face in consuming and maintaining open-source software components within their code, particularly in terms of visibility and tracking;
- Common misconceptions about open-source maintainers, and how to better understand and manage code assets;
- How to take full advantage of open-source software while mitigating security risk.
Baker, who leads cybersecurity for the IT organization at DXC Technology, is an accomplished cybersecurity executive, with 20 years of experience in the field across leadership, talent development, risk management, audit and compliance. He has served as CISO and consultant to clients across multiple industries including aerospace and defense. He manages a team of professionals across internal cyber operations, network defense, policy, awareness, incident response, threat intelligence, secure architecture and reputational protection. Baker serves on the Cybersecurity Maturity Model Certification Accreditation Body Industry Advisory Group.
Co-founder of Aquia, Hughes is the author of Software Transparency: Supply Chain Security in an Era of a Software-Driven Society. He has nearly 20 years of IT and cybersecurity experience ranging from active duty time with the U.S. Air Force, a civil servant with the U.S. Navy and General Services Administration/FedRAMP, as well as time as a consultant in the private sector. He also serves as an adjunct professor for M.S. cybersecurity programs at Capitol Technology University and University of Maryland Global Campus. He also participates in industry groups including the Cloud Security Alliances Incident Response Working Group and serves as membership chair for Cloud Security Alliance D.C. He also co-hosts the Resilient Cyber podcast and holds various industry certifications such as the CISSP/CCSP from ISC2 as holding both the AWS and Azure security certifications.