Here’s a transcript of the podcast for your convenience.
Hello everybody, my name is Anthony Mogannam. I am the Product Manager of SMB and SME Solutions at Qualys. Today I’m here to talk to you about issues related to open source software.
Open source software is a great way to keep costs low while still utilizing necessary technology for keeping your organization on the cutting edge. However, when utilizing a variety of tools for every aspect of security, the amount of resources needed to manage and maintain that stack grows exponentially. Finding a way to consolidate the amount of security tools in use is beneficial for a number of reasons, including saving manpower and standardizing analytics across multiple vectors.
With the rise of DevSecOps and the transition to the cloud, it’s becoming increasingly more difficult to find open source security software that handles the various aspects of an organization’s security needs within one package.
Finding a platform that consolidates multiple security vectors into one pane of glass really allows organizations to standardize their processes and keep their sights in one place, rather than having to worry about potentially missing something across the variety of solutions that they’re using, whether by exporting with an API or by just generating their own reports in Excel. Something that realistically any security professional is moderately worried about is missing something because you’re having to export, and that could potentially go wrong.
Smaller organizations are often overlooked by the giants of the security world. Unfortunately, security platforms are expensive. This leads small companies to use more and more open source technology as time goes on, and generally this is completely OK. But unless users and admins are fully educated on the maintenance and general processes within these open source solutions, a number of issues can occur that could lead to other major issues, such as a security breach. On that note, actually, malicious people online (hackers, if you will; I don’t really like that word) focus on technologies which are widely used and can easily be accessed. A majority of open source tools are supported by the community that’s using them – allowing the source code to be readily available online for anyone to analyze and contribute to.
This is fantastic in so many ways, but it can lead to information – the source code itself – getting into the wrong hands. A bad example of this is Equifax, which famously was using Apache Struts when the major breach happened. Apache is so readily available online, and is so widely utilized by organizations worldwide, that it’s an easy target for bad guys. All they have to do is look for applications using Apache that aren’t secured properly, really not that difficult to find, and proceed to exploit from there.
This being said, a vast majority of organizations using Apache keep it well maintained and have no issues whatsoever. It’s really about knowing everything about the solutions you choose to use and keeping completely up to date on any changes or updates that might happen without being announced to the public.
As I mentioned, open source software is open to the public and is generally supported by the community of professionals who use it. This is a fantastic way to get input from people who would usually not have the opportunity to give input and provide insight, perhaps not discovered within a private organization. This process is known to help drive innovation while giving the sense of ownership to a community who relies on it, and has a trust for the input being given. It’s their peers, it’s the people around them using this. It’s a supportive community.
However, this also leads to the possibility of unwanted input being given: additions that can lead to unnoticed changes in said software. Although open source communities are generally very prudent about finding and calling out bad updates and additions, working together to fix or get rid of them, users have to be on top of their game to make sure they don’t implement anything without fully knowing the consequences.
Again, these are rare cases, but something to keep in mind. In order to lend a helping hand here, Qualys recently introduced the Community Edition. This is a completely free version of Qualys available to anyone, whether you are a student, a smaller organization or really just a curious person.
It’s maintained completely within the cloud and is updated invisibly on the backend. Spanning across a variety of security vectors, it allows users to secure network assets including a web application, and provides visibility of all network assets whether on premises or in the cloud.
Open source technology has a huge place in every sector of business. Personally I utilize a bunch of them, in my personal life and at work, and I’ve been thrust into a number of awesome communities because of that. As security professionals, it’s in our given nature to be a little bit extra careful and sometimes that does take looking at other solutions that may be more secure.
With the Qualys Community Edition, you have the ability to assess 16 internal assets and 3 external assets with vulnerability management – either by traditional methods or with the Qualys Cloud Agent. You get one virtual scanner appliance for scanning behind the network, as well as one application within our Web Application Scanning solution.
You also have access to CloudView, which will give complete visibility of your cloud environment, and AssetView, which really provides that 2-second visibility, so you’re able to query things in a moment. Visit Qualys.com/communityedition.