Monday 22 February 2016

Promoting the safe use of open source software

No company still downloads OSS from the internet and puts it into production with no checks, do they? No one would download a pre-built OSS binary and run it as-is. Would they?

Of course not. You download the source code (so it can be scanned for vulnerabilities) and build it yourself, so that it is open and transparent exactly which version of which software you are running. Not doing this opens your company up to a potential security nightmare.

Imagine tracing the culprit of a production outage to the unchecked use of OSS. Perhaps the OSS binary is not what you thought it was, or it carries malicious code. You don't know unless you build it yourself from source.

The use of OSS is growing year on year. IDC estimates that OSS makes up 30% or more of the code at major Global 2000 organisations. Yet, surprisingly, its use is frequently uncontrolled and unregulated. Do you know what OSS your company is using? Is it controlled?

Typically, even where binaries are built from source, nobody really knows which applications in which environments depend on what. What is frequently neglected is a record of the software installed on each server; with that record, the impact of a newly disclosed vulnerability in an OSS component can be assessed in minutes rather than days.

With Vamos Deploy all dependencies are transparent and visible. When a library is reported as vulnerable you can assess your exposure by asking Vamos Deploy which applications use it and which servers it is installed on. This works irrespective of OS type (Linux, Windows) or language (Java, C++, Python etc).
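The impact-assessment query described above, as an added example that is not Vamos Deploy's code or data model: a small per-server inventory (constructed, with hypothetical server, application and library names) is queried for every application and server carrying a library at a version inside a disclosed affected range. The inventory record format, the half-open [low, high) range convention and the version-comparison rules are assumptions for this example.

```python
"""Answer 'which apps and servers are exposed?' from a dependency inventory.

Example code only; the record layout and names are hypothetical and the
library versions below are constructed, not a real disclosure.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed inventory: one record per (server, application) pair.
INVENTORY = [
    {"server": "web01", "os": "linux", "app": "checkout", "lang": "java",
     "deps": {"acme-logging": "2.14.1", "acme-json": "2.9.8"}},
    {"server": "web02", "os": "linux", "app": "checkout", "lang": "java",
     "deps": {"acme-logging": "2.14.1", "acme-json": "2.9.8"}},
    {"server": "etl01", "os": "windows", "app": "ingest", "lang": "java",
     "deps": {"acme-logging": "2.3", "acme-json": "2.10.0"}},
    {"server": "api01", "os": "linux", "app": "gateway", "lang": "python",
     "deps": {"acme-yaml": "5.4", "acme-http": "2.25.1"}},
    {"server": "api02", "os": "linux", "app": "gateway", "lang": "python",
     "deps": {"acme-yaml": "5.4", "acme-http": "2.25.1"}},
    {"server": "batch01", "os": "linux", "app": "reports", "lang": "java",
     "deps": {"acme-logging": "2.17.1"}},
]

Range = Tuple[Optional[str], Optional[str]]  # (low inclusive, high exclusive); None = unbounded


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.14.1' -> (2, 14, 1). Only leading digits of each part count, so '5.4rc1' -> (5, 4)."""
    parts: List[int] = []
    for piece in v.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def _cmp(a: Tuple[int, ...], b: Tuple[int, ...]) -> int:
    """Compare version tuples after zero-padding, so 2.15 == 2.15.0 rather than 2.15 < 2.15.0."""
    n = max(len(a), len(b))
    a = a + (0,) * (n - len(a))
    b = b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def is_affected(version: str, affected_ranges: List[Range]) -> bool:
    """True if `version` falls inside any [low, high) range of the disclosure."""
    v = parse_version(version)
    for low, high in affected_ranges:
        if low is not None and _cmp(v, parse_version(low)) < 0:
            continue
        if high is not None and _cmp(v, parse_version(high)) >= 0:
            continue
        return True
    return False


def exposure(inventory: List[dict], library: str, affected_ranges: List[Range]) -> Dict[str, object]:
    """Which applications use `library` at an affected version, and on which servers."""
    hits = []
    apps = defaultdict(set)      # app -> affected versions seen
    servers = defaultdict(set)   # server -> affected apps on it
    for rec in inventory:
        ver = rec["deps"].get(library)
        if ver is None or not is_affected(ver, affected_ranges):
            continue
        hits.append((rec["server"], rec["app"], ver))
        apps[rec["app"]].add(ver)
        servers[rec["server"]].add(rec["app"])
    return {
        "library": library,
        "apps": {a: sorted(v) for a, v in sorted(apps.items())},
        "servers": {s: sorted(a) for s, a in sorted(servers.items())},
        "hits": sorted(hits),
    }


if __name__ == "__main__":
    # Constructed disclosure: acme-logging 2.0 up to, but not including, 2.15.0 is affected.
    report = exposure(INVENTORY, "acme-logging", [("2.0", "2.15.0")])
    for server, app, ver in report["hits"]:
        print(f"{server:8} {app:10} acme-logging {ver}")
    print("patch these apps:", ", ".join(report["apps"]))
```

The range check is deliberately half-open: a disclosure usually names the first fixed version, so a server already on that version must not be counted. Zero-padding before comparison matters for the same reason, otherwise "2.15" reads as older than the fix "2.15.0" and produces a false positive.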

Vamos Deploy encourages the regulated, safe use of OSS. As the saying goes, "Let's be careful out there!"
