This paper is an introductory discussion on the cause of open source software
vulnerabilities, their importance in the cybersecurity ecosystem, and a
selection of detection methods. A recent application security report showed 44%
of applications contain critical vulnerabilities in an open source component, a
concerning proportion. Most companies do not have a reliable way of being
directly and promptly notified when zero-day vulnerabilities are found and then
when patches are made available. This means attack vectors in open source exist
longer than necessary. Conventional approaches to vulnerability detection are
outlined alongside some newer research trends. A conclusion is made that it may
not be possible to entirely replace expert human inspection of open source
software, although it can be effectively augmented with techniques such as
machine learning, IDE plug-ins and repository linking to make implementation
and review less time intensive. Underpinning any technological advances should
be better knowledge at the human level. Development teams need trained, coached
and improved so they can implement open source more securely, know what
vulnerabilities to look for and how to handle them. It is the use of this
blended approach to detection which is key.
Go to Source of this post
Author Of this post: <a href="http://arxiv.org/find/cs/1/au:+Millar_S/0/1/0/all/0/1">Stuart Millar</a>