 Channel Futures

MSSP Insider

Take a Smart Approach to Open Source Security Training and Policies

  • Written by Todd R. Weiss
  • December 5, 2018
When it comes to IT security training and policies for employees, these are some things to know about the unique needs of using open source inside businesses.

As more channel partners and MSSPs help business customers begin or expand open source deployments and services, IT leaders must be sure to integrate related security training and policies for open source use to keep systems, developers and critical data safe and secure.

For many IT security tasks, the work is the same for both proprietary and open source applications and development environments, but with some tasks, open source security adds new responsibilities and procedures for training and policies that must be identified and supplemented from the start.

One thing to remember, said Jim Mercer, a DevOps analyst with IDC, is that different open source projects can offer businesses varied amounts of diligence when it comes to security, depending on the project.

“For example, a project that has an active community and is updated frequently will generally be more proactive about security vulnerabilities and may have code that is actually more secure than your own code,” Mercer told Channel Futures. “However, projects with less activity or that have become stale may fall behind in security due diligence.”

To best protect businesses, development teams must be schooled on what the attributes of a secure open source project look like and must ensure proper code and policy examination before introducing new open source code into an application, he said.

“At the end of the day, when it is being used by your application, the security problem belongs to you,” said Mercer. “Keeping track of all the OSS, builds, releases, vulnerabilities and fixes can get complex really fast.”

In training developers regarding security and open source use, it’s important to remember that not all developers will become security experts, added Mercer. “Organizations can mitigate this by keeping some security experts on staff who can help create the necessary procedures and checks and balances for using and maintaining security with open source. These experts can form a Center of Excellence on how open source library security is managed. They also may have a wider vantage point since they are providing a common service to multiple teams.”

Open Source Policy Additions

With security policies for proprietary and open source development and use, the usual suspects such as general policies around acceptable use and access control as well as plans for disaster recovery and incident response should be included, said Mike Dolan, vice president of strategic programs for the nonprofit open source advocacy group, The Linux Foundation.

But when it comes to open source development and use, policies that should specifically be included are things like the establishment of guidelines for secure coding best practices, the utilization of peer reviews to check code before it is shared or implemented and rules that mandate incremental code updates with ongoing testing at every step, said Dolan.

“It is important that all policies be clearly communicated to employees at all levels — not only to IT staff — as anyone within an organization can potentially cause a security breach,” he said. “Staff should receive training on what the policies are, and how best to stay secure. Technical staff may benefit from further formal training around building secure software.”

Other topics that should be included in the open source policies are evaluation of all software to include security reviews, testing to ensure deployment will not negatively impact an organization’s security, access control policies and acceptable use policies, said Dolan.

Clyde Seepersad, the general manager for training and certification for The Linux Foundation, added that it is also critical to think of the training aspect of security as a process rather than an event.

“Companies should make the effort to develop rolling training agendas which ensure both a buildup of skills over time and an ongoing refresh as practices are constantly improving,” said Seepersad. “Keeping track of the human talent around security should be handled with the same structure and follow through as keeping track of code in use.”

Extra Diligence Needed

At open source vendor Red Hat, Vincent Danen, the director of product security, said that using open source inside a company’s development environment requires a little more diligence and awareness, compared to similar practices for proprietary software.

“Given how easy it is to come by a random piece of open source software, see that it meets your needs and then to start using it without any validation whatsoever probably isn’t a great idea,” said Danen. “Also, recognizing that things you pull from GitHub or other repositories means you need to keep tabs on it. Unlike proprietary software that you’d receive updates for via an update service or mechanism, with much open source pulled from various sources you need to manually be aware of updates and manually pull those changes in. You likely want policies around watching and monitoring the upstream sites of the software you use.”
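The inventory discipline Mercer and Danen describe (knowing which open source components you ship, whether each is behind its upstream release, and whether a published advisory applies) can be scripted. The following is an added example, not code from the article or from any of the vendors quoted; the component names, versions, repository URLs and advisory IDs are all constructed placeholders.

```python
# Added example (not from the article): a minimal inventory check that flags
# open source components pulled from public repositories that are behind their
# upstream release or match a published advisory. All data below is constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    version: str   # version pinned in our build
    source: str    # where it was pulled from (constructed placeholder URLs)


# Constructed inventory of what our application actually ships.
INVENTORY = [
    Component("libfoo", "1.2.0", "https://github.com/example/libfoo"),
    Component("barjs", "3.4.1", "https://github.com/example/barjs"),
    Component("quxlib", "0.9.5", "https://github.com/example/quxlib"),
]

# Constructed view of upstream state: latest release plus advisories, each
# advisory given as (advisory id, first version that contains the fix).
UPSTREAM = {
    "libfoo": {"latest": "1.4.2", "advisories": [("ADV-0001", "1.3.0")]},
    "barjs": {"latest": "3.4.1", "advisories": []},
    "quxlib": {"latest": "1.0.0", "advisories": [("ADV-0002", "1.0.0")]},
}


def parse_version(v):
    """Turn a dotted version string into a comparable tuple of integers."""
    return tuple(int(p) for p in v.split("."))


def check_component(c, upstream):
    """Return findings for one component: behind upstream and/or one per advisory."""
    info = upstream.get(c.name)
    if info is None:
        # A component nobody is watching is itself a finding.
        return [f"{c.name}: no upstream record, cannot assess"]
    ours = parse_version(c.version)
    findings = []
    if ours < parse_version(info["latest"]):
        findings.append(f"{c.name} {c.version} is behind upstream {info['latest']}")
    for adv_id, fixed_in in info["advisories"]:
        if ours < parse_version(fixed_in):
            findings.append(f"{c.name} {c.version} affected by {adv_id}, fixed in {fixed_in}")
    return findings


def audit(inventory, upstream):
    """Map each component name to its list of findings (empty list means clean)."""
    return {c.name: check_component(c, upstream) for c in inventory}


if __name__ == "__main__":
    for name, findings in audit(INVENTORY, UPSTREAM).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

In practice the UPSTREAM table would be refreshed from the projects' release pages and advisory feeds on a schedule, which is the "watching and monitoring the upstream sites" policy Danen refers to.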

At the same time, “the real training that users and developers need to undergo is a reinforcement of general organizational risk and IT security practices,” added Danen. “Are you able to download whatever applications or code that you think you might need? Should you? What is the protocol for using unverified code from a public repository? What systems can it be run on, and so on. These are the questions that should be asked, regardless of whether the software is open source or not.”

A critical concept for security teams to instill when using open source is “security hygiene” across their organizations, said Danen. “This means adhering to common, accepted security standards, like changing default passwords, not using unverified software whether open source or not, and not falling for socially-engineered malicious schemes, such as spear-phishing.”

Working with an enterprise open source vendor can help with these tasks, he added. “By leveraging the expertise of an enterprise vendor, a significant part of the cost of proactive security is covered in licensing or subscription costs.”

To help with open source use policy creation, Danen said he’d also suggest that CISOs, CSOs and other security leaders have a good understanding of what their company’s acceptable risk profile might include. “Are they comfortable with developers running software in R&D environments, regardless of provenance?” he asked. “What about end users? If not, what kind of restrictions do they want to put in place? It’s these questions that should be asked first and foremost when it comes to software. Open source is incredibly important to business success but security is universal.”

Gerald Pfeifer, the vice president of products and technology programs for open source vendor SUSE, said it’s important to remember that while open source security and training can bring different challenges to business users, they are not unique challenges.

“Like a human body, every complex bit of hardware or software will have vulnerabilities,” he said. “And like a healthy body, a healthy ecosystem or vendor will be able to address those vulnerabilities. Just note that proprietary systems are not inherently more secure, or we would not be having all those Meltdown and Spectre disclosures this past year when microprocessors are about the most proprietary pieces of technology one can imagine.”

Tags: MSPs Cloud and Edge MSSP Insider Security Training and Policies