UPDATED 15:31 EDT / DECEMBER 02 2020

Managing open-source risk means bridging the gap between security operations and DevOps

With the popularization of open-source software, the risk of malicious actors exploiting its vulnerabilities has also increased, bringing more threats to the companies that use this code and to their customers.

The solution is bridging the gap between DevOps and security teams within the enterprise so they can work together to mitigate the risk, according to Wendy Moore (pictured, left), vice president of product marketing at Trend Micro Inc.

“There are some organizations who do this really well; they’re very mature, and their security operations teams and their DevOps teams work very closely together,” Moore said. “Whereas we see some other organizations where dev is at one side of the pipeline and you’ve got security at the other, and they don’t tend to converse or meet — and those are the organizations where there tend to be more challenges.”

Moore and Geva Solomonovich (pictured, right), chief technology officer of global alliances at Snyk Ltd., spoke with Lisa Martin, host of theCUBE, SiliconANGLE Media’s livestreaming studio, during AWS re:Invent. They discussed the risks of ransomware in open-source code, the need to give security teams visibility into that code, and how Trend Micro and Snyk are working together to deliver solutions to this problem. (* Disclosure below.)

Increasing the visibility

There are many reasons why open source can be vulnerable to ransomware, according to Solomonovich. “One [is that] the source is open, so just finding the vulnerabilities is much easier than trying to find the vulnerability in proprietary code,” he said.

Another reason, and the most critical one according to Solomonovich, is that an attacker who finds a vulnerability in a well-known open-source package can attack not just one company but thousands, precisely because the package is so widely used.

“Hackers want to spend their hacking hours where they’re more likely to get a reward, able to get that ransom, or to have the data or do whatever they can,” Solomonovich said. “And open source actually makes it much easier for them than a lot of these other alternatives.”

The difficulty in solving the problem is that the code repository and open-source software have largely been the domain of DevOps, while the security team, which is tasked with managing the organization’s risk, has little or no visibility into what vulnerabilities might exist, according to Moore.

Faced with this challenge, Trend Micro and Snyk have teamed up to develop a technology that provides code-scanning capability directly in the code repository. Delivered as a service through the Trend Micro Cloud One platform, the tool gives the security operations team a view of what is in the repository so it can take action from there.

“The idea with this new solution is it’s going to give the security teams visibility of basically the scale and scope of their open-source situation so that they’ve actually got some data to go have conversations with the DevOps teams and start going in that direction of making those teams work more seamlessly together,” Moore concluded.

Watch the complete video interview below, and be sure to check out more of SiliconANGLE’s and theCUBE’s coverage of AWS re:Invent. (* Disclosure: Trend Micro Inc. sponsored this segment of theCUBE. Neither Trend Micro nor other sponsors have editorial control over content on theCUBE or SiliconANGLE.)

Photo: SiliconANGLE
