UPDATED 15:31 EDT / DECEMBER 02 2020


Managing open-source risk means bridging the gap between security operations and DevOps

As open-source software has become more widely adopted, the risk of malicious actors exploiting vulnerabilities in it has grown with it. The result is more threats to the companies that use this code and to their customers.

The solution is to bridge the gap between DevOps and security teams within enterprises so they can work together to mitigate those risks, according to Wendy Moore (pictured, left), vice president of product marketing at Trend Micro Inc.

“There are some organizations who do this really well; they’re very mature, and their security operations teams and their DevOps teams work very closely together,” Moore said. “Whereas we see some other organizations where dev is at one side of the pipeline and you’ve got security at the other, and they don’t tend to converse or meet — and those are the organizations where there tend to be more challenges.”

Moore and Geva Solomonovich (pictured, right), chief technology officer of global alliances at Snyk Ltd., spoke with Lisa Martin, host of theCUBE, SiliconANGLE Media’s livestreaming studio, during AWS re:Invent. They discussed the risks of ransomware in open-source code, the need to give security teams visibility into that code, and how Trend Micro and Snyk are working together to deliver solutions to this problem. (* Disclosure below.)

Increasing the visibility

There are many reasons why open source can be vulnerable to ransomware, according to Solomonovich. “One [is that] the source is open, so just finding the vulnerabilities is much easier than trying to find the vulnerability in proprietary code,” he said.

Another reason, and the most critical one according to Solomonovich, is that an attacker who finds a vulnerability in a well-known open-source package can attack not just one company but thousands, since the very thing that makes such software popular, its widespread use, is also what makes it a broad target.

“Hackers want to spend their hacking hours where they’re more likely to get a reward, able to get that ransom, or to have the data or do whatever they can,” Solomonovich said. “And open source actually makes it much easier for them than a lot of these other alternatives.”

What makes the problem hard to solve is that the code repository and open-source software have largely been the domain of DevOps, while the security team, which is tasked with managing the organization’s risk, has had little or no visibility into what vulnerabilities might exist there, according to Moore.

Faced with this challenge, Trend Micro and Snyk have teamed up to develop a technology that provides code-scanning capability directly in the code repository. Delivered as a service through the Trend Micro Cloud One platform, the tool gives the security operations team a view of what is in the repository so they can take action from there.

“The idea with this new solution is it’s going to give the security teams visibility of basically the scale and scope of their open-source situation so that they’ve actually got some data to go have conversations with the DevOps teams and start going in that direction of making those teams work more seamlessly together,” Moore concluded.

Watch the complete video interview below, and be sure to check out more of SiliconANGLE’s and theCUBE’s coverage of AWS re:Invent. (* Disclosure: Trend Micro Inc. sponsored this segment of theCUBE. Neither Trend Micro nor other sponsors have editorial control over content on theCUBE or SiliconANGLE.)
