Mastering open-source software security in a cloud-native era
In a cloud-powered environment, open-source software isn’t just a tool — it’s the fuel that accelerates innovation and promotes transparency. But with growing dependency on OSS for the enterprise codebase comes a heightened need for organizations to proactively address cybersecurity risks while better managing the complexities of their open-source software supply chains. To effectively maintain security and operational efficiencies, organizations are looking at new tools and strategies for open-source software security.
Kosai Inc. is a platform that bridges the gap between open-source software maintainers and enterprise consumers, offering solutions to help organizations secure their open-source ecosystems while minimizing risks, according to Jonathan Simkins, co-founder and chief executive officer of Kosai.
“Our mission at Kosai … is to unleash the potential of open-source software by giving open-source maintainers the opportunity to live off their work and software developers the opportunity to rely on its security,” he said.
In the past, most enterprise applications had at least some open source in them. The primary issue at that time was ensuring licensing compliance.
“Now, over three-quarters of the entire enterprise code base is open source. The average application has 526 different open-source projects inside it … and open-source adoption is still growing very rapidly,” Simkins added.
Simkins spoke with theCUBE Research’s Rob Strechay, principal analyst, during an AnalystANGLE segment on theCUBE, SiliconANGLE Media’s livestreaming studio. They discussed how open-source software security is no longer a legal compliance issue — it’s a software supply chain risk that needs to be proactively managed, especially for cybersecurity issues.
Growing importance of open-source software security for enterprise applications
Businesses have to manage their software supply chains, but many maintainers of open-source code are volunteers. Typically, they are unable to provide the level of support available from a commercial vendor, such as Microsoft Corp. or Oracle Corp.
“So, we founded Kosai last year to fill this gap. We want to effectively be the adapter that allows these two communities to make a solid connection,” Simkins said.
Innovation is a key driver for open-source adoption. As it continues to grow, companies must adapt while managing the cybersecurity risks that come with it.
“Right now, AI is currently driving innovation. Before that, it was augmented reality. Before that, it was blockchain,” Simkins said. “Maybe the next thing that moves the needle will be quantum computing. What you can say with certainty is that the next big thing is going to be [based on] open source.”
The modern open-source ecosystem offers benefits of transparency and innovation but also introduces risk. The risk has moved beyond what was a contained, proprietary software world to the entire software supply chain. In addition, outdated software and vulnerabilities create cybersecurity risks that organizations must be ready to address.
“Eighty-four percent of the enterprise code base contains at least one known open-source vulnerability,” Simkins said. “Seventy-four percent of those are high-risk. [This is] a big increase from where it was in 2022 … when only 48% were high risk.”
This is what happens when a big innovation driver such as AI arrives while it is still so new that it hasn’t been secured yet. Most organizations are also using extremely out-of-date open-source software, according to Simkins.
“Ninety-one percent of enterprise apps use extremely out-of-date open source or … abandonware. That’s a scary number … which means for the vast majority of the code, nobody is supporting it anymore,” he said.
This alarming trend, exacerbated by rapid innovation in fields such as AI, has left companies vulnerable. The speed at which new technologies emerge often surpasses the ability of security measures to keep up, making proactive open-source software security management essential.
“There isn’t a patch coming. When, not if, a big breach happens, there’s no cavalry coming to the rescue. Enterprise software is [essentially] open-source software, and there’s no real distinction anymore. Enterprise software supply chains are deteriorating in terms of safety,” Simkins added.
Shifting left: Open-source software security and developer productivity
The “shift left” movement, which emphasizes performing security checks earlier in the development process, has been widely discussed in enterprise IT. While the concept makes sense organizationally, Simkins noted that it can feel burdensome to developers.
“From the developer perspective, shift left sounds a lot like delegation. ‘This wasn’t my job. I didn’t sign up for this,’” Simkins said. “If it’s badly managed, shift left can lead to attrition.”
The concept of embedding security testing earlier in the software development lifecycle is still sound. However, developers are under immense pressure to deliver features quickly.
“When there’s bugs and open-source common vulnerabilities and exposures (CVEs) and other tech debt in their way, that’s just simply not going to happen,” Simkins said. “Thing is, developers actually want to deliver features quickly. That’s why most of them chose that profession. A well-run engineering organization strives to deliver that employee experience to their software developers.”
Kosai’s approach aims to take on the responsibility for managing open-source software security, allowing developers to focus on what they do best — innovating.
“What we’re offering really is an easy button to get your developers back to doing what they want to do,” Simkins added.
Engaging with the open-source community
It’s important that businesses engage with and support the open-source community. By doing so, enterprises can ensure the long-term viability of the software they rely on, creating a healthier ecosystem for all, according to Simkins.
“Most software developers that I’ve met are creative types and they want to build things. When you can outsource anything that isn’t building new features, do it,” he said. “As far as I’m aware, we are the first company offering to support extremely outdated versions of open source and abandonware.”
Implementing a rigorous security practice remains essential for organizations, according to Simkins. It also makes sense to leverage any available commercial support when applicable, such as Red Hat, Linux or Databricks. And organizations need to adopt any open-source security tools that are currently available. He also recommends that organizations establish an open-source program office.
“This is where I think you’re really moving into best practice territory. If you have an OSPO, you are definitely way ahead of the curve,” Simkins said.
Talk to your developers, analyze your JIRA data and learn what is consuming developers’ time. By taking a thoughtful data-driven approach, companies can improve productivity and security, he added.
“[This can] help leadership prioritize what to outsource next … and lead to the right tools and vendors … Every business is going to be different. It’s not some one-size-fits-all recommendation,” Simkins said.