The Wipro service helps customers mitigate the security risks of open source software.
As companies embark on business transformation initiatives, C-level execs must understand the risk and governance implications of digitization. Because modern applications and cloud-based infrastructure solutions contain numerous open-source components, they open up a whole new set of considerations. Wipro is among many consultancies that have built a practice around creating a suitable open source software (OSS) governance framework.
Reza Alavi, a cybersecurity risk management consultant at Wipro, helps large companies discover how their organizations are using OSS. Alavi and his team then create a risk mitigation strategy and governance plan. In a keynote session at Channel Evolution Europe on 2 December, Alavi will discuss the risks and opportunities. In advance of next month’s conference, Channel Futures spoke with Alavi about why OSS governance is a good practice for IT consultants to offer.
Channel Futures: Do clients need a different security and governance approach for open source software versus the rest of the software they have in their organization?
Reza Alavi: Open source starts with digital transformation. When organizations start considering how their digital transformation projects should look, they consider a number of new technologies. Whether that’s cloud, machine learning, artificial intelligence, security from infrastructure as code and DevSecOps from a DevOps perspective, digital transformation is heavily reliant on open source software. Major companies – such as Microsoft and IBM – have shifted a lot of their attention toward open source software. Some people don’t know it, but 60-70% of Microsoft Azure runs open source software. Now organizations are consuming a lot of open source software, but they don’t know how to deal with it.
CF: Deal with it from what perspective?
RA: From a third-party, risk management, supply chain, license management and clearly from a security and availability management perspective, because they don’t have enough knowledge around open source software.
CF: How do you help them with that?
RA: First, we provide a gap analysis assessment of what open source software they have. And believe it or not, we find they don’t have the right inventory for open source software. They don’t know what sorts of critical applications are using open source software. And clearly, they don’t know, in terms of risk score, the risks they face with it. So they cannot put in any controls because they don’t know what the risks are. For the inventory, there is no risk control. They normally just stop everything, and they start sandboxing, blacklisting and looking at it from a very traditional security approach. What we do is provide a gap analysis and maturity assessment of the current treatment of open source software in their whole ecosystem. And then we show them what is missing.
CF: Is there typically a lot missing?
RA: Most companies don’t have any policies for open source software; they don’t have any guidelines. On top of that, they don’t have any strategic understanding of open source from a risk versus opportunities and benefits standpoint. So we give them a maturity assessment with a gap analysis to provide them with understanding of the risk versus opportunities on open source.
CF: What happens next?
RA: Then we dive into quite technical stuff in terms of looking at the whole ecosystem. We look at what assets they have, and what assets are consuming open source at what level of the organization. For instance, we have a client that was starting a cloud transformation, looking at hybrid cloud. They consume a lot of cloud-related services and software. But then they can’t secure them because they don’t know what they have when it comes to open source. They know containers; they use Docker, for instance. But they don’t understand how security works with it from an open source perspective.
CF: What types of things do you tend to discover when conducting these assessments?
RA: We use the CMMI maturity model. My team has worked with over 100 organizations, and we never found any organization that was higher than maturity level 2 for open source software governance. We get all of our clients up to level 4 at least.
CF: What kinds of risks are these companies typically exposing themselves to?
RA: If you look at different aspects of open source governance, from the discovery up to contribution to the community, the risk is …