Open source empowers organizations to pursue their business transformations with greater agility and control while avoiding vendor lock-in. However, components with potential security vulnerabilities are not identified and remediated by organizations before consuming them. Security risks are further enhanced in the absence of formal security policies and controls. This risk elevation amplifies the need for security for open source projects.

Wipro’s Open Source Security Program

Wipro has instituted an open source security program to secure open source projects and standardize open source security assessment. The program is designed to deliver enterprise grade trusted and verified open source software (TAVOSS) and customized open source security services to customers. The program comprises of open source security lab, open source security projects and open source community necessary to enable platform scale open source security. Be-Secure is a platform and an umbrella project of open source security tools, sandbox (security assessment) environment, and utilities for the open source security community. The Be-Secure platform aggregates various open source security tools and services to offer security assessments efficiently. The open source security lab is offered as an enterprise service.

There are several ways to deploy open source technologies and develop an open source solution. An organization needs to narrow down to a select list of trusted and secured open source components to build open source solutions. Due to the very nature of open source, keeping all open source components updated is a tedious and time-consuming process. An organization must keep track of all changes that happen across the open source software technology stack. 

Open source projects have been categorized into five open source security tech stacks or Be-Secure tech stack to help standardize security assessments of open source projects.

• DevOps Security [DO]: is a Be-Secure tech stack to secure various open source DevOps tools like Ansible, Jenkins, Kubernetes etc.
• Language & Framework Security [L&F]: is a Be-Secure tech stack to secure various open source languages and frameworks, e.g., Ruby & Rails, PHP & Symphony, Python & Django, JavaScript and Angular/NodeJS
• Application Security[A]: is a Be-Secure tech stack to secure fully functional open source applications like Drupal, Magento, Odoo etc.
• Distributed & Decentralized Application Security [DA]: is a Be-Secure tech stack for security assessment of distributed and decentralized applications, like DLTs/Blockchain and other decentralized frameworks like Hyperledger, Ethereum, Hadoop etc.
• Open-source security tool [S]: is a Be-Secure tech stack for various open source security tools like Burpsuite, Metasploit, etc.

Open Source Security Lab

The open source security lab forms the base for offering various open source security services to our customers. We perform open source and security compliance checks, automated evaluation and hardening of open source tech stacks, and seed open source security community projects and tools at the lab.

Figure 1: O31E Lab overview

*O31E is an abbreviation of "Open Source Security Lab as a Service". The term "O31E" is derived from its spelling, indicating the number of characters between the letters O and E

Organizations can leverage the open-source security program to

• Strengthen their open-source security posture
• Reduce time to evaluate open source projects
• Reduce the cost of open source security assessment
• Enhance agility in securing and implementing open source based applications
• Increase open source adoption without compromise on security
• Increase developer productivity and developers’ focus on security

Be-Secure community

The community is key to any open source project. The Be-Secure community is responsible for supporting and maintaining Be-Secure project tools and sandbox environments used for regular assessment of open source security stacks.

The open source security program also focuses on leveraging the open source community to develop and sustain the Be-Secure platform. The community will help identify new open source technology stacks, proactively flagging off a potential vulnerability in open source components and contributing to new security assessment environments. The community involvement leads to the assessment of the open source stack and triggers the generation of the patch to create trusted and verified open source software (TAVOSS).

Creating a partner network for open source security

As part of the open source security program, we intend to develop a network of trusted security partners to collaborate on defining security assessment models for open source technology stacks and open source security best practices. We will aggregate the service offerings from our security partners to offer cutting edge open source security capabilities at a platform scale.

Impact:

The open source security program helps drive awareness of open source security among organizations and open source community members. It also allows organizations access to standardized security assessment services that align with the open source security stacks. Today, many open source projects/components are consumed in a predefined manner without exploring the possibility of interoperability across open source technology components. The program helps to address this shortcoming by offering customized environments, pre-bundled with various open source projects. The program enables the open source developers to access the best practices/tools/projects and sandbox environments to secure open source projects. Utilization of Be-Secure open source technologies stack will drive the efficiency of open source security assessments.

Wipro’s open source security program expects to drive greater adoption of open source technologies, enhance awareness of open source and open source security, bring together cybersecurity expertise covering all domains of security, and enable continuous security assessment to address changing security needs of open source projects.

About the Authors

Vinod Panicker

Global Head Open source & Blockchain Security, Cybersecurity & Risk Services, Wipro

Vinod is a Distinguished Member of Technical Staff, Senior Member and Chief Architect. He has over 21 years of experience in software development and product architecture. Vinod currently leads the open source and blockchain security initiatives for the cybersecurity practice at Wipro. He is an expert in decentralized identity, blockchain security, building open source solutions, community-led tools development, open-source licensing, and re-engineering of products.

Sumod Rajan George, PMP

Sr. Project Manager, Cybersecurity and Risk services, Wipro

Sumod has over two decades of experience in software development, managing various projects and programs for business domains, such as retail, finance, healthcare, and transportation. He is currently part of the open source and blockchain security practice team with CRS, which focuses on security for open source and blockchain technology-based solutions.