The Security Ledger Podcast

Episode 176: Security Alarms in Census II Open Source Audit. Also: The New Face of Insider Threats with Code42

February 24, 2020

In this week’s episode of The Security Ledger Podcast, sponsored* by Code42, we do a deep dive on the security implications of the recently released Census II audit of open source software. We’re joined in our first segment by Frank Nagle of Harvard University’s Laboratory for Innovation Science and Mike Dolan, the Vice President of Strategic Programs at The Linux Foundation. In our second segment: tools like Slack and Microsoft Teams are revolutionizing how workers collaborate and communicate, but they also make it easier than ever for employees or malicious insiders to abscond with sensitive information. Joe Payne, the CEO of Code42, joins us to talk about how the challenge of data breach prevention is changing.

But first: software is eating the world, as the saying goes, and these days much of that munching is happening courtesy of free and open source software. Since the open source software movement first got going in the early 1980s with the GNU Project, the use of open source has grown exponentially. Today, open source libraries and other components can be found in virtually every substantial software application in use.

Census II exposes OSS Security Debt

But the rapid and frictionless adoption of open source isn’t without a cost. Namely: security debt. The popular wisdom holds that the attention and energy of the crowd is sufficient to keep open source software components secure and stable. History has indicated otherwise: bugs like Heartbleed in the ubiquitous OpenSSL library opened the eyes of the security community to the fact that serious bugs and exploitable holes may lurk in other widely used open source components. But surveying such a massive body of code is a Herculean task. Better to know which open source components are the most widely used and shared, and which pose the greatest security risks.

That’s why the folks at Harvard University’s Laboratory for Innovation Science and The Linux Foundation teamed up on the second open source Census, the first ever census to identify and measure how widely open source software is deployed within applications by private and public organizations. The goal was to draw a more complete picture of FOSS usage, in part by analyzing usage data provided by partner Software Composition Analysis (SCA) companies.

Their report, dubbed “Vulnerabilities in the Core,” and recommendations it offers are a unique insight into the security challenges facing the open source community.

To discuss their work, we invited Frank Nagle of Harvard Business School and Mike Dolan, the Vice President of Strategic Programs at The Linux Foundation, to talk about the Census II findings and what they mean for the larger project of securing open source code.

The New Face(s) of Insider Threat

Back in the Watergate era, stealing sensitive data was a cloak and dagger affair. The burglars hired to obtain sensitive strategy documents from the Democratic National Committee needed physical access to offices and file cabinets and went equipped with flashlights, lock picks, and other implements to do the job.