Getting the most out of open source without sacrificing security
Open source has seen a great deal of momentum among mainframers, making collaboration easier and providing greater transparency. But for all of its benefits, open source is not without risks. By its very nature, open-source code is accessible to whoever wants to see it—including potential attackers. That means an attacker looking to crack into an organization’s systems could simply examine the readily available open-source code and pick out vulnerabilities to exploit.
Overall, open source has incredible potential to help transform the way mainframe applications are managed, but it comes with risks that need to be properly addressed. So, where do businesses and IT leaders stand on the use of open source in the context of mainframe security? What are their concerns? And what’s being done to secure the mainframe as open source becomes an increasingly common tool for developers?
Rocket Software recently conducted a survey of 250 global IT directors and vice presidents in companies with more than 1,000 employees to find out. Let’s take a closer look at how these respondents view open source and mainframe security.
Open-source security on the mainframe
Open-source software has moved far beyond being a buzzword. Today, it’s a critical tool for organizations as they push to modernize in place with the mainframe. The collaborative element of open-source development means that the broader community is typically able to respond quickly to any issues, applying patches and fixes for Common Vulnerabilities and Exposures (CVEs). But in a mainframe setting where IT leaders often deal with ported instances of open-source tools and languages—like a ported instance of Git operating on z/OS—those fixes and updates may not always make their way into the mainframe.
That means the open-source components embedded within mainframe applications, if not managed properly, could hold serious gaps in security and integrity. Among other mainframe security challenges with open source, there can also be compliance concerns that arise if an organization were to incorporate unsupported open-source software into its mainframe applications.
Keeping open source secure on the mainframe
So, we know the concerns that come along with the use of open-source software. But are the businesses and IT teams that lean on these tools prepared to handle those risks and respond accordingly? The good news is, based on the findings of Rocket Software’s survey, The State of Mainframe Security, it’s clear that the security of open source used on the mainframe is something organizations are taking very seriously.
Organizations understand just how important proactivity is to ensuring security, as 62% of survey respondents reported that their organizations routinely conduct vulnerability assessments and security audits. Another 58% of respondents said they engage in continuous monitoring and updating of open source to address security patches promptly. IT leadership in these businesses also understands the importance of preparing staff. Among respondents, 54% said they were training developers on best practices for secure coding and proper usage of open-source components. But respondents aren’t just relying on proactive measures; many reported having strong processes in place for managing the risks associated with open-source software on the mainframe. Eighty percent said they have a well-defined process for managing and monitoring the usage of open-source software in mainframe environments.
The state of open source on the mainframe
At a time when cyber threats are rapidly evolving, the ability of the open-source community to address vulnerabilities and put out updates and fixes has become critical. Fortunately, among survey respondents, 78% of organizations reported being highly confident in the open-source community’s ability to do just that and act quickly. Even as organizations get a handle on the way open-source software impacts their mainframe applications and security, it’s crucial that they work with a trusted source that can ensure critical updates and patches are ported to z/OS systems.
Learn more about how organizations are balancing the growing use of open-source software with mainframe security.