Open source has seen a lot of momentum among mainframers, making collaboration easier and creating more transparency. But despite all its benefits, open source is not without risks. By its nature, open source code is accessible to anyone who wants to see it, including potential attackers. This means that an attacker looking to compromise an organization’s systems can simply examine the readily available open source code and pick out vulnerabilities to exploit.
Overall, open source has incredible potential to help transform the way mainframe applications are managed, but it comes with risks that must be properly addressed. So, how do businesses and IT leaders feel about using open source in the context of mainframe security? What are their concerns? And what is being done to secure the mainframe as open source becomes an increasingly common tool for developers?
Rocket Software recently conducted a survey of 250 global IT directors and vice presidents in companies with more than 1,000 employees to find out. Let’s take a closer look at how these respondents view open source and mainframe security.
Open-source security on the mainframe
Open source software has gone far beyond a buzzword. Today it is a crucial tool for organizations trying to modernize using the mainframe. The collaborative element of open source development means that the wider community can usually respond quickly to any issues, applying patches and fixes for Common Vulnerabilities and Exposures (CVEs). But in a mainframe environment where IT leaders often deal with ported instances of open-source tools and languages – such as a ported instance of Git running on z/OS – those fixes and updates won’t always make their way to the mainframe.
This means that the open source components embedded in mainframe applications, if not properly managed, can contain serious security and integrity holes. In addition to other open source mainframe security challenges, compliance issues can also arise if an organization were to incorporate unsupported open source software into its mainframe applications.
Keeping open source safe on the mainframe
So we know the concerns associated with using open source software. But are the companies and IT teams that rely on these tools prepared to deal with these risks and respond accordingly? The good news is that, based on the findings of Rocket Software’s research, The State of Mainframe Security, it is clear that the security of open source used on the mainframe is something that organizations take very seriously.
Organizations understand the importance of being proactive about security: 62% of survey respondents reported that their organizations routinely conduct vulnerability assessments and security audits, and another 58% said they engage in ongoing open source monitoring and updates so that security patches are applied quickly. IT leadership in these companies also understands the importance of workforce preparation. Of respondents, 54% said they train developers on best practices for secure coding and proper use of open source components. But respondents don’t just rely on proactive measures; many reported that strong processes have been put in place to manage the risks associated with open source software on the mainframe. Eighty percent say they have a well-defined process for managing and monitoring the use of open source software in mainframe environments.
The status of open source on the mainframe
At a time when cyber threats are rapidly evolving, the open source community’s ability to address vulnerabilities and release updates and fixes has become critical. Fortunately, 78% of respondents said they have a lot of confidence in the open source community’s ability to do just that and act quickly. Even as organizations come to grips with how open source software impacts their mainframe applications and security, it is critical that they work with a trusted source that can ensure critical updates and patches are ported to z/OS systems.
Learn more about how organizations are balancing the increasing use of open source software with mainframe security.