Morgan Stanley
  • Innovation Lab
  • Oct 13, 2017

What You Don’t Know About Open Source Could Really Hurt You

To keep up with digital disruption, more companies are using free code, making it critical to monitor for—and patch—weak links that hackers might exploit.

Ian Folau admits it was hard at first to make the story of his startup, Gitlinks, an attention-grabber. “I’d talk about open-source code and how it’s going to be the next big cybersecurity threat, and people would just tell me it wasn’t a priority,” he says. “But now, I think they’ll decide it’s time to prioritize.”

Folau is alluding to a proliferation of cybersecurity breaches involving hackers exploiting vulnerabilities in free “open-source” code, which many companies use for website applications. While acknowledging that no silver bullet exists to protect against hackers, companies like Gitlinks, which develop open-source monitoring systems, can help corporations keep tabs on what open-source code developers are downloading, and alert users when vulnerabilities or legal compliance issues arise.

“It’s estimated that only about 10% of the Fortune 100 companies monitor their use of open-source code,” says Folau, adding that, very often, their monitoring systems may be manual and open to human error. “If you don’t know whether you have open-source code known to be vulnerable to attack, how can you fix it?”

Weak Links

For Folau, a West Point graduate, cybersecurity isn’t just about safeguarding companies and their customers. After spending nine years as a U.S. Army officer specializing in threat analysis and information security, he saw that, without state-of-the-art cybersecurity systems, corporate America could become the weak link in U.S. efforts to fend off terrorist attacks.

When he left the Army, Folau enrolled in graduate studies at Cornell Tech, where he met computer scientist Nwamaka Imasogie, who has an enterprise software development background. They co-founded Gitlinks, which is now among the first cohort of startups participating in Morgan Stanley’s Multicultural Innovation Lab.

“About 80% to 90% of all software is underpinned by open-source code,” says Folau. “There’s something like a million different open-source projects on the internet, and any one piece of vulnerable code could be used by hundreds of companies. Sometimes the exploits to these vulnerabilities are packaged into an ‘exploit kit’ found on the dark web.”

No Turning Back

Monitoring systems add to an already large cache of cybersecurity tools that companies deploy to protect themselves. But the bottom line, says Folau, is that there is no turning back the clock on using open source.

“Everyone is scrambling to keep up with technology disruption in their industry, and the fastest way to develop software is using what’s already been built and available for free online,” he says.

To be sure, monitoring and addressing open-source vulnerabilities in their systems is just the start for companies trying to stay ahead of hackers. The bigger problem is remediating those issues in time, without creating additional issues in the complex infrastructure of enterprise software, where a change to even one line of code can have a ripple effect.

“The use of open source is growing so quickly that many companies can’t move fast enough to patch a vulnerability,” Folau says, “even when they already know it exists.”

Folau may have struggled at first to convey to non-technologists the problem Gitlinks solves, but he says the Multicultural Innovation Lab has helped him refine his pitch, so that the importance of monitoring the use of open source resonates with more than just the tech savvy.

Ultimately, says Folau, “I’m excited to be a part of the solution, helping enterprises use open-source code safely and efficiently to develop their own businesses.”
