Is open source safe?

Tim Mackey, the principal security strategist at the Synopsys Cybersecurity Research Centre, answers a question troubling many IT specialists: is open source safe?
Tim Mackey, the principal security strategist at the Synopsys Cybersecurity Research Centre, answers a question troubling many IT specialists: is open source safe?

As new vulnerabilities are disclosed against open source components and new attacks are launched against repositories of open source components, and even against open source development methodologies, it’s important to ask the question: just how safe are open source components?

In order to answer this question, we must first define some parameters. This is crucial since open source technologies power modern software development. In fact, there are very few software applications and services that don’t have at least some open source elements in them.

Open source components range from the foundational, such as services that keep the clocks of servers, mobile phones and computers in sync or encryption libraries used to secure internet traffic, through various software development kits enabling rapid innovation in IoT ending with simple utilities designed to make automation of common tasks like software deployment easier. All of these millions of open source projects have one thing in common – the source code is freely downloadable and anyone can create a derivative of the main project without approval from the project owners.

It is this freedom that powers innovation and represents risk. After all, if anyone can create a derivative of a project, then that must mean that attackers can spoof any project at any time. The end point of that argument is open source must be “unsafe,” deficient or insecure in some way.

The counterpoint being that commercial software is somehow safer due to tighter controls or greater resources. What those making this argument don’t realize is that commercial software is on average 70% open source, but more importantly, all software has bugs and no software development process is perfect.

Furthering this point, of the 1,500+ codebases scanned in the 2021 Open Source Security & Risk Analysis (OSSRA) report, 98% contained open source. Additionally, of those scanned, 84% of codebases contained at least one vulnerability—an 9% increase from the previous years’ findings.

Since all software has bugs, bugs can be exploited and even the most secure software can be deployed in an insecure manner. So why does the safety and security of open source keep coming up? Well, if open source components are good enough for commercial software vendors to use, that must mean something? And, if open source technologies are good enough for the largest cloud providers, that must mean something too, right? What do they know that those asking safety and security questions don’t?

It turns out that the core problem is one of familiarity and, well, blame. There is no vendor known as “open source.” This means in part that when someone wants to procure an open source solution, there is no contract to sign and by extension nothing for corporate procurement teams to do. Since corporate procurement teams are often the gatekeepers for compliance within business, this then implies that anyone can bypass compliance, and that’s a bad thing. Just imagine the chaos if everyone could freely download the software they required without IT or procurement being involved.

While that last sentence reads as tongue-in-cheek, the reality is that any software that enters an organization without IT involvement isn’t likely to be patched. And patch management in open source is very different than with commercial software. With no single origin point for an open source component, it’s important to keep track of where each component or application was downloaded from. That’s where any patches or updates need to come from.

Since we all know how important patching is for security, if there are any unpatched open source components in your business, then that’s a risk, particularly given the reality that open source software is freely downloadable without IT involvement.

Once you know the origin of the open source component, not only can you create a patch strategy for it (hint: updates work differently than with commercial software), but you can also assess the safety of the component. Component safety in this context refers to how the component is actually developed.

Common questions to ask at this point include:

  • Am I at a true origin or on a fork? True origins represent the main development effort for the component, and a fork is any branch of the component. Unless you have a really good reason to use a fork, you should always be using the true origin of the component, also known as “upstream.”
  • Does the component have a well-defined security policy? Only the most popular open source projects have such a policy, and the policy will describe how security incidents are managed.
  • Is there a well-defined contribution model? Open source projects thrive when there are active contributors, but if there isn’t a defined contribution model, there likely isn’t a set of criteria for what a high-quality contribution looks like. Some contribution guidelines explicitly set testing requirements for any contribution.
  • Who are the top contributors? All software has contributors, but not every contributor understands the entire source code. If the top contributors are new to the project, that could indicate a shift in development priorities or that long time contributors have moved away from the project.

While there is no real difference in the safety of open source versus commercial software, the reality is that there are multiple safety standards within different industries and all software, regardless of origin, will need to be vetted against applicable standards.

READ MORE:

For usage where safety standards don’t exist, the question of safety is really one of management. Are your teams able to guarantee that they can patch open source components and are vetting the changes in any updates? If you don’t have a good open source management process in place, the safety of individual components shouldn’t be a top priority.

For more news from Top Business Tech, don’t forget to subscribe to our daily bulletin!

Follow us on LinkedIn and Twitter

Amber Donovan-Stevens

Amber is a Content Editor at Top Business Tech

Choose an AI solution to transform beyond technology

Kit Cox • 09th December 2024

The first step is knowing exactly what your business wants to achieve with AI; think faster, smarter and more efficient. Once you know what you are working towards, you can start looking for a solution that can help you make it a reality. AI integration can feel like a daunting task at the beginning, so...

A Roadmap to Security and Privacy Compliance

John Lynch Director of Kiteworks • 04th December 2024

Only by understanding the current regulatory environment and implementing robust data protection measures, can organisations enhance their security posture, ensure compliance, and build resilience against the latest cyber threats. This article provides a comprehensive roadmap of how to do it.

Data-Sharing Done Right: Finding the Best Business Approach

Bart Koek • 20th November 2024

To ensure data is not only available, but also accessible to those that need it, businesses recognise that it is vital to focus on collecting, sorting and governing all the data in their organisation. But what happens when data also needs to be accessed and shared across the business? That is where organisations discover a...

Nova: The Ultimate AI-Powered Martech Solution for Boosting Sales, Marketing...

Erin Lanahan • 19th November 2024

Discover how Nova, the AI-powered engine behind Launched, revolutionises Martech by automating sales and marketing tasks, enhancing personalisation, and delivering unmatched ROI. With advanced intent data integration, revenue attribution, and real-time insights, Nova empowers businesses to scale, streamline operations, and outperform competitors like 6Sense and 11x.ai. Experience the future of Martech with Nova’s transformative AI...

How E-commerce Marketers Can Win Black Friday

Sue Azari • 11th November 2024

As new global eCommerce players expand their influence across both European and US markets, traditional brands are navigating a rapidly shifting landscape. These fast-growing Asian platforms have gained traction by offering ultra-low prices, rapid product turnarounds, heavy investment in paid user acquisition, and leveraging viral social media trends to create demand almost in real-time. This...

Why microgrids are big news

Craig Tropea • 31st October 2024

As the world continues its march towards a greener future, businesses, communities, and individuals alike are all increasingly turning towards renewable energy sources to power their operations. What is most interesting, though, is how many of them are taking the pro-active position of researching, selecting, and implementing their preferred solutions without the assistance of traditional...

Is automation the silver bullet for customer retention?

Carter Busse • 22nd October 2024

CX innovation has accelerated rapidly since 2020, as business and consumer expectations evolved dramatically during the Covid-19 pandemic. Now, finding the best way to engage and respond to customers has become a top business priority and a key business challenge. Not only do customers expect the highest standard, but companies are prioritising superb CX to...