Open Source is Safe, But Not Risk Free
Open-source software can accelerate development schedules, cut licensing costs and leverage a robust community of international developers. Still, those strengths can also be exploited as security weaknesses.
For agencies trying to stretch their IT investment, the question isn’t simply to use or not to use Open Source. Rather, it’s how to do so safely and securely.
Scott Gregory, deputy director of the Office of Digital Innovation for the State of California’s Department of Technology, said Open Source software benefits from its large user communities, which have a shared interest in quickly fixing vulnerabilities. He’s fond of the saying “Given enough eyeballs, all bugs are shallow,” an axiom known as Linus’s Law and named for Linus Torvalds, the creator of the Open-Source Linux operating system.
More formally, Linus’s Law states that getting code in front of more developers and beta testers ensures that almost every problem will be characterized quickly and, through crowdsourcing, a simple fix will follow. Gregory says the concept works if you choose an Open Source product with a strong and vibrant user base.
“We’re kind of looking for that sweet spot, those that have been tried and true and have gained notoriety as a very stable platform,” Gregory said.
Still, it takes more than a crowd to secure platforms, said Mike Pittenger, vice president of security strategy at Black Duck Software, a Burlington, Mass., provider of specialized tools that secure and manage Open Source software. A Black Duck audit of vulnerabilities in Open Source solutions found that on average, most were more than five years old, yet still remained embedded in some solutions.
“The issue is not that these vulnerabilities aren’t identified by security researchers,” Pittenger said. “Overwhelmingly, individuals analyzing Open Source projects are the source of these disclosures.”
Rather, the problem was in instituting necessary changes to close up the vulnerabilities. Reasons for delays included:
- The number of discrete open source components in commercial applications turned out to be twice what code owners thought, averaging about 100. That meant those in charge of tracking and fixing security problems were unaware of some modules used in their organizations’ software.
- Open Source software doesn’t have a company behind it that takes responsibility for pushing out fixes like proprietary software does. Instead, Open Source users must discover these updates, pull them into their systems and apply their own patches or updates.
- The pace of published vulnerabilities continues to increase, as do instructions for how to exploit them that are posted both on the public Internet as well as on the dark web.
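The first two reasons above come down to knowing what you actually ship and checking it against published advisories. The following is an added example, not code from the article or from any of the organizations it quotes: it reconciles a constructed declared-dependency list against a constructed resolved lockfile (surfacing the transitive components nobody declared) and flags components still running versions older than the fix named in a constructed advisory feed, along with how long each advisory has been public. All component names, versions, advisory IDs and dates are made up for illustration.

```python
from datetime import date

# Constructed sample data (not from the article): what the team *thinks* it ships
# (direct dependencies it declared) versus what the resolved lockfile actually
# pulls in, including transitive components that nobody is tracking.
DECLARED = """
webframework==2.4.1
templating==1.9.0
"""
RESOLVED_LOCK = """
webframework==2.4.1
templating==1.9.0
xmlparse==1.2.3
imagelib==0.9.8
httpcore==3.1.0
"""
# Constructed advisory feed: affected component, first fixed version, publication date.
ADVISORIES = [
    {"id": "ADV-CONSTRUCTED-0001", "component": "xmlparse", "fixed_in": "1.2.4", "published": date(2010, 6, 1)},
    {"id": "ADV-CONSTRUCTED-0002", "component": "imagelib", "fixed_in": "1.0.0", "published": date(2015, 3, 15)},
    {"id": "ADV-CONSTRUCTED-0003", "component": "httpcore", "fixed_in": "3.0.0", "published": date(2014, 1, 1)},
]
AUDIT_DATE = date(2016, 9, 1)  # fixed "today" so the age calculation is reproducible

def parse_manifest(text):
    """Return {component: version} from 'name==version' lines, ignoring blanks."""
    out = {}
    for line in text.strip().splitlines():
        name, _, version = line.strip().partition("==")
        if name:
            out[name] = version
    return out

def version_key(v):
    """Dotted numeric version -> tuple so that 1.2.3 < 1.2.4 < 1.10.0 compares correctly."""
    return tuple(int(p) for p in v.split("."))

def untracked_components(declared, resolved):
    """Components present in the build but absent from what the owners declared."""
    return sorted(set(resolved) - set(declared))

def outstanding_advisories(resolved, advisories, today):
    """Advisories whose fix is newer than the shipped version, with age in years."""
    findings = []
    for adv in advisories:
        shipped = resolved.get(adv["component"])
        if shipped and version_key(shipped) < version_key(adv["fixed_in"]):
            age_years = round((today - adv["published"]).days / 365.25, 1)
            findings.append((adv["component"], shipped, adv["id"], age_years))
    return findings

def audit(today=AUDIT_DATE):
    """Run both checks over the constructed inventory and return the results."""
    declared, resolved = parse_manifest(DECLARED), parse_manifest(RESOLVED_LOCK)
    return untracked_components(declared, resolved), outstanding_advisories(resolved, ADVISORIES, today)

if __name__ == "__main__":
    untracked, findings = audit()
    print("Undeclared components in the build:", untracked)
    for component, shipped, adv_id, age in findings:
        print(f"{component} {shipped}: {adv_id} still unpatched, public for {age} years")
```

Only `httpcore` passes, because 3.1.0 already carries the fix; the two flagged components were both pulled in transitively, which is exactly the gap the audit above describes.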
“One of the ways Open Source can move so quickly from lab to production is by bypassing critical bottlenecks like security reviews, which are known to take a long time,” said Andy Ma, senior software architect for General Dynamics Information Technology, a provider of software solutions for the federal government. “Open Source can accelerate deployment, but developers and system owners still need to pay attention to security issues, since they are responsible for making sure that no vulnerabilities exist.”
With the growing popularity of Open Source, that poses a risk: Bad actors face a target-rich environment, making it relatively easy to test a known exploit of a commonly used Open Source component against IP addresses to see which might be vulnerable.
Indeed, Pittenger predicts a 20 percent rise in the number of cyber-attacks on Open Source components over the next year. Yet that doesn’t mean Open Source is any more vulnerable than proprietary software, Pittenger said. All software has vulnerabilities. Close monitoring and rapid updates are just part of the deal when organizations adopt Open Source, as is sharing with other users.
“We should continue to encourage public and private sector organizations to contribute back to Open Source projects, [both] more research by individuals that uncover complex bugs and the responsible disclosure of vulnerabilities,” Pittenger said. “This will help make Open Source more secure, and better leverage the ‘many eyes’ theory by getting more ‘security eyes’ on the code.”
The Mozilla Open Source Support program does just that. Launched in the wake of such major security bugs as Heartbleed and Shellshock, which affected core pieces of popular Open Source software, the program aims to increase “security in the Open Source ecosystem” by:
- Contracting to pay professional security firms to audit other projects’ code
- Working with the project maintainers to support and implement fixes and manage disclosure
- Investing in independent verification, to ensure that published fixes do in fact work
The organization recently examined five Open Source components, identifying one critical, one high- and 12 medium-rated vulnerabilities.
Of course, it falls to individual system owners to apply those fixes to their own implementations.
In New York, the New York Office of Information Technology Services (ITS) standardized its WebNY project on Drupal, a popular Open Source content management system. To ensure security, ITS maintains a continuous review of security patching and leverages work done elsewhere that identifies potential risks and fixes.
At the national level, Ann Duncan, former chief information officer at the U.S. Environmental Protection Agency, agreed that more eyes and a bigger community should help ensure security, saying that popularity is important when selecting Open Source code.
“If you stay with an Open Source tool in the top 1 to 5 percent of solutions, which means the largest number of users and contributors, then you’re likely to be pretty safe,” Duncan said, “because there are lots of eyes on that technology and it’s used a whole lot.”
Large user bases usually spell faster updates, suggested Eric Mill, a senior advisor on technology for the GSA’s Technology Transformation Service.
“There are all sorts of patches being applied throughout the day as the community does its work,” Mill said. “That feels good from a security perspective, especially given that patch management and update management is a huge security problem in the enterprise.”