February is Free and Open Source Software month (FOSS). If you’ve ever used Mozilla Firefox web browser, Thunderbird email, PHP scripting, or Apache web server, then you’ve used open source programs. Open source software (OSS) is distributed with its source code available for modification by anyone, turning software development into a collaborative process.
Open source has become a bit of a buzzword in recent years, with opinions falling strongly in both the pro and con categories. Supporters tout OSS as an innovative concept that essentially crowd-sources software development for rapid evolution, bug identification and repair, readily available community support, and complete customization. Another boon, of course, is that it’s free and available to anyone, making for a more open network and faster download and development.
The flip side of the coin is that open source material also carries certain risks, especially for businesses. Part of this is simply at a level of inconvenience. Because OSS is generally created by and for computer professionals, it can be difficult for the average user to operate, and there is no free tech support of the sort often included in commercial software. The community approach also means that there’s no centralized management or development team to fix problems.
But OSS also comes with legitimate security dangers. By its very nature, open source lacks centralized security precautions or blocks, and the sheer volume of material discourages extensive security vetting. This makes it susceptible to exploitation, leaving businesses vulnerable to viruses and data leaks. All of this, proponents counter, is mediated by the fact that a widespread community exists to spot problems, make changes, and offer support. Recent data security scares such as the 2014 Heartbleed bug and 2017 Equifax breach have thrown harsh light on this rosy conviction, however, and there’s rising attention on management of open source security risks.
“I never liked the ‘with many eyeballs’ notion,” says Joshua Corman, CTO at the firm Sonatype. “Just saying there are ‘many eyeballs’ doesn’t mean that those eyeballs are motivated or qualified to look to find security vulnerabilities.”
In this vein, Black Duck Software recently reviewed 200 applications for its State of Open Source Security in Commercial Applications report. The findings were sobering: 67% of apps contained known open source security vulnerabilities, 39.5 percent of which were rated “severe.”
Furthermore, the reality is that almost all software — even commercial software — uses at least some open source material now.
“Due to the ubiquity of open source and the vital role it plays in virtually all types of software, understanding and managing its risks can no longer be optional,” says Andreas Kuehlmann, senior vice president and general manager of the Synopsys Software Integrity Group.
This isn’t to say that all data is doomed. While there’s little doubt that open source is here to stay, mitigating the risk of this approach is a matter of attention and diligence. According to Katie Moussouris, chief policy officer at the firm HackerOne and a former senior security strategist at Microsoft, it means rebooting our approach to software and digital data.
“We need to build a security mind-set,” she says. “This is important to every software project — open source or not.”
Several leaders in OSS development are already implementing security measures. Feature development, code audits, and careful inspection of software for vulnerabilities can drastically reduce the risks of open source use. Businesses can employ several methods to keep a careful eye on and protect their data. For example, MDL Technology offers patch management to quickly and efficiently repair vulnerabilities; network monitoring to keep constant vigilance and quickly locate issues; auditing to ensure compliance with regulations; and security, disaster recovery, and 24/7 support to deal with problems and repair breaches. If you’re concerned about the security of your company’s digital information, see the full list of MDL services, or give us a call at 816-781-3006.