Security Considerations When Using Open Source Software

Defining "Open Source": “Open source” refers to an approach for creating computer programs using publicly available code that has been licensed by the original authors so that anyone can see it, modify it, and distribute new versions of it. Software developers create open-source code through voluntary collaboration. Developers can extend open-source code to create new standalone products or to add new functionality to existing software products.

Examples of open-source products include Google Chrome and Firefox web browsers. Because open-source software (OSS) is publicly available, anyone can make changes to the existing open-source code. This makes it easy for users to customize OSS to suit their business needs by adding, removing, or modifying capabilities.

History of Open-Source Software: Programmers and developers shared software in the 1950s and 1960s to learn from each other and evolve the field of computing. Unix, for example, gave its users access to the operating system's source code. During the 1970s and 1980s, the open-source notion was pushed aside by the commercialization of software.

Despite this, academics often collaborated on software development. Among the early examples are Donald Knuth in 1979 with the TeX typesetting system and Richard Stallman in 1983 with the GNU operating system. As a result, they coined the term "open source," which was quickly adopted by Bruce Perens, Tim O'Reilly, Linus Torvalds, and others. To promote open-source principles and encourage the use of the new term, the Open Source Initiative was founded in February 1998. Despite the Open Source Initiative's best efforts to spread the word and evangelize its principles, commercial software vendors were increasingly threatened by the concept of freely distributed software and universal access to source code.

Disadvantages: Overall, open-source software can offer many benefits, including cost savings, flexibility, collaboration, security, and innovation, but there are a few potential disadvantages:

  • Limited Support: While a large community of volunteers may be willing to help troubleshoot problems, open-source software may not have the same level of support as proprietary software.

  • Lack of a Single Point of Contact: With proprietary software, users typically have a single vendor or provider to contact for support and assistance. With open-source software, it can be more challenging to identify the appropriate point of contact for support.

  • Compatibility Issues: While open-source software is often designed to be compatible with many systems, there may be compatibility issues with specific hardware or software.

  • Limited Functionality: Some open-source software may not have the same level of functionality as proprietary software, especially in niche or specialized areas.

  • Lack of Professional Development: While a large community of volunteers may contribute to open-source projects, fewer professional developers may work on the software, which can impact its development and maintenance.

  • Potential Legal Issues: It is important for users of open-source software to be familiar with the specific license terms associated with the software and to ensure that they comply with those terms to avoid legal issues.

Risks of Using OSS: Open-source software, while offering numerous benefits, also presents risks, primarily concerning security vulnerabilities, intellectual property issues, and potential quality inconsistencies due to the public nature of the code and reliance on community contributions. Before you acquire and implement OSS, it is essential that you conduct assurance activities. This will allow you to continue to protect the security of your organization’s networks, systems, and information.

Not all OSS carries the same level of risk. In fact, many commercial IT security products have open-source components built into their code. For example, companies that manufacture IT security products with cryptographic functionality use OpenSSL, an open-source cryptographic library.

Excessive Access:

  • Open access means the code is available to everyone, including cyber threat actors who can manipulate it for malicious purposes.

  • Threat actors can exploit OSS to gain unauthorized access to your networks and sensitive information.

  • The public nature of OSS means that any vulnerabilities discovered are also publicly known, giving malicious actors the opportunity to exploit these weaknesses before they are patched.

Lack of Verification:

  • There is no guarantee that qualified experts have conducted thorough testing and quality assurance during OSS development.

  • This lack of verification can leave your IT infrastructure vulnerable to security breaches.

Lack of Support:

  • Most OSS relies on community support for maintenance and for reporting and patching vulnerabilities.

  • Without dedicated support, updates and security patches may be delayed or unavailable, increasing the risk of exploitation by cyber threat actors.

OSS Development Lifecycle: OSS development values collaboration and transparency. It includes collecting requirements, designing, implementing, testing, releasing, and maintaining. Security is not always a priority at each of these stages, which can lead to vulnerabilities.

Improving OSS Security: Secure-by-design initiatives encourage building security into OSS from the start rather than adding it afterward. Using memory-safe languages like Rust and Python can reduce memory-safety vulnerabilities.

Protecting Your Organization: Before acquiring new software, determine your organization's risk tolerance. When your risk tolerance is clearly identified, you can narrow down software choices and pick the products that meet your business needs and security requirements.

Before Installing New Software: Your organization needs procedures to detect and mitigate vulnerabilities. These can include:

  • Proactive software security testing

  • Software update vetting

  • Removal of deprecated protocols

  • Security hardening

  • Incident response monitoring
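The following is an added example, not code from the original article, showing what two of the procedures above look like in practice for a single open-source dependency: software update vetting (the downloaded artifact's SHA-256 must match a digest the organization pinned at review time) and proactive security testing (the requested version is compared against published advisories). The package name, version numbers, artifact bytes and advisory entry are all constructed sample data; a real check would read the pinned digest from a manifest you control and query an advisory database instead of the inline list.

```python
"""Minimal update-vetting check for an open-source dependency before install.

Added example, not from the original article. The package name
"examplelib", its versions, the artifact bytes and the advisory entry are
constructed for illustration only.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    """One published advisory: versions strictly below `affected_below`
    are vulnerable; `fixed_in` is the first version carrying the fix."""
    package: str
    affected_below: tuple
    fixed_in: str


# Constructed advisory feed (hypothetical package and versions).
ADVISORIES = [
    Advisory(package="examplelib", affected_below=(1, 4, 2), fixed_in="1.4.2"),
]


def parse_version(version: str) -> tuple:
    """Turn "1.10.0" into (1, 10, 0) so versions compare numerically,
    not lexically ("1.10" must sort after "1.9")."""
    return tuple(int(part) for part in version.split("."))


def known_advisories(package: str, version: str) -> list:
    """Return every advisory in the feed that applies to this version."""
    ver = parse_version(version)
    return [a for a in ADVISORIES
            if a.package == package and ver < a.affected_below]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def vet_update(package: str, version: str, artifact: bytes,
               pinned_digest: str) -> dict:
    """Decide whether an artifact may be installed.

    Returns a dict with `approved` (bool), the computed `digest`, and a
    list of human-readable `findings` explaining any rejection. Every
    control is evaluated so the report lists all problems at once.
    """
    findings = []

    # Control 1: the bytes we fetched must be the bytes that were reviewed.
    # compare_digest avoids timing differences when comparing hex strings.
    actual = sha256_hex(artifact)
    if not hmac.compare_digest(actual, pinned_digest):
        findings.append(
            "digest mismatch: artifact differs from the pinned release")

    # Control 2: do not install a version with a published, unpatched flaw.
    for adv in known_advisories(package, version):
        findings.append(
            f"known advisory for {package} < {adv.fixed_in}; "
            f"upgrade to {adv.fixed_in} or later")

    return {"approved": not findings, "digest": actual, "findings": findings}


# Constructed release artifact and the digest an organization would have
# recorded in its manifest when the release was reviewed.
GOOD_ARTIFACT = b"examplelib-1.4.2 release tarball (constructed bytes)"
PINNED_DIGEST = sha256_hex(GOOD_ARTIFACT)


if __name__ == "__main__":
    for ver, blob in [("1.4.2", GOOD_ARTIFACT),
                      ("1.4.2", GOOD_ARTIFACT + b"\x00"),
                      ("1.3.9", GOOD_ARTIFACT)]:
        report = vet_update("examplelib", ver, blob, PINNED_DIGEST)
        status = "APPROVED" if report["approved"] else "REJECTED"
        print(f"examplelib {ver}: {status}", *report["findings"], sep="\n  ")
```

Running the script vets three constructed cases: the reviewed artifact is approved, a tampered artifact is rejected for a digest mismatch, and an older version is rejected because an advisory covers it. The advisory check is intentionally separate from the digest check so that a correctly signed but vulnerable release is still caught, which is the gap the "publicly known vulnerabilities" and "delayed patches" points above describe.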
