A Guide to Open-Source Software Security Risks & Best Practices
Community-developed software applications can lower costs and increase productivity within any business. However, is open-source software secure?
A few years back, when the major data breach of credit bureau Equifax occurred, there was a lot of discussion about open-source code and how secure it is. Fast forward to today, and it’s widely acknowledged that open-source code poses extensive benefits for consumers and businesses alike.
Using community-developed software speeds up development times and reduced the costs of commercial software by removing the need to build entire applications from scratch. But as open-source becomes increasingly popular, the key question remains: Is open-source software secure?
To help you understand open-source better, the team at ESET has written a guide on open-source software security risks and best practice tips.
What is open-source software?
Open-source software is software whose source code - the code with which computer programmers create software applications - is freely available (usually on the Internet), meaning anyone can inspect, modify, and enhance it.
Open-source software tends to fall under a variety of licensing terms (more than 1400 different open-source license have been counted), but these generally have two things in common: The software can be used without paying a license fee, and anyone can modify or improve the program by adding features to it or by fixing code that isn’t running correctly. However, open-source software isn’t always free of charge - programmers can charge money for the open-source software they create, or for helping others install, use, or troubleshoot the software.
The most well-known example is GNU/Linux, but there are thousands of other open-source software products created for a seemingly endless range of functions and needs. If you’re not a developer, you’ll likely be surprised at just how much of your company’s software depends on community-driven components.
Open-source vs. proprietary software
While open-source software is publicly accessible, proprietary or “closed source” software has highly guarded, private source code and is usually commercial software. Source code for proprietary software is generally only accessible to the person, or staff of the company that created it.
To use proprietary software, you must enter into an agreement - often by signing a license, or by accepting an End User License Agreement (EULA) displayed during installation or before the first use of the software. EULAs generally place extensive limitations on what the user can do with the software, including prohibiting reverse engineering or modifying the code. Microsoft Windows, macOS, Adobe Flash Player, Photoshop, and Microsoft Office are examples of popular proprietary software.
Some people consider open-source software more secure than proprietary software, for a number of reasons (including the “many eyes” myth). As well as providing cost, flexibility, and speed advantages, community-produced projects are generally more transparent about vulnerabilities than proprietary software developers. Having a larger number of people working on an open-source project might not mean a better chance of finding and fixing vulnerabilities or bugs proactively, but should see discovered bugs corrected more quickly.
You can also review the code yourself, and then either stay with the current version, release your own, or even disable any functions you think might be insecure. With closed source software, you simply have to trust that the developer knows what they’re doing and you are entirely in the developer’s hands as to the timing of updates for security vulnerabilities.
Open-source software and data privacy
However, there are still a number of security concerns when it comes to open-source software. The short release cycles of some non-proprietary projects can make it difficult to check and maintain the security of every new product - plus not all developers are security experts.
For example, OpenSSL is an encryption library used for handling a very security-critical function by a great deal of internet-connected software, including that running some of the most popular web, email and messaging services. As it is open-source software, presumably its code had been very carefully checked, often, and by many experts. That did not prevent it shipping for approximately two years with a critical memory leak vulnerability that has been named Heartbleed.
Similarly, in 2014 the popular Bash shell – the default command processor on many Linux distributions – was found to suffer from an arbitrary command execution vulnerability that could be remotely exploited through server-side CGI scripts on web servers, and many other more arcane mechanisms. Named Shellshock, post mortem analysis showed that the basis for this vulnerability was functionality added to Bash about 25 years earlier.
The truth is, any code, whether closed source or open-source, will likely have some security vulnerabilities. These may be due to all manner of causes, from correctly implementing a flawed design to deliberately planted backdoors or other weaknesses. Further, even proper implementations of good security designs may be flawed in their deployment due to such things as incorrect configuration, failure to follow security guidelines, the use of weak passwords, and so on.
Ultimately, it’s down to the open-source developer to make their code secure, but if you use that software, you can take extra steps to protect yourself.
How to identify secure open-source software
To investigate the suitability of a software solution, you need to evaluate the security and reputation of each piece of software you’re interested in using. An excellent place to start is to review its version history and look at previous security issues for red flags.
Particularly for software providing cryptographic services, check if there have been independent audits of the product’s design and implementation. Security, and especially cryptography, is hard so having independent reviews by bona fide experts in the relevant fields is especially important for security-sensitive code. Even word of mouth from a trusted colleague can give you a good idea of what’s reliable. Additionally, find out what software your partners, competitors, and established organisations in your field are using.
It may be that the best option for you is proprietary software or even a mix of closed and open-source tools. The critical thing is that you make your decision based on thorough research.
How to secure your data when downloading open-source software
The key to keeping your data secure is to monitor for new threats continuously. Are you using a current version of the open-source project? Is it the most secure version? Is the code actively maintained by an expert, trustworthy community?
It’s vital to stay up to date - either by checking for insecurities found and logged in online sources, or through automated security tools. Automation is usually the best option for most companies, as manually checking your open-source use will require significant investments of time, resources, and budget.
Whether you decide to use proprietary software, open-source, or a mixture of both, it’s vital to maintain a robust security posture that monitors for insecurities and protects against data breach attempts.
To find an antivirus solution that’s right for you, get in contact with the team at ESET today!