Many businesses depend wholly or in part on open source software. But is it secure?
Open source software provides an interesting challenge for a number of businesses. Some hesitate to use it from a suspicion that it is less secure than its proprietary counterpart. Others assume that, with so many eyes reviewing the code, potential security vulnerabilities must be patched quickly.
However, the situation is more complicated than either of these views suggests. Relying on the secrecy of proprietary closed-source code is just as dangerous as assuming your open-source software has been critically examined by a team of knowledgeable engineers.
Security through obscurity isn’t enough to protect your system.
One concern about open source software is that, because the source code is freely available, it must be easier to exploit. The theory is that, because the code of proprietary software is hidden, it must be more secure. After all, even if there were hidden flaws in the code, hackers wouldn’t be able to exploit them if they couldn’t see them.
Unfortunately, this strategy, typically known as “security through obscurity,” has many flaws. In fact, the National Institute of Standards and Technology (NIST), which the US government and many other organizations rely on for security standards, explicitly advises against relying on security through obscurity to keep systems safe:
System security should not depend on the secrecy of the implementation or its components.
Proprietary software has its own vulnerabilities, and trusting it to remain secure simply because the source code is hidden is a serious compliance problem.
Hackers don’t need to see the source code to crack your security.
Your source code could be perfectly secure, and hackers would still be able to breach your system through human error, poorly maintained software, or poorly configured user permissions. But more importantly, they can use IDA Pro, a disassembler and debugger program, to translate a piece of proprietary software from its binary form to assembly code.
Essentially, this gives malicious actors the ability to bypass the “hidden” nature of the source code and exploit both the vulnerabilities that haven’t yet been discovered and those that have been discovered but not yet patched.
Many eyes on the code doesn’t guarantee timely review or patch updates.
One of the main arguments in favor of open source is that the transparency of the code means more users checking it for vulnerabilities. Unfortunately, this often isn’t the case. Not every piece of open source software has the dedicated user base to scrupulously check each line of code for errors, and even when a team does check it, there is no guarantee they have the knowledge or expertise to identify and address all problems. And while there are vulnerability-scanning solutions available for open source software, that doesn’t mean anyone has used them on a specific program.
That said, organizations can gain a reasonable understanding of a software’s security by tracking the time it takes for a team to release a patch after a vulnerability is discovered. Generally speaking, a quick turn-around time on patch releases is an indication of an active security team, although users should also take into consideration the seriousness of the threat and the quality of the patch.
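One way to track the patch turnaround described above, as an added example that is not part of the original post: a short Python script that computes days-to-patch per severity and flags advisories that exceed an assumed remediation window. The advisory records and the SLA tiers are constructed for illustration, not real CVEs or any standard’s mandated figures.

```python
from datetime import date
from statistics import median

# Constructed sample advisory records (not real CVEs or projects). Each carries
# the date the flaw was disclosed to maintainers and the date a fix shipped;
# None means no fix has been released yet.
ADVISORIES = [
    {"id": "EXAMPLE-2023-0001", "severity": "critical", "disclosed": date(2023, 1, 3), "patched": date(2023, 1, 5)},
    {"id": "EXAMPLE-2023-0002", "severity": "high", "disclosed": date(2023, 2, 10), "patched": date(2023, 2, 24)},
    {"id": "EXAMPLE-2023-0003", "severity": "medium", "disclosed": date(2023, 3, 1), "patched": date(2023, 4, 15)},
    {"id": "EXAMPLE-2023-0004", "severity": "high", "disclosed": date(2023, 5, 20), "patched": None},
    {"id": "EXAMPLE-2023-0005", "severity": "low", "disclosed": date(2023, 6, 2), "patched": date(2023, 6, 30)},
]

# Assumed maximum acceptable days-to-patch per severity (illustrative tiers,
# not a figure taken from NIST or any other standard).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Reporting date for the example run.
AS_OF = date(2023, 7, 1)


def days_to_patch(advisory, as_of):
    """Days from disclosure to fix; an unpatched advisory keeps aging until as_of."""
    end = advisory["patched"] or as_of
    return (end - advisory["disclosed"]).days


def patch_turnaround_report(advisories, as_of):
    """Median days-to-patch per severity, SLA misses (fixed late or still open), and open count."""
    per_severity = {}
    sla_misses = []
    open_count = 0
    for adv in advisories:
        age = days_to_patch(adv, as_of)
        per_severity.setdefault(adv["severity"], []).append(age)
        if adv["patched"] is None:
            open_count += 1
        if age > SLA_DAYS[adv["severity"]]:
            sla_misses.append(adv["id"])
    return {
        "median_days": {sev: median(ages) for sev, ages in per_severity.items()},
        "sla_misses": sla_misses,
        "open": open_count,
    }


if __name__ == "__main__":
    print(patch_turnaround_report(ADVISORIES, AS_OF))
```

Feed it a project’s real advisory history to compare median turnaround across severities; a long tail of open high-severity items is the signal the passage above describes.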
Open source software has security vulnerabilities. So does proprietary software.
At the end of the day, both open source and proprietary software have security vulnerabilities. It is the organization’s duty to conduct due diligence, find the best products for their uses, and keep their systems up to date. If a piece of proprietary software is the best solution under these circumstances, then that’s what the organization should use.
However, open source software has many advantages over proprietary solutions, even if security isn’t one of them. For one, it’s usually less expensive. While there may still be legal and licensing costs associated with some applications, they tend to be lower than those of their proprietary counterparts.
Furthermore, open source is increasingly being embraced by large players in the software industry, including Microsoft. This gives users the advantage of highly developed software, while still providing them the ability to make small adaptations as necessary.
To stay safe, know where your true vulnerabilities lie. And have a backup plan.
Finally, your software is only one piece in your security puzzle. You must also maintain network security via other means:
- Use strong passwords and multi-factor authentication. Using the same password across multiple accounts is a threat, and adding another authentication factor reduces risk.
- Maintain security updates on all software. The best patches in the world won’t help you if you haven’t installed them.
- Remove software that is no longer in use. Software you’re no longer using is more likely to have unresolved security updates, and only provides another possible hole for hackers to exploit.
- Control user access to secure data. In case of a security breach, user access control can limit the spread of the threat and keep your most confidential information secure.
- Encrypt data as necessary. Encryption in transit, at rest, and in use will protect sensitive information, even if it is intercepted.
- Deploy breach detection software. Monitoring suspicious activity can help you shut down a breach early, thereby reducing the chances it will compromise your business.
- Have a response protocol in place in case of breach detection. Anticipate that at some point your security will be breached, and have a plan in place for limiting damage.
If you need help keeping your security up to date, we can help. We specialize in NIST compliance, among others, and offer a free network assessment to help you get started.