Open Source Security Risks
There are a number of open source security risks you should be aware of before deciding whether or not to use open source code in applications or purchase open source software solutions.
There are security risks associated with any software, regardless of whether the source code is open and available to all, or kept secret. However, it is a commonly-held view that open source software is more secure than proprietary software; and while that is generally true, it does not mean that vulnerabilities can not exist in open source code. It is also possible to introduce vulnerabilities by improperly using open source code and failing to ensure that the code is updated.
In this article, we will explain some of the open source security risks that you should be aware of and suggest ways that you can reduce the risks to a low and acceptable level.
What is Open Source Software?
In software terminology, “open source” and “closed source” (or “proprietary”) distinguish code uploaded to a public repository from code that is kept private. Open source usually refers to code that has been made available via repositories such as GitHub to be inspected, used, and modified by anyone. An estimated 98% of organizations use open source components in applications, and upwards of 80% of code used in applications is open source.
Some organizations develop proprietary software and release some of the source code for public inspection to be totally transparent. In this case, the source code is not available for anyone to use – it has been made public to allow members of the open source community to check for security issues and to make sure the software is not performing any undesirable actions. This is especially important for security solutions.
Open Source Security Risks
There are several open source security risks that need to be assessed and managed if you decide to use open source code in applications or opt for an open source software solution.
Vulnerabilities are in the Public Domain
If the source code of software is put in the public domain, it can be accessed by anyone. While this is generally a good thing, bad actors can also access the code to look for vulnerabilities. Bad actor accessibility is often used as an argument against open source code. However, hackers do not need to wade through millions of lines of code looking for vulnerabilities to exploit, as there are far less time-consuming ways to attack organizations.
Nonetheless, one of the main open source security risks is that when vulnerabilities are identified, the vulnerabilities are publicized by the open source community. Vulnerabilities in open source projects are usually identified promptly; but, because they are made public, the potential exists for the vulnerabilities to be exploited before they are fixed. Vulnerabilities are also added to the National Vulnerability Database (NVD) where anyone can view the issues. It is therefore even more important to update open source components promptly than it is to patch proprietary software.
Open Source Code May Not Be Checked
One of the theoretical benefits of open source code is that many eyes are looking at the code and therefore security vulnerabilities will be identified faster. The theory is that a vendor of proprietary software may only have a couple of coders checking the closed source code, whereas there may be dozens or hundreds of people checking open source code.
While it is often true that open source code is reviewed more thoroughly, this is not always necessarily the case. Also, many people check source code to make sure that it performs the function they need it to. Bear in mind that many eyes looking at the code does not mean the people checking the source code are looking for security issues or that they are sufficiently skilled to identify security issues when they exist.
Open Source Code Needs to Be Checked and Updated
There may be no known vulnerabilities in open source code at the point when it is included in projects, but that does not mean vulnerabilities do not exist. Open source code is frequently updated and can quickly get out of date. If code is not regularly updated when updates are made available, security vulnerabilities may go unaddressed.
It is common for developers to incorporate open source components in applications and then never update the code. One study conducted by Veracode involved 13 million scans of 86,000 repositories and 301,000 unique libraries. It found that 79% of the time developers had not updated the code after including it in an application. Further, at least one security flaw was found in the majority of those libraries. Oftentimes, organizations fail to track where open source code has been used and are completely unaware of any components that need updating.
Is Open Source Software Secure?
While open source is widely believed to be more secure than proprietary software, open source security risks exist and need to be managed. Before any open source code or software is used, it should be carefully evaluated and checked for vulnerabilities.
An accurate and up-to-date inventory of all open source code should be maintained, and it is important to continually scan for vulnerabilities and ensure any that exist are addressed promptly. There are free and paid scanners that can be used to check for vulnerabilities. These tools automate scans for known vulnerabilities which will ensure vulnerabilities can be found and addressed more quickly.
If you are considering purchasing a software solution built on or including open source code, check to make sure there is a bug bounty program in place, an active community of users exists, and – ideally – that the finished software has undergone an independent security audit.
All organizations can benefit from open source components and software, but it is vital to implement practices to ensure open source security risks are properly managed.