We’re surrounded by news of data breaches and companies being compromised, and the existential threat of ransomware hangs over just about every organisation that uses computers.
One of the consequences is that we are hassled by an ever-increasing number of software updates, from phones and computers to vacuum cleaners and cars; download this, restart that, install the updates. Most of these devices and tools run open-source components: in a 2022 open source security and risk analysis report,
Are the security issues we are seeing related to the use of open-source software? Does proprietary software have any more inherent safety or security benefits?
The short answer is no. More and more security flaws are being found simply because there is more software being produced in the world than ever before, and more aspects of our lives are incorporating software features.
In fact, open-source software has been at the forefront of this technological transformation, giving anyone in the world the access and opportunity to develop functionality and products that would have been infeasible without free access to such resources.
Obscurity is not security
Programmers generally write their source code for two audiences. First, for the computers that are going to execute the code. Second, for other programmers to update, adapt and maintain the code at a later date. It is this second aspect which gives open-source software its broad appeal: everyone is able to see the code, understand it, and use it safely in the knowledge that they understand it.
For the computers though, the code is compiled into a machine-readable form that the CPU can process and execute directly. This machine language is much harder for real people to understand: though it is still possible to look at what the program is doing, it is significantly more difficult and time-consuming to do so, which leads to a popular belief that this makes it more secure.
However, obscurity is not security, and there are plenty of motivated individuals who like nothing better than the challenge of disassembling a compiled program to study its inner workings.
This topic is discussed in depth in episode 185 of the Ubuntu Security Podcast.
How do you consume open source securely?
Open-source software does have vulnerabilities, just the same as proprietary or closed-source software. Software vendors within both paradigms are equally beholden to keeping on top of the vulnerability reports, issue patches and fixes, and keeping their users safe. But there are some best practices you can apply to mitigate risks.
Synopsys discovered in their 2022 analysis that 85% of codebases contained open source that was more than four years out-of-date. Whether code is open or proprietary, the most crucial security measure is patching and updating that software, and the best way to do this is to consume the software from a trusted source which provides strong security maintenance commitments.
This enables you and your customers to remain safe from newly discovered threats. If and when vulnerabilities are discovered, you can rely on experts to fix them before attackers can exploit them.
Defence in depth
Another important aspect is to maintain defence in depth for your software platforms, so that if one particular component of the stack is vulnerable, an attacker can’t gain a foothold and spread their malfeasance any further. This can be achieved by hardening your systems, locking down the configuration options and removing unnecessary components that might aid a malicious actor.
Summary
All software systems have vulnerabilities and weaknesses, regardless of their development methodology, and the majority of cloud platforms rely on open-source security every day.
The biggest step to keep systems secure is to use software that is actively maintained and updated. The next step is to raise the bar for security by hardening your systems and preventing one small weakness turning into a full-blown nightmare.
