What are the security risks associated with open source software?
There is a general belief that open source software carries a lot of security risk, since it is open to multiple users who may or may not be qualified to critique the original code and add value to the program. However, the converse is held to be equally true, with big names like Amazon and Google successfully implementing open source in their software stacks. A thorough analysis of the risks associated with open source and ways to circumvent them is the need of the hour if companies want to hold their ground in the age of Cloud and virtualization.
As the name suggests, open source software is a computer program whose source code is available free of cost to general users for use or modification. The pros of open source software are multiple:
- It allows the user to operate independently of a vendor and thereby free of the restrictive modes of a system.
- The chances of bug detection and removal are far higher, since the code is open to users who can review, modify and improve upon the original, leading to a better end product.
- It frees up significant investment costs for the company, as opposed to paying a premium for proprietary software.
- Since the software allows for changes, the program can be effectively customized as per specific requirements.
Despite these advantages, companies looking to implement open source software as a part of their software stack have to deal with certain potential disadvantages, the foremost being security risk. Since the code is open for general use and modification, there is a high possibility of the software being infected with malware, posing a high security threat to the company’s environment.
Why is open source a security threat?
The absence of scrutiny: Proprietary software undergoes a standard evaluation procedure before a company decides to invest in it. The requirement itself is evaluated carefully, followed by weighing the pros and cons of the product. The effectiveness of the product, as well as its features, is analyzed and compared with other available options in the market. Since open source software is bereft of such measures, the security risks are high and can extend to unforeseen losses, such as loss of credibility and business for the company.
Lack of qualified and motivated users: Just because the program is open for use and modification does not necessarily mean an improved program free from bugs. The users working on the code have to be qualified enough to detect vulnerabilities and plug them effectively. Also, why would a developer be motivated enough to make constructive changes unless he is to derive specific benefits?
Lack of accountability and support: Open source software relies on the support of users rather than a vendor and a dedicated support group. The roles and responsibilities in developing such programs are ambiguous. For critical services, this is a huge drawback as there is no accountability.
Lack of reliable sources: If the company fails to do the necessary background checks before installing a program – a likely scenario in the case of open source software – there is a high chance of leaving the door open to hackers. The reason is the presence of malware that attracts users with interesting features but, once downloaded in the absence of security policies, can corrupt the system.
Does this mean open source is not enterprise-ready?
On the one hand, the lack of commercial support for open source software and the reliance on ad-hoc help to plug bugs in the program have made many companies wary of implementing open source, swaying the market in favor of proprietary software vendors. On the other hand are big names like Amazon and Google who use open source software, debunking the myth of security barriers.
According to a recent survey by Black Duck Software, there are more than one million unique open source projects today, with a projected growth of around two million by 2014. Open source is growing in the enterprise.
Innovators in open source include popular names such as Red Hat and Netflix. Their success is a testimony to the belief that the security threats associated with open source need not be a roadblock. Experts opine that, for fear of losing credibility and because their code is open to critique from peers, developers in the open source community work with more diligence and responsibility to ensure that their code is error-free.
Companies who wish to implement open source as a part of their software stack need to follow certain rules to quell security risks.
A strong security policy: Building a strong and secure framework for security is one of the foremost rules that need to be factored in. The security policy has to be clear regarding the rules of installation of open source software and stringent measures have to be in place to safeguard the policy. The members need to be made aware of the rules and regulations in a systematic manner and any deviation should be reported and documented.
A thorough evaluation procedure: Barring a few, most open source products do not carry a CC (Common Criteria) certification. Hence, a thorough evaluation of open source products needs to be carried out by the company. The security levels need to be examined and verified to fall within the framework of the company’s security policy. The source code needs to be analyzed by either in-house experts or source code scanners for flaws and vulnerability issues such as buffer overflows, race conditions, and poor number acquisition.
Maintain enterprise environment: Any open source software that is installed must follow a standard installation procedure that is identified and deemed secure by the company. Administrators must ensure that users do not install from unknown or unverified sources, thereby maintaining the enterprise environment. As with any other software, it must also be audited and upgraded periodically.
Beware of unnecessary services: Most malware associated with open source products entices users with extra services that, although interesting, can be dispensed with. Software must be installed in the secure mode specified in the security policy, and any add-ons must require special permission from the administrator.
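As an added illustration (not part of the original article), the rules above can be expressed as an install gate that checks the source, the evaluated release and add-on permission, and returns every deviation so it can be reported and documented. The host name, package name, digest and function name are constructed for this example.

```python
import hashlib
from urllib.parse import urlparse

# Constructed sample release; stands in for a tarball that passed evaluation.
EVALUATED_RELEASE = b"constructed libexample 1.2 release"

# Hypothetical policy: host, package name and digest are made up for this example.
POLICY = {
    "approved_hosts": {"mirror.corp.example"},
    "pinned_sha256": {
        "libexample-1.2.tar.gz": hashlib.sha256(EVALUATED_RELEASE).hexdigest(),
    },
}

def evaluate_install(url, payload, addons=(), admin_approved=False, policy=POLICY):
    """Return (allowed, deviations) for one install request."""
    deviations = []
    parsed = urlparse(url)
    name = parsed.path.rsplit("/", 1)[-1]

    # Rule: install only from sources the company has identified as secure.
    if parsed.hostname not in policy["approved_hosts"]:
        deviations.append(f"unverified source host: {parsed.hostname}")

    # Rule: only evaluated software is installed, byte for byte.
    pinned = policy["pinned_sha256"].get(name)
    if pinned is None:
        deviations.append(f"{name} has no evaluation record")
    elif hashlib.sha256(payload).hexdigest() != pinned:
        deviations.append(f"{name} differs from the evaluated release")

    # Rule: add-ons require special permission from the administrator.
    if addons and not admin_approved:
        deviations.append("add-ons requested without administrator permission: "
                          + ", ".join(addons))

    # Deviations are returned so the caller can report and document them.
    return (not deviations, deviations)

if __name__ == "__main__":
    good = "https://mirror.corp.example/pkgs/libexample-1.2.tar.gz"
    print(evaluate_install(good, EVALUATED_RELEASE))
    print(evaluate_install("https://downloads.example.net/libexample-1.2.tar.gz",
                           EVALUATED_RELEASE + b" plus extra", addons=["toolbar"]))
```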
As we can see, if due diligence is done, open source is only as risky as any other software product that is brought into the company’s environment. Competition can be combated only by way of innovation, and open source provides the necessary environment. The advent of Cloud and Big Data has made vendors more welcoming towards open source.