Can open source software be secure?

esteria.white

Secure coding, enterprise security

Or does massive public participation just open the door to problems? And how does open source software compare to proprietary software in terms of security?

There are – and always will be – vulnerabilities in software. Just as there is no such thing as perfect security, there is no such thing as a perfect code base. This raises the question: what is the best way to resolve software problems, especially at scale? As is often the case with security questions, the answer is “It depends.”

Who let the bugs out?

Open source software allows everyone – for better or worse – to take a look under the hood and, hopefully, resolve security or functionality issues. But they could also introduce backdoors that go unnoticed, sometimes for years, according to a 2022 study published at the 31st USENIX Security Symposium.

Closed-source software, on the other hand, relies on the secrecy of its source code and the expertise of its own software developers, a sort of internal secret sauce, hopefully maintained by experts with a solid reputation in security matters, whose know-how is at least good enough to retain customers and stay in business. Whether or not they make their source code available, developers can benefit from documents such as the OWASP Top 10 and the SEI CERT Coding Standards that promote secure coding practices.

Even though open source software has roots in the 1950s, it was not until the early 1980s that software was considered copyrightable in the United States. One consequence of this was that many vendors who had previously provided source code as part of their products stopped doing so. In the 1980s and 2000s, some software companies such as Microsoft viewed open source software as a kind of existential threat to their business, before embracing it in the 2010s.

Today, Big Tech increasingly promotes public-private collaboration on open source software security, to the point that the White House took a look at its security in 2022, perhaps prompted by the widespread exploitation of vulnerabilities in open source software. During the writing of this article, CISA announced the publication of its security roadmap for open source software, highlighting both its recognition of the importance of open source software in the technology ecosystem and its commitment to helping secure it.

Closed-source software companies also have the option of assigning someone the task of updating software for issues as they arise. Open source generally relies more on crowds of volunteers who jump in and fix problems as they arise, a property known as Linus’ law: “given enough eyeballs, all bugs are shallow.” But because volunteers are hard to assemble, it’s harder to get them to do the day-to-day work of fixing bugs in a timely manner – the part of security that isn’t glamorous – and updates can fall behind schedule. However, this could change: bug bounty programs offered by Google, Hunter and others are a way to monetize finding and fixing open source software vulnerabilities.

The reality of modern software falls somewhere in between, since many closed-source projects rely heavily on piles of open-source “scaffolding” software to do the basics before adding their own secret sauce on top. It makes sense, for example, not to build an email app from scratch to send administrative notifications: there are well-tested open source projects that can easily handle this.

Conversely, some more open source-oriented companies actively contribute to open source software projects that they deem important, and because they have commercial clients, their commercial income allows them to employ someone whose job is to fix bugs.

But this strange confluence of forces can still allow for problems like the Log4j vulnerabilities, which can weaken infrastructure and potentially act as a backdoor into the entire stack you are using, whether a given product is open, closed, or, most likely, something in between.

A side effect of open source software is that it helps entire communities spring up around things like communications software that aims to act securely, since they don’t need to build everything from scratch to try to get the cryptography right.

This is what some of the most popular privacy software projects in the world do, like Proton and Signal, each with a solid reputation and track record of keeping things private and secure.

The authors of Signal invite anyone to review their code, and since personal messaging is a very important function for society, many security researchers focus on just that, because a vulnerability or cryptographic weakness can have very serious consequences.

Switzerland-based Proton got its start in the ultra-secure email space, then expanded into a number of other services around protecting user identity – another extremely important function for society, with serious consequences in the event of an error.

Lest you think that closed software has a better track record, even the world’s most widely used closed software can contain vulnerabilities for years or even decades. Consider CVE-2019-0859. Discovered by Kaspersky Lab, it’s a use-after-free vulnerability found across ten years of Microsoft Windows operating systems, from Windows 7 to Windows 8 to Windows 8.1 and Windows 10 on the desktop side, and Windows Server versions 2008 R2, 2012, 2012 R2, 2016 and 2019.

The devil is in the details

The truth is that neither open source nor closed source software is inherently more secure than the other. What matters is the process by which software is developed and fixes are implemented for vulnerabilities. The reliability of these patches and how quickly they can be deployed are what organizations should focus on when determining their security posture, not the type of software license.

Ultimately, it depends on the responsiveness of the host organization to the broader security community. ESET, for example, contributes significantly to the MITRE ATT&CK® Framework and provides many other security tools that are often free or open source.

In the hybrid world of software, almost always a mix of open source and closed source software, this becomes the litmus test: whether the company or organization is open to suggestions and contributions, and whether it reinvests in the security community. There’s a saying about the company you keep: make sure your software vendors are in good company, and the rising tide of security will lift all digital ships. And while perfect security remains elusive, large teams with good reputations can certainly help.