What’s The Problem With Open-Source Software & Cybersecurity?

Promotion

The Internet runs on open-source software (OSS). It’s probably fair to say that open source is everywhere. The Linux kernel, one of the building blocks of open source, is literally embedded in everything from most super computers, cloud computing, billions of phones, and most operating systems.

“Open Source” software, as its name suggests, is available to anyone and it poses a particular challenge in tracking down what is happening at all times. This, in turn, leads to the potential for unique - and serious - cybersecurity vulnerabilities.

What Is Open-Source Software?

While proprietary code (not freely available on the internet) isn’t inherently more secure than open-source code (which is freely available), open-source poses some familiar cybersecurity challenges. Why? Because, as the name suggests, it’s open, leaving potential windows for hackers or other bad actors to infiltrate. In fact some reports suggest up to 70%-90% of any “software stack” consists of third party code. What can go wrong? Well, you need only look as far as the SolarWinds saga to know that once bad actors implant malware in what appears to be legitimate software and updates occur, that software can result in mass dissemination of malware.

Vulnerabilities range widely, but two include failing to manage library dependencies (by keeping dependencies up to date, developers can take advantage of bug fixes, security patches, new features, and reduce security vulnerabilities) and bad-faith actors (people that intentionally break into systems, or contributors intentionally changing the software to be exploitable).

So, who’s concerned? The military, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Google, DARPA, to name a few. According to a report in a 2022 issue of MIT Technology Review, “Much of modern civilization now depends on an ever-expanding corpus of open source code because it saves money, attracts talent, and makes a lot of work easier.”

But while the open-source movement has spawned an ecosystem we all depend on, experts say we do not fully understand it. The MIT Technology Review report goes on to say, “there are countless software projects, millions of lines of code, numerous mailing lists and forums, and an ocean of contributors whose identities and motivation are often obscure, making it hard to hold them accountable.”

None of this seems to have slowed the rush to open source. A recent report from the Linux Foundation and The Laboratory for Innovation Science at Harvard estimated that OSS comprises 80-90% of any given software package; this number is likely to continue to grow. Red Hat’s “The State of Enterprise Open Source” report found that “79% of respondents expect that over the next two years, their organization will increase use of enterprise open source software for emerging technologies.” In the past two decades companies have used open source code with increasing frequency, and companies are increasingly contributing to open-source projects that they use, even collaborating with competitors.

Clear guidelines do exist for best practices related to any kind of secure software, open or otherwise, and include: code reviews, scanning for vulnerabilities, visibility into the system, knowing the attack surface, having zero-trust architecture, and red teaming. These are just some of the ways that code, packages, and systems can be evaluated for security. Ultimately, security requires an in-depth knowledge of the system and how the various parts interact with one another.

Advantages & Disadvantages

The key advantage of open-source software is that the source code is available for inspection by anyone. According to Netsec.news, “that means anyone can check the code to find out if best practices have been followed and can see for themselves if the coding is sloppy. Importantly, with open source, it is possible to see exactly what the software does. If the source code cannot be checked [such as proprietary software], there is no alternative other than to trust that developers have been diligent, and the company has not incorporated code that performs functions that are hidden from the user.” Having a large and active community of users is a vulnerability, but it also means that with the volume of people looking for security gaps potential issues are quickly identified.

Knarik Petrosyan, writing for Security Boulevard, reports that businesses use third-party open source software because it is more cost-effective and flexible than paid-for development solutions. In fact, most organizations use some form of community-borne software, even without knowing it. In can increase the speed of development and decrease the costs. Petrosyan goes on to say, “Created voluntarily, OSS has code available for public inspection, modification, and enhancement. It’s used for various processes and tools, often to augment in-house proprietary code.” Corporations from the smallest to the largest have used and do use OSS.

An important question was posed in a 2021 MIT Technology Review article: “If the internet runs on free open source software, then who is paid to fix it?” Volunteer-run projects like Log4J keep the internet running. The result is unsustainable burnout, and a national security risk when they go wrong. The Log4J project is an open-source tool used widely to record activity inside various types of software. It helps run applications from iCloud to Twitter.

The vulnerability of Log4J, although it has been a crucial piece of internet structure, is extremely easy to exploit, made more complicated by the fact that it was founded as a volunteer project.

Early attacks came from kids who pasted malicious code in Minecraft servers. Hackers, including some linked to China and Iran, are now seeking to exploit the vulnerability in any machine they can find that’s running the flawed code. Jen Easterly, director of the US Cybersecurity and Infrastructure Security Agency (CISA), has said this is “one of the most serious flaws” she’s ever seen. Developer Fillipp Valsorda, at Google, echoed these concerns, stating, “Open-source runs the internet and, by extension, the economy…it is extremely common even for core infrastructure projects to have a small team of maintainers, or even a single maintainer that is not paid to work on that project.”

Unique Implications For The Military

As reported in the July 2022 MIT Technology Review, DARPA, the US military’s research arm, is working to understand the collision of code and community that makes open-source projects work. The idea behind the project is to find out more about how the system functions, the better to predict potential risks. To this end, DARPA’s “SocialCyber” program is an 18-month-long, multimillion-dollar project that will combine sociology with recent technological advances in artificial intelligence to map, understand, and protect these massive open-source communities and the code they create. According to the Review, “It’s different from most previous research because it combines automated analysis of both the code and the social dimensions of open-source software.”

Speaking in that same July 2022 MIT Technology Review report, Sergey Bratus, the DARPA program manager behind the project, said “The open-source ecosystem is one of the grandest enterprises in human history.” Open-source software is inextricably linked to critical infrastructure, and Bratus went on to say that open source underpins “The systems that run our industry, power grids, shipping, transportation.”

This is a special concern for the military, because critical code could be written by our adversaries and the stakes of possible security breaches are incredibly high.

To try and get a handle on this problem, DARPA, through the SocialCyber Program, has contracted with multiple teams of what it calls “performers,” including small, boutique cybersecurity research shops with deep technical chops. One such performer is New York–based Margin Research, which has put together a team of well-respected researchers for the task. “There is a desperate need to treat open-source communities and projects with a higher level of care and respect,” said Sophia d’Antoine, the firm’s founder.

Margin's work maps out who is working on what specific parts of open-source projects. For example, Huawei is currently the biggest contributor to the Linux kernel. Another contributor works for Positive Technologies, a Russian cybersecurity firm that -- like Huawei -- has been sanctioned by the US government. In many cases open source that we all depend on is literally run by one or two volunteers. This makes a lot of existing infrastructure very fragile because it depends on open source, and the basis of that software could be run by someone who literally quits one day which happened in 2018 when a developer behind a popular open-source project called UA-Parser-JS quit, unwilling to work for free anymore. The software was later hijacked by malicious actors who inserted critical vulnerabilities into the software.

In Open Source We Trust

We’ve created this illusion of trust around open-source software and its code. As the military, governments and others are now just realizing, we assume it (open source) will always be there because it’s always been there. However, as D'Antoine from Margin Research went on to say “the government is only just realizing that our critical infrastructure is running code that could be literally being written by sanctioned entities. Right now.”

See What CYRIN Can Do

As is the case with all issues surrounding cybersecurity, the risks and benefits of open-source software will no doubt continue to evolve.

At CYRIN we know that as technology changes, a cybersecurity professional needs to develop the skills to evolve with it. We continue to evolve and develop solutions with “hands-on” training and our courses teach fundamental solutions that integrate actual cyber tools from CYRIN’s labs that allow you to practice 24/7, in the cloud, no special software required.

These tools and our virtual environment are perfect for a mobile, remote work force. People can train at their pace, with all the benefits of remote work, remote training, and flexibility. Cyber is a team effort; to see what our team can do for you take a look at our course catalog, or better yet, contact us for further information and your personalized demonstration of CYRIN


Take a test drive and see for yourself!



You Might Also Read: 

Cybersecurity & The New Space Race:                                                               Image: MasterTux

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 


 

« Getting Your First Cyber Security Job 
Cybersecurity Threats To Digital Banking & How to Mitigate Them »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

ANS Group

ANS Group

ANS are a strong team of straight-talking tech and business experts. Our mission is to make digital transformation accessible to all.

SecureNow Insurance Broker

SecureNow Insurance Broker

SecureNow is a commercial insurance broker based in India. Services offered include Cyber Risk insurance.

Australian Cyber Security Growth Network (AustCyber)

Australian Cyber Security Growth Network (AustCyber)

AustCyber brings together businesses and researchers to develop the next generation of cyber security products and services.

International Computer Science Institute (ICSI)

International Computer Science Institute (ICSI)

ICSI is a leading independent, nonprofit center for research in computer science. Research areas include network security and privacy.

Infowhiz solutions

Infowhiz solutions

Infowhiz provides solutions for backup/disaster recovery and network security.

Resilience First

Resilience First

Resilience First is a not-for-profit organisation, led and funded by business to strengthen collective business resilience in all areas, including cyber security.

Glilot Capital Partners

Glilot Capital Partners

Glilot Capital Partners is an Israeli seed and early-stage VC. We specialize in businesses which disrupt enterprise technology, mainly in the fields of AI, big data and cybersecurity.

Mphasis

Mphasis

Mphasis is a leading applied technology services company applying next-generation technology to help enterprises transform businesses globally.

LOGbinder

LOGbinder

LOGbinder eliminates blind spots in security intelligence for endpoints and applications.

M2MD Technologies

M2MD Technologies

M2MD Technologies offers solutions optimized for cellular IoT that provide stronger security, reduced costs, enhanced user experience, and ultimately generates higher returns for stakeholders.

Softcat

Softcat

Softcat offer a broad portfolio of IT services and solutions covering Hybrid Infrastructure, Cyber Security, Digital Workspace and IT Intelligence.

6clicks

6clicks

6clicks is an easy way to implement your risk and compliance program or achieve compliance with ISO 27001, SOC 2, PCI-DSS, HIPAA, NIST, FedRAMP and many other standards.

CrowdSec

CrowdSec

CrowdSec is an open-source & participative IPS able to analyze visitor behavior by parsing logs & provide an adapted response to all kinds of attacks.

Vancord

Vancord

Vancord is an information and security technology company that works in collaboration with clients to support their infrastructure and data security needs for today and tomorrow.

Match Systems

Match Systems

Match Systems provides blockchain investigations, KYC, KYT, AML, Due Diligence and compliance services.

Center for Technology Training (CTT)

Center for Technology Training (CTT)

CTT is a distinguished Computer Training School in Tampa. We specialize in offering comprehensive IT certification programs, including Cyber Security.