What’s The Problem With Open-Source Software & Cybersecurity?


The Internet runs on open-source software (OSS). It’s probably fair to say that open source is everywhere. The Linux kernel, one of the building blocks of open source, is embedded in everything from most supercomputers and cloud computing platforms to billions of phones and most operating systems.

“Open Source” software, as its name suggests, is available to anyone, and that openness makes it particularly hard to track what is happening in the code at all times. This, in turn, leads to the potential for unique - and serious - cybersecurity vulnerabilities.

What Is Open-Source Software?

While proprietary code (not freely available on the internet) isn’t inherently more secure than open-source code (which is freely available), open source poses some familiar cybersecurity challenges. Why? Because, as the name suggests, it’s open, leaving potential windows for hackers or other bad actors to infiltrate. In fact, some reports suggest that up to 70%-90% of any “software stack” consists of third-party code. What can go wrong? You need only look as far as the SolarWinds saga: once bad actors implant malware in what appears to be legitimate software, the update process itself becomes the channel for mass dissemination of that malware.

Vulnerabilities range widely, but two stand out: failing to manage library dependencies (by keeping dependencies up to date, developers can take advantage of bug fixes, security patches and new features, and reduce security vulnerabilities) and bad-faith actors (people who intentionally break into systems, or contributors who intentionally change the software to make it exploitable).

So, who’s concerned? The military, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Google, DARPA, to name a few. According to a report in a 2022 issue of MIT Technology Review, “Much of modern civilization now depends on an ever-expanding corpus of open source code because it saves money, attracts talent, and makes a lot of work easier.”

But while the open-source movement has spawned an ecosystem we all depend on, experts say we do not fully understand it. The MIT Technology Review report goes on to say, “there are countless software projects, millions of lines of code, numerous mailing lists and forums, and an ocean of contributors whose identities and motivation are often obscure, making it hard to hold them accountable.”

None of this seems to have slowed the rush to open source. A recent report from the Linux Foundation and The Laboratory for Innovation Science at Harvard estimated that OSS comprises 80-90% of any given software package; this number is likely to continue to grow. Red Hat’s “The State of Enterprise Open Source” report found that “79% of respondents expect that over the next two years, their organization will increase use of enterprise open source software for emerging technologies.” In the past two decades companies have used open source code with increasing frequency, and companies are increasingly contributing to open-source projects that they use, even collaborating with competitors.

Clear guidelines do exist for best practices related to any kind of secure software, open or otherwise, and include: code reviews, scanning for vulnerabilities, visibility into the system, knowing the attack surface, having zero-trust architecture, and red teaming. These are just some of the ways that code, packages, and systems can be evaluated for security. Ultimately, security requires an in-depth knowledge of the system and how the various parts interact with one another.

Advantages & Disadvantages

The key advantage of open-source software is that the source code is available for inspection by anyone. According to Netsec.news, “that means anyone can check the code to find out if best practices have been followed and can see for themselves if the coding is sloppy. Importantly, with open source, it is possible to see exactly what the software does. If the source code cannot be checked [such as proprietary software], there is no alternative other than to trust that developers have been diligent, and the company has not incorporated code that performs functions that are hidden from the user.” Having a large and active community of users is a vulnerability, but it also means that, with so many people looking for security gaps, potential issues are quickly identified.

Knarik Petrosyan, writing for Security Boulevard, reports that businesses use third-party open-source software because it is more cost-effective and flexible than paid-for development solutions. In fact, most organizations use some form of community-borne software, even without knowing it. It can increase the speed of development and decrease the costs. Petrosyan goes on to say, “Created voluntarily, OSS has code available for public inspection, modification, and enhancement. It’s used for various processes and tools, often to augment in-house proprietary code.” Corporations from the smallest to the largest have used and do use OSS.

An important question was posed in a 2021 MIT Technology Review article: “If the internet runs on free open source software, then who is paid to fix it?” Volunteer-run projects like Log4J keep the internet running. The result is unsustainable burnout for the maintainers, and a national security risk when those projects go wrong. The Log4J project is an open-source tool used widely to record activity inside various types of software. It helps run applications from iCloud to Twitter.

The Log4J vulnerability is extremely easy to exploit, even though the library has been a crucial piece of internet infrastructure, and the response was made more complicated by the fact that the project was founded and run as a volunteer effort.

Early attacks came from kids who pasted malicious code into Minecraft servers. Hackers, including some linked to China and Iran, are now seeking to exploit the vulnerability in any machine they can find that’s running the flawed code. Jen Easterly, director of the US Cybersecurity and Infrastructure Security Agency (CISA), has said this is “one of the most serious flaws” she’s ever seen. Developer Filippo Valsorda, at Google, echoed these concerns, stating, “Open-source runs the internet and, by extension, the economy…it is extremely common even for core infrastructure projects to have a small team of maintainers, or even a single maintainer that is not paid to work on that project.”

Unique Implications For The Military

As reported in the July 2022 MIT Technology Review, DARPA, the US military’s research arm, is working to understand the collision of code and community that makes open-source projects work. The idea behind the project is to find out more about how the system functions, the better to predict potential risks. To this end, DARPA’s “SocialCyber” program is an 18-month-long, multimillion-dollar project that will combine sociology with recent technological advances in artificial intelligence to map, understand, and protect these massive open-source communities and the code they create. According to the Review, “It’s different from most previous research because it combines automated analysis of both the code and the social dimensions of open-source software.”

Speaking in that same July 2022 MIT Technology Review report, Sergey Bratus, the DARPA program manager behind the project, said “The open-source ecosystem is one of the grandest enterprises in human history.” Open-source software is inextricably linked to critical infrastructure, and Bratus went on to say that open source underpins “The systems that run our industry, power grids, shipping, transportation.”

This is a special concern for the military, because critical code could be written by our adversaries and the stakes of possible security breaches are incredibly high.

To try and get a handle on this problem, DARPA, through the SocialCyber Program, has contracted with multiple teams of what it calls “performers,” including small, boutique cybersecurity research shops with deep technical chops. One such performer is New York–based Margin Research, which has put together a team of well-respected researchers for the task. “There is a desperate need to treat open-source communities and projects with a higher level of care and respect,” said Sophia d’Antoine, the firm’s founder.

Margin’s work maps out who is working on what specific parts of open-source projects. For example, Huawei is currently the biggest contributor to the Linux kernel. Another contributor works for Positive Technologies, a Russian cybersecurity firm that, like Huawei, has been sanctioned by the US government. In many cases the open source that we all depend on is literally run by one or two volunteers. This makes a lot of existing infrastructure very fragile: it depends on open source, and the basis of that software could be run by someone who simply quits one day. That is what happened in 2018, when a developer behind a popular open-source project called UA-Parser-JS quit, unwilling to work for free anymore. The software was later hijacked by malicious actors who inserted critical vulnerabilities into it.

In Open Source We Trust

We’ve created this illusion of trust around open-source software and its code. As the military, governments and others are only now realizing, we assume open source will always be there because it has always been there. However, as d’Antoine from Margin Research went on to say, “the government is only just realizing that our critical infrastructure is running code that could be literally being written by sanctioned entities. Right now.”

See What CYRIN Can Do

As is the case with all issues surrounding cybersecurity, the risks and benefits of open-source software will no doubt continue to evolve.

At CYRIN we know that as technology changes, a cybersecurity professional needs to develop the skills to evolve with it. We continue to evolve and develop solutions with “hands-on” training, and our courses teach fundamental solutions that integrate actual cyber tools from CYRIN’s labs, allowing you to practice 24/7, in the cloud, with no special software required.

These tools and our virtual environment are perfect for a mobile, remote workforce. People can train at their own pace, with all the benefits of remote work, remote training, and flexibility. Cyber is a team effort; to see what our team can do for you, take a look at our course catalog, or better yet, contact us for further information and your personalized demonstration of CYRIN.


Take a test drive and see for yourself!
