Does your organization use open-source software components in any of its internal or external facing web applications? Are you actively tracking those packages for updates and patches? Have you ever evaluated the security posture of your web applications? If you are unsure why you should care about any of this, keep reading.
Open-source software (OSS) is a type of computer software that is distributed with source code that anyone can inspect, modify and enhance. Open-source libraries and components are everywhere, and your organization probably uses more of them than you realize.
Popular examples of open-source software include:
There are many reasons an organization may adopt OSS including cost, time to market and interoperability just to name a few.
Cost - Many would argue that cost is the main driving force for selecting OSS over proprietary software (commercial or privately developed software where the source code is not publicly available). As a business, you spend more on support charges and upgrade expenses than you probably expect.
Time to Market - Open-source solutions are often much faster to investigate and get off the ground.
Interoperability - Open-source software is better at adhering to open standards. This contributes to interoperability with other businesses, computers and users.
With that said, you must be wondering what the downside is. There is an often-overlooked investment and responsibility that comes with adopting open-source software.
Is it Safe?
I guess it depends on how you define safe. Proponents of OSS will tell you that more eyes on the code result in better software, because a wide and diverse community of developers is able to review the code, identify flaws and fix them directly. However, I don't believe OSS is any more or less secure than proprietary commercial software. Having more eyes on the code isn’t enough. Many developers lack the security expertise and training to develop secure code. Furthermore, functionality is often prioritized over security in project timelines, with security being an afterthought.
With the widespread adoption of OSS, it should come as no surprise that more than 4,000 new vulnerabilities are cataloged each year. Open-source distributions are made available from a variety of sources and repositories. Providers have no way to track which version or component each individual organization may be using, which means there is no automated delivery mechanism for vulnerability notifications. Often, open-source components get reused across multiple projects within an organization, exposing unrelated applications to attack. As a result, it is the organization's responsibility to catalog the OSS packages and modules in use. Additionally, it is the organization's duty to be aware of updates to OSS libraries and to apply those updates in a timely fashion.
A perfect illustration of this involves the well-publicized Equifax breach which occurred in 2017. The breach involved vulnerable versions of the open-source software Apache Struts (a free, open-source framework for creating Java web applications). As it turns out, there was a patch available two months before the Equifax breach ever happened.
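One way to act on the cataloging duty described above: build an inventory of the components an application ships and compare it against the fixed versions published in advisories, so a patch that has been available for months (as in the Struts case) does not go unnoticed. This is an added example written for this article, not code from the article or any vendor; the manifest format, package names and advisory identifiers below are constructed placeholders.

```python
"""Inventory open-source components and flag those behind a published fix.
Manifest and advisory data are constructed samples, not real advisories."""
from dataclasses import dataclass


def parse_version(v: str) -> tuple:
    # Assumes dotted numeric versions ('2.3.31' -> (2, 3, 31)); tuples of
    # different length still compare correctly ((2, 5, 10) < (2, 5, 10, 1)).
    return tuple(int(p) for p in v.split("."))


@dataclass(frozen=True)
class Advisory:
    package: str
    fixed_in: str      # first release that carries the patch
    advisory_id: str   # placeholder ids, not real identifiers


def parse_manifest(text: str) -> dict:
    """Parse 'name==version' lines (requirements.txt style) into an inventory;
    blank lines and '#' comments are skipped."""
    inventory = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        inventory[name.strip().lower()] = version.strip()
    return inventory


def find_outdated(inventory: dict, advisories: list) -> list:
    """Return (package, installed, fixed_in, advisory_id) for each component
    whose installed version predates the fixing release."""
    findings = []
    for adv in advisories:
        installed = inventory.get(adv.package.lower())
        if installed is None:
            continue  # component not used by this application
        if parse_version(installed) < parse_version(adv.fixed_in):
            findings.append((adv.package, installed, adv.fixed_in, adv.advisory_id))
    return findings


# Constructed sample inputs (not a real manifest or advisory feed).
SAMPLE_MANIFEST = "# web app dependencies\nwebframework==2.3.31\ntemplating==1.9.0\njsonlib==3.1.2\n"
SAMPLE_ADVISORIES = [
    Advisory("webframework", "2.3.32", "ADVISORY-PLACEHOLDER-1"),  # one release behind
    Advisory("jsonlib", "3.0.0", "ADVISORY-PLACEHOLDER-2"),        # already patched
    Advisory("imagelib", "4.2.0", "ADVISORY-PLACEHOLDER-3"),       # not in use here
]

if __name__ == "__main__":
    for pkg, have, fixed, ref in find_outdated(parse_manifest(SAMPLE_MANIFEST), SAMPLE_ADVISORIES):
        print(f"{pkg} {have} is behind fix {fixed} ({ref})")
```

In practice the advisory list would come from a vulnerability feed and the manifest from each application's real lock file; the point is that the comparison runs on a schedule, per application, rather than relying on a provider to notify you.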
Your organization must ensure that effective security practices are built into everything you do. Even the best detection and alerting mechanisms in the world cannot resolve poor security practices.