A view on open-source software security
Understanding the risks and benefits of open-source software
Open-source software is the backbone of the internet. The Linux and BSD operating systems are embedded in millions of unique devices, and curl is the most shipped piece of software ever, with an estimated 10 billion installs across computers, phones, consoles, printers, and cars.
A community development model has proven itself to be stable, to ship features, and to provide a strong basis to build upon. Yet in the context of technology provision for government, there are legitimate concerns about the security risks posed by software with a non-commercial background.
A common view is that ‘open-source’ means ‘less secure’ because anyone can modify it, and anyone can read and find the vulnerabilities.
This argument isn’t entirely right or wrong. Indeed, whilst having the source openly available makes it easier for threat actors to find vulnerabilities, it equally provides an opportunity for outside developers to spot and fix them.
If we consider the converse, that closed-source software must be more secure, then evidence suggests that this isn’t necessarily the case. The MITRE CVE® project has been tracking vulnerabilities across the software ecosystem since 1999 and contains over 250,000 entries from both closed and open-source components, most of them open. Although a useful source, it is not entirely representative of the closed-source landscape; whilst open projects must notify MITRE to get a CVE assigned for a bug, private companies are not required to. As such, issues discovered internally are not necessarily publicised and fixes can be pushed out under the heading of "miscellaneous bug fixes and improvements".
We know these issues exist because when they do become public, they become big news. In 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) published a report listing the 30 most widely exploited vulnerabilities. Only two of the issues were from open-source projects.
This isn't a matter of reach - the "Log4shell" vulnerability from the Apache log4j project was the single most exploited bug precisely because of its almost ubiquitous usage in both open-source and closed-source Java software.
There is a downside to choosing an open project to build from – you’re not paying anything, so you’re not paying for support and risk management. For small businesses and hobby projects, posting for help on a forum might be sufficient, but this is a significant and understandable risk for government customers: when you’re trying to build something long-lasting and stable, the support lifecycle is critical.
This is where system integrators play a critical role. Underpinned by specialist expertise in software, integrators should take on that risk and provide the requisite support and training to government customers and end users through life.
Importantly, open-source also helps to mitigate vendor lock-in. Even if customers wish to keep using the same database engine under the hood, other integrators or consultants should be able to step in and work with it, as the same technology is accessible to everyone.
So, whilst there are legitimate concerns regarding the security and stability of open-source software, there are considerable benefits. With the community development model providing a strong ecosystem of expertise to build upon, open-source software is a critical element of modern, dynamic technology provision.