Just how secure is open source software?
Open source software fosters innovation and inclusion, but what about the security, asks Asavin Wattanajantra.
Open source software is mainstream. Applications such as Firefox and the Linux operating system have been available for quite some time, and even the government is aware of the potential significant benefits.
A Cabinet Office report published in April last year stated: “Typical benefits of open source software include lower procurement prices, no licence costs, interoperability, easier integration and customisation, fewer barriers to reuse, conformance to open technology and data standards giving autonomy over your own information, and freedom from vendor lock-in.”
The US government is also a vocal supporter of open source software. Examples of recent initiatives include whitehouse.gov, the Federal Register and data.gov. Much of the internet is run using open source tools such as Linux, Apache, PHP and MySQL, while a plethora of companies have found good business cases for using open source software. Don Smith, director of technology at Dell SecureWorks, says the main reason businesses would pick free and open source software (FOSS) over proprietary technology is to save money. He also suggests that open source software frequently offers greater innovation than proprietary systems.
Smith says that even if FOSS were to be backed by a commercial entity (such as Red Hat), businesses could benefit from community versions of software products or go for ‘enterprise’ versions on a subscription basis. He adds that traditional software vendors have been slow to adopt sensible pay-as-you-go pricing models, leaving the door ajar for the suppliers of commercially supported open source alternatives.
“From a functional perspective, a great deal of FOSS has evolved out of communities using software for a particular reason – if you can achieve it, end-users directly driving software solutions is a good thing. This results in software that is fit for purpose and focused on solving real problems,” Smith explains.
Myths and truths
So there are good reasons to go for open source software, but what about security? Many people view open source software as something that can be changed or edited by anybody, much like a Wikipedia entry. That generally isn't the case, however, as open source communities usually have mechanisms in place to prevent such random tinkering – for example, submitting new code to a peer review before it is entered into a particular project. Furthermore, Smith says one of the most common misconceptions about FOSS is the belief that it is written by amateur coders – again, typically untrue.
“The vast majority of FOSS is written by software professionals, very often employed by a company that is making money from that same software, either through subscriptions, support or professional services. It is obviously in the interest of these businesses to ensure their software works well and their coding is of high quality,” he says.
Paul Wander, co-founder of open source web development company Inviqa, also rejects the idea of open source developers as ‘lone geeks’ producing a niche technology irrelevant to large enterprises.
“Many open source projects have been developed and made available by some of the industry's most prolific and talented engineers, and are often based on a revolutionary technical thesis that advances the capabilities of the industry. These projects go beyond solving small-scale problems,” he says.
Wander doesn't see any defining factor that would specifically make open source systems less secure than proprietary ones. He argues that security comes down to the software's quality – something that varies across both types.
“Security exploits are often a symptom of user error or a lack of user understanding on the part of the software engineer. All software will include security exploits; they are just yet to be discovered,” he says. “For example, hashing algorithms commonly used to generate secure password hashes are now defined as insecure due to the performance improvements in modern computers. Systems that would previously have been classified as secure now need to be re-evaluated. Open source projects often react to these changes much more quickly, providing solutions to users.”
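Wander's point about password hashes that were once considered secure being overtaken by faster hardware can be made concrete. The following is an added example written for this article, not code from Inviqa or anyone quoted here: it contrasts a single unsalted hash (fast enough to guess at very high rates) with a salted, iterated key derivation (PBKDF2-HMAC-SHA256 from Python's standard library) whose cost is stored alongside the hash, so the iteration count can be raised as machines get faster and old hashes can be detected and upgraded. The storage format and the `MIN_ITERATIONS` policy value are assumptions made for the example.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Optional

# Assumed site policy (constructed for this example): the minimum work factor
# a stored hash must meet today. Raise it as hardware gets faster.
MIN_ITERATIONS = 600_000
SALT_BYTES = 16


def legacy_hash(password: str) -> str:
    """The kind of scheme that was once 'good enough': one unsalted SHA-1."""
    return hashlib.sha1(password.encode()).hexdigest()


def hash_password(password: str, iterations: int = MIN_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256; the work factor is stored with the hash.

    Assumed storage format: algo$iterations$salt_hex$dk_hex
    """
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def needs_rehash(stored: str, min_iterations: int = MIN_ITERATIONS) -> bool:
    """True when a hash was made under an older, weaker policy.

    Call this after a successful login and re-hash with the current policy,
    which is how a system 'reacts' to faster hardware without a password reset.
    """
    return int(stored.split("$")[1]) < min_iterations


def attempts_per_second(hash_fn: Callable[[str], str], seconds: float = 0.25) -> float:
    """Rough guessing rate on this machine: how many candidates per second
    an attacker holding the stored hash could try with this scheme."""
    start = time.perf_counter()
    n = 0
    while time.perf_counter() - start < seconds:
        hash_fn(f"guess{n}")
        n += 1
    return n / (time.perf_counter() - start)


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print("verify ok:", verify_password("correct horse battery staple", stored))
    print("verify wrong:", verify_password("tr0ub4dor", stored))
    old = hash_password("correct horse battery staple", iterations=10_000)
    print("old hash needs rehash:", needs_rehash(old))
    print(f"legacy sha1 guesses/s: {attempts_per_second(legacy_hash):,.0f}")
    print(f"pbkdf2 guesses/s:      {attempts_per_second(hash_password):,.1f}")
```

The measured rates will differ from machine to machine; the point is the ratio between them, and that the iterated scheme lets you move the cost upward later by changing one number rather than redesigning the system.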
Lamar Bailey, director of security research and development at nCircle, says: “From a security standpoint, open source software is a double-edged sword with both benefits and drawbacks, centred on the fact that anyone can download it and review the code.”
Swings and roundabouts
Companies can audit open source code for security problems before deploying it, to make sure it meets their standards. The same access, however, lets attackers study the code themselves in search of holes that can be exploited.
Bailey adds: “Popular open source software packages with hundreds of contributors reviewing and modifying the code are more likely to be secure because some of the contributors are probably security-savvy, so the likelihood that they will find and fix security issues is high. Less popular open source software with fewer contributors may not undergo the same scrutiny and may be more likely to contain easily exploitable vulnerabilities.”
James Lyne, director of technology strategy at Sophos, agrees that judging the relative security merits of open source and proprietary software is complicated. “It really depends on the software and the developers. Commercial software typically has the benefit of support, maintenance and an ongoing vendor relationship driving to rectify faults,” he states. “That said, many commercial organisations have hidden behind the closed nature of their code and relied on obscurity to prevent security defects being discovered – a strategy that Adobe and Oracle have shown to be painful.
“Open source software, on the other hand, doesn't tend to come with a committed support strategy or SLAs, but does tend to have a passionate group of maintainers. But then there is the issue of transparency and the code being open to all – this is one of the biggest areas of controversy and argument between security practitioners. Some would argue that the code being available to all is a security problem because that makes it easier for attackers to identify and then exploit faults.”
Lyne points out, however, that while having open access to source code could accelerate vulnerability discovery, such vulnerabilities could also be found by a persistent attacker in a closed source binary. The difference – and main benefit – he adds, is that open source code is visible for security professionals to spot mistakes; furthermore, potential users can assess the quality of the code before implementation.
“I find it pays to consider the nature of the software you will be using before assuming that open source will be more or less secure than a commercial equivalent,” Lyne says. And on the matter of open source software being seen as the cheaper option, he warns: “This is not a clear-cut argument. Yes, if you have skilled Linux administrators, there are a wide variety of open source solutions that are better than their commercial equivalents. If you don't have the right expertise, however, you could quickly find your service unpatched, unmaintained and vulnerable – as demonstrated by the stream of infected small business websites running LAMP that we find every day.
“Open source solutions can also provide greater configurability and extensibility than commercial ones, although again this relies on the expertise to use them effectively and is quickly becoming blurred as agile development methodologies weave their way into more commercial development organisations.”
Pros and cons
Rafael Laguna, CEO of software firm Open-Xchange, is, not surprisingly, an advocate of open source. “The internet and all of its vital parts are built from open source software; all significant security infrastructure used in banks and by governments is also based on open source software,” he says. “While this is not an argument for the quality of software, it does illustrate that general arguments against the viability of open source software in the security arena lack a solid foundation.”
Laguna adds that a piece of software's licensing model has nothing to do with the level of security it provides, and that while open source offers the chance for anybody to develop rapid fixes, organisations running proprietary systems are solely reliant on the vendor to issue a patch.
“There is an argument that if source code and security issues were not open to public scrutiny, security could be higher. However, this argument ignores the evolution process of software,” he says. “There is no basis for the assumption that software that evolves more slowly is more robust. It all comes down to the people and processes producing the software. If the same people with the same skills, using the same processes, were to produce software under both a proprietary model and an open source model, the results would likely be the same. Open source projects, however, can have the advantage of a peer review from a large community of knowledgeable supporters, and this cannot be understated.”
And what of patches when a vulnerability is exposed? Lyne states: “In truth, it really depends on the contributors and the project. Some projects are incredibly responsive and endeavour to follow best practice wherever possible. Others have a collection of part-time contributors with insufficient code coverage to offer the required service levels for many businesses. Much like assessing a commercial vendor, you will need to identify for a given project how active the community is, how quickly it responds and its likely longevity. The good news is that in true open source fashion, this information tends to be visible, so you can assess based on past performance.”
Conrad Constantine, research team engineer at AlienVault, concurs. “Some projects and their communities are better than others. Open source is not all or nothing. In general, the more widely used the project and the more people regularly contributing code to it, the more responsive it will be,” he comments. “Particularly interesting or harmful vulnerabilities can also encourage patches from individuals who do not regularly contribute to that project.
“Some major software vendors have, in the past few years, actually accelerated past the open source community in terms of turnaround time on providing security patches. Credit where it's due.”
Smith says that when considering the open source route, businesses should carefully assess the software and ensure that the project is healthy. They need to question the strategy behind the software, how many people are using it, and if the project is being regularly maintained. This would allow a business to feel confident that there is an active community to call on, and that any vulnerabilities will be patched quickly.
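Much of what Smith and Lyne describe (is the project regularly maintained, how many people contribute, how responsive is it) can be read straight from a project's commit history. The following is an added example written for this article, not a tool from Dell SecureWorks or any project mentioned here: it takes the output of `git log --format='%aI|%ae'` (ISO-8601 author date and author e-mail, one commit per line), and reports days since the last commit, the number of distinct authors active in a window, and how concentrated recent work is in one person. The sample log lines, the reference date and the thresholds for the warning flags are constructed assumptions; user counts and download figures are not in a git log and still have to come from elsewhere.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Constructed sample of `git log --format='%aI|%ae'` output for a healthy project.
ACTIVE_LOG = """\
2012-03-28T09:12:00+00:00|alice@example.com
2012-03-27T17:40:00+00:00|bob@example.com
2012-03-20T11:05:00+00:00|alice@example.com
2012-03-14T08:30:00+00:00|carol@example.com
2012-03-02T15:22:00+00:00|alice@example.com
2012-02-18T10:00:00+00:00|bob@example.com
2012-02-03T09:45:00+00:00|alice@example.com
2012-01-20T13:15:00+00:00|alice@example.com
"""

# Constructed sample for a project that has gone quiet with one maintainer.
STALE_LOG = """\
2011-06-10T12:00:00+00:00|dave@example.com
2011-05-02T12:00:00+00:00|dave@example.com
"""

# Fixed reference date so the assessment is reproducible (assumed, not 'today').
NOW = datetime(2012, 4, 1, tzinfo=timezone.utc)


def parse_log(text: str) -> List[Tuple[datetime, str]]:
    """Parse 'date|author' lines; skip blank or malformed lines rather than crash."""
    commits = []
    for line in text.splitlines():
        if "|" not in line:
            continue
        date_s, author = line.split("|", 1)
        commits.append((datetime.fromisoformat(date_s.strip()), author.strip().lower()))
    return commits


def assess_project(log_text: str, now: datetime = NOW, window_days: int = 180,
                   stale_after_days: int = 90, min_active_authors: int = 3,
                   max_top_author_share: float = 0.75) -> Dict[str, object]:
    """Summarise maintenance activity and raise flags against assumed thresholds."""
    commits = parse_log(log_text)
    if not commits:
        return {"flags": ["no_history"]}
    cutoff = now - timedelta(days=window_days)
    recent = [c for c in commits if c[0] >= cutoff]
    authors = Counter(author for _, author in recent)
    last_commit = max(date for date, _ in commits)
    days_since_last = (now - last_commit).days
    top_share = (authors.most_common(1)[0][1] / len(recent)) if recent else 0.0

    flags = []
    if days_since_last > stale_after_days:
        flags.append("stale")                    # nobody has committed recently
    if len(authors) < min_active_authors:
        flags.append("few_active_contributors")  # little peer review capacity
    if recent and top_share > max_top_author_share:
        flags.append("single_maintainer")        # patching depends on one person

    return {
        "days_since_last_commit": days_since_last,
        "recent_commits": len(recent),
        "active_authors": len(authors),
        "top_author_share": round(top_share, 3),
        "flags": flags,
    }


if __name__ == "__main__":
    for name, log in (("active", ACTIVE_LOG), ("stale", STALE_LOG)):
        print(name, assess_project(log))
```

To run it against a real checkout, feed `subprocess.run(["git", "log", "--format=%aI|%ae"], capture_output=True, text=True).stdout` into `assess_project` and replace `NOW` with `datetime.now(timezone.utc)`. The thresholds are deliberately parameters: what counts as "healthy" for a kernel subsystem differs from a small library, so set them per project rather than trusting the defaults here.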
He adds: “Another area of concern is intellectual property leakage – the licensing terms of FOSS need careful inspection. There are a handful of common licensing regimes in place. The most open is also the most restrictive – the GPL. This licence mandates that any changes to the software must be shared with the community.
“This can get complex, where potentially the use of a FOSS library, protected by the GPL, can ‘pollute’ a software project and create a potential IP exposure. Organisations intending to use FOSS as part of a wider project must consider the legal implications.”
Constantine concludes: “Make sure your personnel are keeping abreast of information about the software you use – open source software doesn't have a vendor calling you to tell you to use their new emergency patch.
“Your technical personnel have to be aware of available information about the software that supports your business, not expecting to have that information given to them, as occurs with vendor-supported products.”