How safe are apps built on Open Source? Is security traded for efficiency?
Many enterprises are embracing open source software (OSS) at a fast pace, but do such solutions match up against enterprises' internal applications in terms of security, robustness, maintainability, and efficiency?
There is no doubt that the latest software solutions allow companies to improve end-user satisfaction, cut back operational delays, prevent business disruption, and reduce cost. Researchers at CAST observed that even though the adoption of software solutions is quite healthy, companies are now prioritising the adoption of open source software instead of developing software solutions on their own.
This is because open source software is, on average, more maintainable than in-house apps, has fewer lines of code per file, is more cost-effective, and is generally of better quality than in-house solutions.
However, a study of 61 popular open source applications built on JEE, C/C++/C#, and PHP containing 75,000 source files and 8.96 million lines of code by CAST revealed that open source software scores lower compared to in-house apps on efficiency, that some high-performance open source solutions have system-level security flaws, and that Blockchain apps, despite being highly robust, are neither secure nor efficient.
"It's incredibly important for organisations to have visibility into the quality of open source software that supports business applications. As we saw with the Struts vulnerabilities that ultimately brought down Equifax, software quality issues that prevail in open source components are more easily exploitable by hackers," said Lev Lesokhin, EVP of strategy and analytics at CAST.
The firm observed that open source software is generally four times smaller than in-house apps in terms of lines of code, which makes it less cumbersome and easier to manage. However, it also noted that frameworks, the most commonly reused OSS components in IT systems, are quite complex and easy to misuse, and that developer tools have also grown in size and complexity in recent years.
At the same time, while OSS solutions generally score better than in-house IT systems, the latter perform better on the critical efficiency rules that affect performance and end-user experience. In terms of robustness, CAST noted that Blockchain, Cloud/DevOps, and Programming Language projects performed better than Database and Security projects.
While analytics projects scored 99.2 percent on security critical rules, blockchain, database, and programming language projects scored less than 90 percent, with databases faring worse than deliberately bad apps. Security, database, and blockchain projects were also found lacking when it came to demonstrating efficiency.
"Looking at all 61 projects in the sample through a security lens presents an intriguing picture. As the numbers in the prior category would suggest, there are many projects that fare worse on security compliance than the standard bad-security applications.
"Some projects are worse than all four bad apps in the sample. We know these findings are not all definitive vulnerabilities, but they are directional. And where there's smoke, there's always fire," the firm concluded. In other words, a large number of OSS projects scored worse on security than applications that were purposely built to be insecure.
Commenting on the findings based on a detailed analysis of open source software projects, Ed Williams, director EMEA for SpiderLabs at Trustwave, said that he generally didn't agree with the assertion that open source applications perform worse in terms of security.
"Having seen at first hand both OSS and in-house IT applications I'm not sure if I agree that OSS perform worse in terms of security; I wonder if in-house IT are not being as forthcoming as they should," he said.
"I've seen examples of good and bad OSS and in-house applications. One of the benefits of OSS is that it is highly scrutinised in terms of security. A universal fact and widely agreed principle is that all software will have bugs of varying degrees; look at the work of Dijkstra as an example of this: 'Testing shows the presence, not the absence of bugs'.
"Mature organisations will of course consider security as well as other business decisions, less mature organisations less so – a lot of this comes down to user awareness, not just end-user awareness but for the techies too.
"All too often we see skilled engineers making basic security issues and not understanding the impact or ramifications of their decisions; as an industry it is our responsibility to ensure that Secure Development Lifecycle (SDLC) and general security principles are understood, and why they are there in the first place," he added.
Williams was asked whether enterprises should treat security as the determining parameter when choosing their applications, or whether they should focus only on efficiency and maintainability. He said that he doesn't believe security should be the determining parameter, but that it should be part of the business decision alongside other aspects such as cost and engineer experience.
"There is no reason why an insecure PHP OSS product could not be made 'more secure' by an engineer who knew PHP security well," he said.