What to know about open source security

Like any area of tech, open source needs its own security measures to thrive without a hitch.

A major benefit that organisations gain from using open source technology is that it is freely available and is not distributed by a single proprietor.

The ‘open source’ aspect refers to the code, which can be found within databases, applications and operating systems, among other software. This code can be changed to suit the needs of the business.

However, because that code is publicly available, it comes with its own potential vulnerabilities that hackers could exploit.

Open source applications, for all their wide range of use cases, can be compromised if those responsible for their security aren’t on top of any possible vulnerabilities.

Ben Griffin, director at Computer Disposals Ltd, explained: “Because the code used by open source projects is freely viewable, hackers can take advantage of organisations that are slow to patch their applications.

“Updating applications as soon as possible is imperative. Additionally, an inventory that tracks open source usage across teams helps with regard to visibility and transparency, as well as ensuring that different teams don’t use different versions of the same component.

“Similarly, technical employees should be careful not to copy and paste code from open source libraries, as this leaves the software susceptible to later vulnerabilities. It’s a good idea to create an open source policy that specifically forbids copying and pasting such code from other projects.”

Keep eyes on your supply chain

Companies should also be sure to keep the security of their supply chain in mind when dealing with open source tech, and not agree to use any software without carefully examining what it entails.

“The best thing to do when it comes to sharing open source code is to control your open source supply chain,” said Stefano Maffulli, senior director of digital marketing and community at Scality. “Do the ‘due diligence’ on the packages shipped, reduce dependencies as much as possible and automatically keep track of them in your CI toolchain.

“You want to avoid getting into situations like those we’ve seen recently where popular libraries were hijacked by criminals and modified to ship malware, like the “right9ctrl” fiasco in the fall of 2018, or completely removed from distribution as a political act of protest, such as the Chef scandal in the fall of 2019.”
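The two practices quoted above, an inventory of open source usage across teams and automatic tracking of dependencies in the CI toolchain, can be turned into a concrete check. The following is an added example written for this article, not code from Computer Disposals Ltd, Scality or any of the projects mentioned. It parses pip-style lockfiles for three constructed teams, reports components that different teams pin at different versions, and runs a CI gate that fails any dependency that is not hash-pinned, has not been reviewed, or whose pinned hash differs from the one recorded at review time (the signal you would want when a published package is replaced without the maintainers' knowledge). Team names, package names, versions and hashes are constructed sample data.

```python
"""Added example (not from the article): dependency inventory plus a CI
policy gate for open source components.  All team names, package names,
versions and sha256 digests are constructed sample data."""
import re
from collections import defaultdict

# pip-style requirement line: name==version --hash=sha256:<64 hex chars>
LINE_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>[^\s]+)"
    r"(?:\s+--hash=sha256:(?P<sha256>[0-9a-f]{64}))?$"
)

# Constructed lockfiles, one per team.  Digests are placeholders, not real hashes.
TEAM_LOCKFILES = {
    "payments": (
        f"requests==2.31.0 --hash=sha256:{'a' * 64}\n"
        f"pyyaml==6.0.1 --hash=sha256:{'b' * 64}\n"
    ),
    "web": (
        f"requests==2.25.1 --hash=sha256:{'c' * 64}\n"
        "leftpad-helper==1.0.2\n"  # no hash pin at all
    ),
    "data": (
        f"pyyaml==6.0.1 --hash=sha256:{'d' * 64}\n"  # differs from reviewed digest
        f"numpy==1.26.4 --hash=sha256:{'e' * 64}\n"
    ),
}

# Baseline recorded when each (name, version) was reviewed (constructed).
REVIEWED_BASELINE = {
    ("requests", "2.31.0"): "a" * 64,
    ("requests", "2.25.1"): "c" * 64,
    ("pyyaml", "6.0.1"): "b" * 64,
    ("numpy", "1.26.4"): "e" * 64,
}


def parse_lockfile(text):
    """Return a list of (name, version, sha256_or_None); reject malformed lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable requirement line: {line!r}")
        entries.append((m["name"].lower(), m["version"], m["sha256"]))
    return entries


def build_inventory(team_lockfiles):
    """Map component -> version -> sorted list of teams pinning that version."""
    inventory = defaultdict(lambda: defaultdict(set))
    for team, text in team_lockfiles.items():
        for name, version, _ in parse_lockfile(text):
            inventory[name][version].add(team)
    return {n: {v: sorted(t) for v, t in vs.items()} for n, vs in inventory.items()}


def find_version_drift(inventory):
    """Components that different teams use at different versions."""
    return {name: versions for name, versions in inventory.items() if len(versions) > 1}


def check_against_baseline(team_lockfiles, baseline):
    """CI gate: every dependency must be hash-pinned, reviewed, and unchanged.

    Returns sorted (team, name, version, reason) tuples; an empty list passes."""
    findings = []
    for team, text in team_lockfiles.items():
        for name, version, digest in parse_lockfile(text):
            if digest is None:
                findings.append((team, name, version, "missing hash pin"))
                continue
            expected = baseline.get((name, version))
            if expected is None:
                findings.append((team, name, version, "not yet reviewed"))
            elif expected != digest:
                findings.append((team, name, version, "hash differs from reviewed artifact"))
    return sorted(findings)


if __name__ == "__main__":
    inventory = build_inventory(TEAM_LOCKFILES)
    for name, versions in find_version_drift(inventory).items():
        print(f"version drift: {name} -> {versions}")
    for team, name, version, reason in check_against_baseline(TEAM_LOCKFILES, REVIEWED_BASELINE):
        print(f"CI gate: {team}: {name}=={version}: {reason}")
```

On the sample data the drift report names only `requests`, and the gate fails the `data` team's `pyyaml` (digest no longer matches the reviewed artifact) and the `web` team's unpinned `leftpad-helper`. In a real pipeline the baseline would be a file under version control that only a review can change, so the gate cannot be silenced by editing the lockfile alone.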

Establish a disaster recovery strategy

In some ways, securing open source technology is similar to securing software distributed by a proprietor.

One of these ways is that a plan is needed for when the software comes under threat.

“Alongside fixing and upgrading the code for open source software users, and encouraging developers to regularly monitor for patch updates, a solid business continuity and disaster recovery (BCDR) strategy is an effective solution for resolving any risks tied to open source software that threaten the availability of systems and data,” said Ryan Weeks, chief information security officer at Datto.

“Being able to keep systems running and to quickly recover from an attack helps businesses avoid costly downtime caused by those security risks, including everything from ransomware, cryptojacking, and spyware to trojan horses, worms, and rootkits.”

Research who’s using the software

A good indicator of whether a piece of open source technology is worth using within the company is which other firms are already using it.

“Organisations should use open source software that has been adopted/embraced by large vendors,” said Lior Ben Naon, chief solution architect at Skybox Security. “For example, at organisational networks, we see Red Hat Linux servers significantly more than we see Ubuntu or CentOS distributions.

“It is due to the extended support mechanism of Red Hat, and the ownership they are taking of their Linux code base. So in this example, it starts with open source code, but being adopted by a major vendor helps improve the security level, and allows a better patching process, among other things.”

Personal information in APIs

Companies should be wary of any personal information that may be present within application programming interfaces (APIs).

Frank Jablonski, vice president of global marketing at SIOS Technology, said: “The security risks of open APIs are not limited to hackers and malware. Open data and codes can lead to data sharing among applications.

“The amount of personal information attained by open APIs can undoubtedly be shared with third parties. This is evident in Facebook’s vow to better secure personal information.

“APIs can read all your data or they read the data from another application that you have. Security features for open APIs, such as API gateways, should provide users with the utmost protection.”
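One concrete thing an API gateway can do about the data-sharing concern above is enforce a default-deny field policy: each consuming application holds a set of granted scopes, the gateway maps scopes to the response fields they may see, and everything else is stripped before the response leaves, whether or not the upstream service happened to return it. The following is an added example written for this article, not code from SIOS Technology or from any gateway product. The scope names, the field policy and the sample user record are constructed.

```python
"""Added example (not from the article): gateway-side response filtering so
that a third-party application only receives the personal-data fields its
granted scopes permit.  Scope names, policy and the record are constructed."""
import copy

# Which response fields each scope may expose (constructed policy).
SCOPE_FIELDS = {
    "profile:basic": {"id", "display_name"},
    "profile:contact": {"email", "phone"},
    "profile:address": {"address"},
}

# A record as the internal service returns it (constructed sample data).
UPSTREAM_RECORD = {
    "id": 1042,
    "display_name": "A. Example",
    "email": "a.example@example.invalid",
    "phone": "+00 000 0000",
    "address": {"street": "1 Sample Street", "city": "Sampleton"},
    "internal_risk_score": 0.42,  # never meant to leave the service
}


def allowed_fields(scopes):
    """Union of fields permitted by the granted scopes; unknown scopes grant nothing."""
    fields = set()
    for scope in scopes:
        fields |= SCOPE_FIELDS.get(scope, set())
    return fields


def filter_response(record, scopes):
    """Return (filtered_copy, redacted_field_names).

    Default-deny: any field not named by a granted scope is dropped, including
    fields the policy never mentions, so a new upstream field cannot leak by
    accident.  The copy is deep so callers cannot mutate the upstream object."""
    permitted = allowed_fields(scopes)
    filtered = {}
    redacted = []
    for key, value in record.items():
        if key in permitted:
            filtered[key] = copy.deepcopy(value)
        else:
            redacted.append(key)
    return filtered, sorted(redacted)


def gateway_respond(records, client_id, scopes):
    """Filter a collection response and produce one audit entry per record,
    recording which personal-data fields were withheld from which client."""
    bodies, audit = [], []
    for record in records:
        body, redacted = filter_response(record, scopes)
        bodies.append(body)
        audit.append({"client": client_id, "record": record.get("id"), "withheld": redacted})
    return bodies, audit


if __name__ == "__main__":
    bodies, audit = gateway_respond([UPSTREAM_RECORD], "partner-app", {"profile:basic"})
    print(bodies)
    print(audit)
```

The audit entries are the detection hook: a client that keeps requesting scopes it was never granted, or a sudden change in which fields are withheld after an upstream deployment, both show up there without having to inspect the response bodies themselves.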

Aaron Hurst

Aaron Hurst is Information Age's senior reporter, providing news and features around the hottest trends across the tech industry.