In a world that is constantly evaluating costs, it is little wonder that there is an increasing demand for cost-effective solutions to business problems. In the real world, this means 'free,' and in the digital marketplace, it means 'open source.'
Open Source aka "Freeware"
Open source software (OSS) has been with us since the early days of the internet, although the vocabulary has shifted. "Freeware" is a looser label for software handed out at no charge, usually as a binary with no source code and no right to modify it, whereas open source means the source code is published under a license that permits inspection, modification and redistribution. For years the two labels were used loosely and interchangeably. The term "open source" only became fixed in 1998, when a group of developers meeting in Palo Alto adopted it and the "Freeware Summit" held there that April was renamed the "Open Source Summit."
According to OpenSource.com, open source represents a broader set of values, which they call "the open source way." On their site, they state that "Open source projects, products, or initiatives embrace and celebrate principles of open exchange, collaborative participation, rapid prototyping, transparency, meritocracy, and community-oriented development".
Clearly, then, there are many good reasons to use OSS, which is why its use is so widespread and on the rise. We have to start with the obvious one: open source carries no license fee. That makes it attractive to any organization looking to manage or reduce costs, even though the total cost of running and maintaining it is rarely zero. When faced with a choice between purchasing proprietary software and using a no-fee open source equivalent, many smaller organizations will base their decision on price, not functionality.
OSS is developed in the open: anyone can read the code, see how the application was built, and propose enhancements, with contributions judged on their merit rather than on who submitted them. This allows greater collaboration, innovation and faster improvement of the technology. Access to the code also means that weaknesses can be discovered more quickly, by researchers, by the project's own developers, or by attackers. The project maintainers can then address the issues identified. Note that publicly disclosed vulnerabilities are assigned CVE identifiers and appear in the National Vulnerability Database (NVD) whether or not the project has shipped a fix, so the practical question for a user is not whether an issue is listed but whether the version they actually run has been patched.
With every positive, there are risks we need to be aware of. Before getting into the operational issues surrounding open source, there is a fundamental question that must be considered: is running an organization on OSS deemed acceptable simply because we're not calling it freeware? If the head of IT explains to the Board that their security is managed by OSS, it's unlikely to raise concerns. Tell them you're using freeware, however, and the reaction might be somewhat different. This may not matter if we are clear about exactly which OSS is in use, but as open source comes in a multitude of shapes and sizes, do organizations truly understand the risks involved?
This brings us to the next issue when dealing with open source, and that is one of control, in particular control of licenses. Managing how traditional software solutions are deployed is difficult enough, but with the plethora of OSS, and the transitive dependencies each package pulls in, keeping track of which licenses apply (permissive ones such as MIT or Apache-2.0, or copyleft ones such as the GPL, which can impose obligations on the organization's own code) is a real problem if there is no inventory of components and no mechanism to manage it.
The (security) elephant in the room
The power of open source is the ability to collaborate and share ideas amongst like-minded individuals. The ideals of these people are, more often than not, altruistic and intended for good. However, there is no getting away from the fact that cyber criminals are fully aware of the increased use and reliance on OSS. My concern is that not enough focus is being placed on the use of open source by cybersecurity professionals, possibly due to ignorance of the technology or its use in the organizations we work for.
The obvious point that no one seems to mention is that while open source allows for collaboration and rapid prototyping, the cyber crime community can use this same openness to inject malicious code into applications, whether through a malicious contribution, a compromised maintainer account, or a look-alike package that borrows a popular project's name. In addition, where exploits are identified and published broadly, cyber criminals can use that information to infiltrate organizations that don't have a robust patch management process. This often happens because the use of OSS isn't as tightly controlled as that of proprietary software: nobody is sure which components, at which versions, are actually deployed.
Risk management and cybersecurity professionals need to pay closer attention to this area, as their organizations could be exposed to security breaches and to non-compliance with international security standards if OSS is not fully considered or assessed.
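To make the two control points above concrete, tracking which OSS components and licenses are actually in use, and checking whether the installed versions carry published vulnerabilities that have not been patched, here is an added example in Python. It is not code from the original article or from Tripwire. The component names, versions, licenses and advisory identifiers in it are constructed for illustration and correspond to no real package or CVE, and the advisory structure is a simplified stand-in for a real feed such as the NVD or OSV data.

```python
"""Added example: inventory check for third-party open source components.

Two checks the article calls for, on constructed data:
  1. Is any installed component inside the affected range of a published advisory?
  2. Is any component's license outside the organization's approved list?
All package names, versions, licenses and advisory IDs are hypothetical.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Component:
    """One third-party OSS component in the inventory (think: one SBOM entry)."""
    name: str
    version: str
    license: str


@dataclass(frozen=True)
class Advisory:
    """Simplified advisory: affected from `introduced` (inclusive) up to `fixed`
    (exclusive). fixed=None means the maintainer has not shipped a fix yet."""
    advisory_id: str
    package: str
    introduced: str
    fixed: Optional[str]


def parse_version(v: str) -> Tuple[int, ...]:
    """'1.4.2' -> (1, 4, 2), padded to three parts so '1.4' equals '1.4.0'.
    Integer comparison means '1.10.0' correctly sorts after '1.9.0'.
    Pre-release suffixes such as '2.0.0-rc1' are dropped (good enough here)."""
    parts = [int(p) for p in v.split("-", 1)[0].split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(component: Component, adv: Advisory) -> bool:
    """True if the installed version falls inside the advisory's affected range."""
    if component.name != adv.package:
        return False
    v = parse_version(component.version)
    if v < parse_version(adv.introduced):
        return False
    return adv.fixed is None or v < parse_version(adv.fixed)


def find_unpatched(inventory: List[Component],
                   advisories: List[Advisory]) -> List[Tuple[Component, Advisory]]:
    """Components whose installed version is affected by a published advisory.
    A fix that exists but isn't installed is the patch-management gap the article
    warns about; where no fix exists, a mitigation or removal is needed instead."""
    return [(c, a) for c in inventory for a in advisories if is_affected(c, a)]


def find_license_issues(inventory: List[Component], approved: Set[str]) -> List[Component]:
    """Components whose license is not on the organization's approved list."""
    return [c for c in inventory if c.license not in approved]


# Constructed sample data: hypothetical packages and advisory identifiers only.
INVENTORY = [
    Component("libexample", "1.4.2", "MIT"),
    Component("netmon-agent", "2.0.0", "AGPL-3.0"),
    Component("jsonlite", "0.9.1", "Apache-2.0"),
]
ADVISORIES = [
    Advisory("EXAMPLE-2024-0001", "libexample", "1.0.0", "1.4.3"),   # fix available, not installed
    Advisory("EXAMPLE-2024-0002", "jsonlite", "1.0.0", "1.0.4"),     # installed version predates it
    Advisory("EXAMPLE-2024-0003", "netmon-agent", "2.0.0", None),    # no fix published yet
]
APPROVED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}


def report(inventory: List[Component] = INVENTORY,
           advisories: List[Advisory] = ADVISORIES,
           approved: Set[str] = APPROVED_LICENSES) -> Dict[str, list]:
    """Run both checks and return plain tuples that are easy to act on or assert on."""
    return {
        "unpatched": [(c.name, c.version, a.advisory_id, a.fixed)
                      for c, a in find_unpatched(inventory, advisories)],
        "license_issues": [(c.name, c.license)
                           for c in find_license_issues(inventory, approved)],
    }


if __name__ == "__main__":
    result = report()
    for name, version, adv_id, fixed in result["unpatched"]:
        action = f"upgrade to {fixed}" if fixed else "no fix published; mitigate or remove"
        print(f"VULNERABLE  {name} {version}  {adv_id}: {action}")
    for name, lic in result["license_issues"]:
        print(f"LICENSE     {name}: {lic} is not on the approved list")
```

In a real deployment the inventory would come from an SBOM generated at build time rather than a hand-written list, the advisories from the NVD or OSV feeds, and the version comparison from an ecosystem-aware library, since real version strings are messier than the three-integer form handled here. The shape of the check stays the same: without the inventory, the advisory feed has nothing to match against, which is the point of the preceding paragraphs.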
Open source – the Future
There's little doubt that OSS is here to stay, and that's a good thing. It may surprise you to hear me say this given my views above, but I am a fan of OSS. However, I understand and consider the risks associated with its use. When working with organizations looking to use open source applications, I always ask what the rationale is, and I ask them to consider the potential risks involved in its use. For example, I am a fan of OSS for organizations looking for alternatives to desktop applications (design, word processing and so on), but I am more reluctant to recommend open source where the application will be managing or monitoring an entire network or system. In those situations, I would always advise implementing a monitoring tool that is not open source, or intrusion detection or intrusion prevention tools that come from a single source rather than an open one.
Open source isn't a bad thing. Indeed, technology is neither good nor bad, but how people use these technologies should be a consideration for us all.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.