Free Software Can Cost Plenty
“Buyers” must beware of glitches that leave them vulnerable to attacks.
The efficiencies of using and embedding open source software (OSS) carry many risks. With the advent of free repositories and millions of open source projects, any reasonable centralized authentication of a component's origin, or any assurance of its correctness, is virtually impossible. As a result, users should cultivate trust relationships with a few suppliers and keep those suppliers' components up to date.
As industry adopted computers more widely, people were paid specifically to create programs with inherent commercial value. Employers restricted the use of and rights to that work by keeping the source code private and licensing, rather than selling, the software binaries. Consequently, most early experiences with software came either through research or government labs or through commercial licensing.
Cybersecurity experts note that the notion of sharing software is hardly new; most would argue the present open source movement began in 1984. The Free Software Foundation and the GNU project led to the GNU C compiler and GNU Emacs, both pivotal to software development at the time. In addition, the GNU General Public License (GPL) allows the copying, modification and redistribution of software licensed under the GPL. None of those actions requires the explicit permission of the original owner; the only obligation is that modifications be public and therefore visible to the originator.
Although OSS has facilitated many software solutions, it brings with it inherent cybersecurity issues, the experts say. The strength of the OSS community, its openness and trust, unfortunately is also a weakness. A cultural system organized to solicit and accept patches, fixes and improvements from a variety of somewhat vetted but fundamentally untrusted sources will inevitably allow some malicious code to be introduced.
Another risk to the open source movement comes from one of its strengths, the volunteer culture itself, cybersecurity specialists point out. Employees who participate in open source projects not only are more satisfied with their work; their companies also profit from their ingenuity. But while a strong volunteer culture ensures numerous feature improvements, it also makes software maintenance essential.
In addition, the very freedom of the software licensing arrangements means the freedom not to update software even when vulnerabilities have been discovered. Some experts judge the risk of attempting to patch otherwise operational software to be greater than the risk of malicious software exploiting a known vulnerability.
If the creation, distribution and use of open source software is viewed as fundamentally a manufacturing and distribution supply chain problem, more than 70 years of quality engineering theory and experience can solve it, experts propose. The software supply chain is analogous to hardware manufacturing. The OSS projects are the suppliers; the online component repositories are the distributors; the software development teams are the manufacturers; and user applications are the products.
Regardless of the approach taken to ensure OSS security, experts agree that OSS is here to stay and that its usage is increasing dramatically. Because of existing vulnerabilities, organizations should ensure the integrity of their distribution system and local repositories and not allow their employees or suppliers to download source or binaries from the wild.
Companies and agencies are encouraged to apply supplier updates often and to accept the risk and cost of the integration problems that applying update patches can bring. With more than 100 million OSS projects available, finding a reputable, actively developed fork of a component you now depend upon should not be difficult.
To learn more about the benefits and dangers of using open source software, read the AFCEA Cyber Committee’s “Open Source Software and Mission-Critical Applications: A Cautionary Tale” white paper in SIGNAL’s free Resource Library.