Publishing the full source code of a program sounds risky, but open-source software actually has the potential to be more secure than a program whose code is hidden, because anyone can inspect it. As with any type of software, however, vulnerabilities still exist, and they present a serious security risk for as long as they remain unidentified and unpatched.
Open source is software whose code is publicly accessible, so that anyone can view and contribute to it, and it forms the foundation of the Internet we use today. Its popularity is rising: not only are more programs using open-source code, but a larger share of the average program now comes from open-source components than ever before. Today, open-source code can be found in virtually every application we use online, and open-source development is a focus of many of the world's largest companies. To keep our data online secure, we must first make sure that the technology providing that capability is secure. This article explores the security risks that bugs in open-source software pose and the measures being taken to secure open-source software against vulnerabilities and exploits.
A Brief History of Open-Source Software
Open source first became mainstream in the 1990s thanks to the creation of Linux and the 1998 publication of the source code of the Netscape Communicator Internet suite. While software development has always been collaborative, the spread of open-source software represented a new step in the collaboration that large-scale software development requires. By allowing anyone to view, modify, and borrow from their code, developers let anyone improve and contribute to their ideas. Security-wise, open source means that bugs and security flaws need not sit unnoticed until they are exploited: anyone can find, report, or fix them. That benefit only materializes when someone actually reviews the code, which is not guaranteed.
Vulnerabilities in Open-Source Software Pose a Great Security Risk
As open-source software and libraries make up a growing share of the infrastructure society relies on, it is essential that open-source code is properly reviewed for security issues. Many vulnerabilities are patched before anyone exploits them, but open-source software has been attacked before. In the event-stream attack of 2018, a new maintainer who had been handed control of the popular event-stream Node.js library added a malicious dependency to it. A more recent example of a major bug is the vulnerability in Log4j 2, an open-source Java library used by countless programs to log the actions they perform. The vulnerability, known as Log4Shell (CVE-2021-44228), came from Log4j evaluating lookup expressions such as ${jndi:ldap://...} inside the strings it logged: an attacker who could get such a string written to a log, for example through an HTTP header or a username field, could make the application fetch and run code from a server the attacker controlled.
Because so many programs use the Log4j library, one vulnerability put all of them at risk at once, far more damage than if every program had its own logging code. Open-source software is not inherently more secure, and its widespread reuse means a single flaw can have a larger blast radius; at the same time it can be considerably more secure than closed-source software, because anyone can review the code and users can fix the bugs they find.
Because libraries like Log4j rely heavily on unpaid volunteers for maintenance, they often receive far less attention than their importance warrants. Security experts have warned for some time that the widespread use of outdated open-source software has become a national security risk; Log4Shell made many more people aware of the problem and of the importance of using only current, maintained open-source components. Since the Log4j incident, developers and security researchers have emphasized the need for stronger open-source security more than ever.
Measures Are Being Taken to Improve the Security of Open-Source Software
One way open-source security is being promoted is through bug bounties, programs in which organizations offer rewards for reporting bugs in their software. Bug bounties are not simply a lazy way for companies to test their code: as software grows and becomes more complex, bounties let small teams ship large programs without sacrificing security, and they give users a channel to report bugs before attackers take advantage of them. One such program is Open Bug Bounty, a website created in 2014 through which users submit vulnerabilities they find using non-intrusive methods, which are then reported to the affected organization. The site reports that over 800,000 vulnerabilities have been patched through it.
Another way open source is becoming more secure is sponsorship. According to Kent Walker, the President of Global Affairs at Google and Alphabet, one of the biggest flaws of open-source software is that there is “no official resource allocation and few formal requirements or standards” for its maintenance. Because open-source software is a fundamental part of so many companies' products (some estimates say that almost all commercial programs use open-source code), organizations have begun sponsoring open-source development to support the maintenance of the code they depend on. A group of companies recently committed $30 million to fund the ten-point Open Source Software Security Mobilization Plan. Programs like GitHub Sponsors also let users pay the developers of open-source projects hosted on GitHub, one of the largest resources for open-source code.
In addition to efforts to check open-source code for bugs, steps are being taken to prevent errors in the first place. Organizations like the Open Source Security Foundation (OpenSSF) are attempting to rectify the lack of standards for open-source maintenance. Besides hosting courses that teach secure development, OpenSSF's goal is to improve the security of open-source projects by creating standards and training for open-source software.
Government has also increased its role in the security of open-source software. Executive Order 14028 of May 2021, issued before Log4Shell, directed federal agencies toward requiring software bills of materials, or SBOMs, from their software suppliers, and after the Log4j incident the White House convened a summit in January 2022 to discuss ways to improve open-source security. An SBOM is a document that lists the components a program is built from, with their versions: the runtime or language version it targets, the libraries it uses, and the open-source code it borrows. When a vulnerability is found in any of those components, the affected software can be identified and updated quickly.
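The paragraph above says an SBOM lets you find affected software quickly once a component is known to be vulnerable. The following added example (not the article's own code, and not any particular SBOM tool) shows the mechanics on a constructed CycloneDX-style SBOM: each component's package URL is stripped of its version and looked up in an advisory table, and the component version is tested against the affected range. The log4j-core entries use the published fix versions (2.15.0 for CVE-2021-44228 and 2.16.0 for the follow-up CVE-2021-45046); the component list itself is invented, and the version comparator is simplified to numeric dot-separated parts.

```python
import json
import re

# Constructed CycloneDX-style SBOM for this example (not a real product's
# inventory). Two copies of log4j-core at different versions, as happens with
# transitive dependencies, plus a component with no entry in our advisory table.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1?type=jar"},
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "version": "2.17.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1?type=jar"},
    {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind",
     "version": "2.13.0",
     "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.0?type=jar"}
  ]
}
"""
SBOM = json.loads(SBOM_JSON)

# Advisory table keyed by package URL without version. The fixed versions are
# the published ones for these two CVEs; a real tool pulls this from NVD or OSV.
ADVISORIES = {
    "pkg:maven/org.apache.logging.log4j/log4j-core": [
        {"id": "CVE-2021-44228", "introduced": "2.0", "fixed": "2.15.0"},
        {"id": "CVE-2021-45046", "introduced": "2.0", "fixed": "2.16.0"},
    ],
}


def parse_version(version: str) -> tuple:
    """Simplified comparator: numeric dot-separated parts only. Real ecosystems
    (Maven, npm, PyPI) have their own ordering rules for pre-release tags."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def package_key(purl: str) -> str:
    """Strip the version and qualifiers from a package URL: 'pkg:type/ns/name'."""
    return purl.split("@", 1)[0]


def find_vulnerable_components(sbom: dict, advisories: dict) -> list:
    """Match each SBOM component against the advisory table and return
    (component, version, advisory id, fixed version) for every component whose
    version falls inside an affected range: introduced <= version < fixed."""
    findings = []
    for component in sbom.get("components", []):
        key = package_key(component.get("purl", ""))
        version = parse_version(component["version"])
        for advisory in advisories.get(key, []):
            if parse_version(advisory["introduced"]) <= version < parse_version(advisory["fixed"]):
                findings.append((component["name"], component["version"],
                                 advisory["id"], advisory["fixed"]))
    return findings


if __name__ == "__main__":
    for name, version, cve, fixed in find_vulnerable_components(SBOM, ADVISORIES):
        print(f"{name} {version}: affected by {cve}, upgrade to {fixed} or later")
```

Only the 2.14.1 copy is reported; the 2.17.1 copy is past both fix versions and jackson-databind has no advisory in the table. Without an SBOM, answering "do we ship a vulnerable log4j-core anywhere?" means unpacking every build artifact; with one, it is a lookup like this against whatever advisory feed you trust.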
Some resources for staying up to date on software security include:
- LinuxSecurity Advisories
- NIST National Vulnerability Database
- CISA Known Exploited Vulnerabilities Catalog
- CERT Vulnerability Notes Database
Final Thoughts
As open source becomes a bigger part of software development, measures should be taken to improve the security of open-source projects. Software composition analysis and code scanning tools can find known-vulnerable open-source components and bugs in the code that uses them. Average users can help keep open-source projects secure by contributing code or reporting through bug bounties. It is also important to stay up to date on the latest vulnerabilities, which an SBOM makes easier by showing exactly which components a program depends on. Ultimately, while open-source software has had security issues, it can be even more secure than closed-source code when properly reviewed, and the growth of open-source software means greater potential for secure software.