Is Open-Source Software Secure?

Visibility of code compels good security hygiene


On Sept. 7, 2017, IT professionals everywhere received a bucket of cold water to the face when news broke of the biggest data breach in U.S. history—criminals hacking into the databases of credit reporting agency Equifax had stolen the personal information of 148 million Americans.

For those affected, perhaps the worst thing about the breach was that it could have easily been prevented: The hackers’ mode of attack was a vulnerability in Apache Struts, an open-source web application development framework. Though a patch was released six months before the attack, Equifax had failed to install it. The incident gave new life to an old debate about whether open-source software is secure.

“Imagine you’re driving a car. If you have a Prius, you trust that Toyota has checked its supply chain; they know where all their parts come from and they have a rigorous process to make sure that when they assemble it, the final car is safe. Exactly the opposite is true in software,” said Mark Curphey, vice president of strategy at CA Veracode, an application security firm that specializes in securing open-source software. “In software, you’ve got no clue where the steering wheel, the brakes, or the seatbelts came from.”

This doesn’t mean all open-source software is risky. In fact, its nature means open-source software has a superior security posture in some ways.

“With open-source software, people can see the code. That’s actually a good thing because it creates a vested interest for the software provider to practice good security hygiene,” said David Egts, chief technologist for the public sector organization at Red Hat. “If people can look at your code and see that it’s [full] of security vulnerabilities and bugs, you’re not going to last very long.”

Instead of embracing or rejecting open-source software wholesale, users should establish a risk-management process for evaluating it.

“There’s four questions you need to ask every time you’re considering open-source software,” Curphey concluded: “What am I using? Where did it come from? What does it do? And what is its quality? Going back to the car analogy, it’s all about building a digital supply chain.”

Return to feature story: An Open Frontier

Posted in: Features   Tagged in: 2019 Issue 1

, , ,

USGIF Publishes GEOINT Essential Body of Knowledge (EBK) 3.0

Herndon, VA, (May 2, 2024)—The United States Geospatial Intelligence Foundation (USGIF) is thrilled to announce the publication of its Geospatial Intelligence (GEOINT) Essential Body of Knowledge (EBK) 3.0. The purpose of the EBK is to define and describe the GEOINT discipline and to represent the essential knowledge, skills, and abilities required for a GEOINT professional to…


Is Quantum Computing Poised to Transform GEOINT?

As quantum computing matures, so does its potential to impact geospatial intelligence


USGIF Announces GEOINT 2024 Golden Ticket Winners

Congratulations to the Golden Ticket Class of 2024. These 24 exceptional junior members of our discipline will take part in a highly coveted professional development experience during the upcoming GEOINT Symposium. The Golden Ticket program is among the most impactful ways that USGIF, now celebrating 20 years of service, helps to build the GEOINT community….