Visibility of code compels good security hygiene
On Sept. 7, 2017, IT professionals everywhere received a bucket of cold water to the face when news broke of the biggest data breach in U.S. history—criminals hacking into the databases of credit reporting agency Equifax had stolen the personal information of 148 million Americans.
For those affected, perhaps the worst thing about the breach was that it could have easily been prevented: The hackers’ mode of attack was a vulnerability in Apache Struts, an open-source web application development framework. Though a patch was released six months before the attack, Equifax had failed to install it. The incident gave new life to an old debate about whether open-source software is secure.
“Imagine you’re driving a car. If you have a Prius, you trust that Toyota has checked its supply chain; they know where all their parts come from and they have a rigorous process to make sure that when they assemble it, the final car is safe. Exactly the opposite is true in software,” said Mark Curphey, vice president of strategy at CA Veracode, an application security firm that specializes in securing open-source software. “In software, you’ve got no clue where the steering wheel, the brakes, or the seatbelts came from.”
This doesn’t mean all open-source software is risky. In fact, its nature means open-source software has a superior security posture in some ways.
“With open-source software, people can see the code. That’s actually a good thing because it creates a vested interest for the software provider to practice good security hygiene,” said David Egts, chief technologist for the public sector organization at Red Hat. “If people can look at your code and see that it’s [full] of security vulnerabilities and bugs, you’re not going to last very long.”
Instead of embracing or rejecting open-source software wholesale, users should establish a risk-management process for evaluating it.
“There’s four questions you need to ask every time you’re considering open-source software,” Curphey concluded: “What am I using? Where did it come from? What does it do? And what is its quality? Going back to the car analogy, it’s all about building a digital supply chain.”