How secure is open source when people are increasingly relying on it?


Open source is a godsend for developers, but sometimes also a curse. How secure is open source code today?

We return to late 2021. The world stood still for a while then, and not only because of COVID-19. Log4j, a logging library used by millions of Java-based systems, contained a vulnerability. “A programming error allowed hackers to execute their own malicious code via Log4j and even connect to a remote server to bring in malware from there,” said Dirk Deridder, director of IT Infrastructure, Systems, Services & Support at Smals.

Almost no one was immune. Apple’s iCloud, services from Cloudflare, Amazon, VMware and IBM, Twitter and the games service Steam, among others, were affected by the bug. Of note: thanks to additional security measures, attacks could fortunately still be stopped.

What made this complex? Apache, as the developer of Log4j, rolled out a patch for the zero-day, but that wasn’t enough. Many organizations use third-party software with Log4j embedded in it. They had to wait for every one of their software vendors to adopt Apache’s patch and then roll out the updated product themselves.

The Log4j case was a worst-case scenario, where open source went belly-up. Deridder: “Those who work with open source have a powerful tool in their hands. As long as you yourself are knowledgeable enough about that power.”

Transparency

An open source environment is based on transparency: the code you share is visible to everyone. This has a positive impact on code quality. Developers are unlikely to share sloppy code when it risks being corrected or swamped by criticism. The open nature encourages quality.

“With open source, you collaborate with different people, but not within one company. This forces you to follow certain standards, so vendor lock-in doesn’t stand a chance,” Deridder says. Those open standards provide a high degree of portability where developers can deploy the same code on different platforms.

Safety

Although open source is a community, filled with developers who share the same goal, this does not imply that it is immune to outside dangers. The ultimate responsibility of the code lies not with the person sharing it, but with the end user who adopts it.

“You cannot expect a volunteer developer who shares code with others in his spare time to have the resources to detect rogue code or practices,” Deridder says. So it is up to the end user to inspect the acquired code for rogue issues, although this is not always feasible when tens of thousands of lines of code are involved.

Open Source has become so common sense that too little is talked about it.

Dirk Deridder, Director IT Infrastructure, Systems, Services & Support at Smals

Deridder sees major challenges for open source as a concept as the number of cyber threats increases. Hackers are increasingly targeting open source projects, creating new challenges. “But I look at it positively, this may well be the electroshock needed to put open source back on the radar,” Deridder says.

SBOM

At Smals, Deridder always insists on the SBoM, the “Software Bill of Materials”. “You can think of this as a software ingredients list. It’s a list of all the components, libraries and frameworks used in a specific software product.”

The SBoM also often includes important information such as versions of components, licenses and any known security issues. “An SBoM is valuable because you know what you have in terms of software,” he said.

By working with an SBoM, Deridder says, organizations will automatically manage and secure their products better. Various regulations and standards already require one. A final added benefit is better cost efficiency, because you know what is present where. A better overview allows for faster fixes, which saves money.
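The two points above, that an SBoM lists every embedded component with its version and that a vulnerability in a library hidden inside a vendor product can only be found if you know it is there, can be demonstrated with a small script. The following is an added example, not code from Smals, ReUse or Dirk Deridder: it walks a constructed, simplified CycloneDX-style SBoM, matches components against a constructed advisory list (placeholder identifier and made-up version range), and reports the dependency path so the owner can see which third-party product the affected library arrived through.

```python
"""Walk a (constructed) SBoM and flag components that match a (constructed)
advisory list, reporting the dependency path for each hit."""
import json

# Constructed sample: a simplified CycloneDX-like SBoM for a hypothetical
# product. Component names, versions and licenses are invented for
# illustration; "bom-ref" ids link the components to the dependency graph.
SAMPLE_SBOM = json.dumps({
    "components": [
        {"bom-ref": "app", "name": "example-portal", "version": "3.2.0",
         "licenses": ["MIT"]},
        {"bom-ref": "vendor-lib", "name": "vendor-reporting", "version": "1.4.1",
         "licenses": ["Proprietary"]},
        {"bom-ref": "logger", "name": "example-logging", "version": "2.3.0",
         "licenses": ["Apache-2.0"]},
        {"bom-ref": "json", "name": "example-json", "version": "1.0.5",
         "licenses": ["MIT"]},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["vendor-lib", "json"]},
        {"ref": "vendor-lib", "dependsOn": ["logger"]},
        {"ref": "logger", "dependsOn": []},
        {"ref": "json", "dependsOn": []},
    ],
})

# Constructed advisory list: placeholder id, affected package name and the
# affected version range as [introduced, fixed). Not a real advisory.
SAMPLE_ADVISORIES = [
    {"id": "ADVISORY-PLACEHOLDER-001", "name": "example-logging",
     "introduced": "2.0.0", "fixed": "2.4.0"},
]


def parse_version(version):
    """Turn a dotted numeric version string into a comparable tuple."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version, advisory):
    """True when version lies in the advisory's half-open range."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def find_affected(sbom_json, advisories):
    """Return one finding per (advisory, component, dependency path).

    The path is what matters operationally: a hit reached through a vendor
    product cannot be fixed locally until that vendor ships an update."""
    sbom = json.loads(sbom_json)
    comps = {c["bom-ref"]: c for c in sbom["components"]}
    deps = {d["ref"]: d.get("dependsOn", []) for d in sbom["dependencies"]}
    depended_on = {ref for targets in deps.values() for ref in targets}
    roots = [ref for ref in comps if ref not in depended_on]
    findings = []

    def walk(ref, path, seen):
        if ref in seen:          # guard against cyclic dependency graphs
            return
        comp = comps[ref]
        chain = path + [ref]
        for adv in advisories:
            if comp["name"] == adv["name"] and is_affected(comp["version"], adv):
                findings.append({
                    "advisory": adv["id"],
                    "name": comp["name"],
                    "version": comp["version"],
                    "fixed": adv["fixed"],
                    "path": " -> ".join(comps[p]["name"] for p in chain),
                })
        for child in deps.get(ref, []):
            walk(child, chain, seen | {ref})

    for root in roots:
        walk(root, [], frozenset())
    return findings


if __name__ == "__main__":
    for hit in find_affected(SAMPLE_SBOM, SAMPLE_ADVISORIES):
        print(f"{hit['advisory']}: {hit['name']} {hit['version']} "
              f"(fixed in {hit['fixed']}) via {hit['path']}")
```

Run against the sample, the script reports the logging library through the path `example-portal -> vendor-reporting -> example-logging`, which is exactly the situation described for Log4j: the organization owns `example-portal`, but the patched version has to come from the `vendor-reporting` supplier first. A real SBoM would be generated by build tooling rather than hand-written, and the advisory list would come from a vulnerability feed; the matching logic stays the same.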

Nano communities

“Open source is theoretically the most secure code, because the whole world can look in. Unfortunately, that’s a dream. The reality is that for the hundreds of millions of packages, there are not enough people in the open source community to rigorously penetrate everything,” Deridder said.

He points to Linux as a bastion with strong leaders. “There the story rings true, but at the same time there are tens of thousands of others who are also building something, dropping the code into open source because it has done service for them, and leaving with the heavens. You’re often dealing with nano-communities. That’s where the Achilles heel of open source is.”

Deridder breathes open source and wants to spread that message as widely as possible. “At Smals, we encourage the use of open source and developed our own micro-community called ReUse.” There, code commonly used by government agencies is “recycled”. Recently, Smals launched an improved website with a constantly updated catalog of a hundred reusable components: APIs, systems, libraries and products.