Open Source Software in a Cyber-conscious World
The March 2017 breach (1) of credit giant Equifax, which resulted in the loss of an estimated 143 million personal records, is widely cited in Open Source Software (OSS) circles as a reason for vulnerability vigilance. The breach occurred when attackers used a consumer complaint web portal to exploit a vulnerability in Apache Struts, an open-source development framework that Equifax used to create enterprise Java applications. Though a patch was available, Equifax failed to apply it comprehensively, allowing the attackers to move from the web portal to Equifax servers and exfiltrate huge amounts of personal data.
Yet, shattering as the impact of the Equifax breach was, it does not by itself make the case for dismissing OSS. As this article sets out, OSS has both upsides and downsides.
What it is
OSS is software that is developed collaboratively in open-source projects by communities of collaborators, or contributors. It is licensed for free use, study, modification, and distribution. This is completely at variance with proprietary or ‘closed’ software, which is developed specifically for a customer who holds the exclusive rights to copy, modify, and distribute it.
Because of its building-block nature, OSS is widely deployed as a framework for building applications. Some estimates (2) put open-source components in 70 to 90% of modern software applications. Widely embraced by the food, consulting, finance, higher-education, and telecommunications industries, it is used by an estimated 50% of Fortune 500 companies (3) for applications that manage critical processes and workloads.
Linux, Mozilla and Open-Source Initiative are amongst the more famous open-source organizations, while Apache, Audacity, Mozilla Firefox, Linux and WordPress are some of the best-known open-source packages used.
A brief history
Though many call it ‘freeware’, a term used in earlier years for software of this kind, the term ‘open source’ was coined at the April 1998 Freeware Summit (now the Open Source Summit). Since then it has grown manifold. Today, developers routinely incorporate open-source components into their products. Open-source libraries are omnipresent in cloud computing, with Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure among the major players.
The extent of OSS use is hard to overstate. It is reported that 96% of applications (4) contain OSS components, with an average of 528 components per application, clearly illustrating the building-block role of open-source code in application development. Twenty years ago, when OSS was just getting started, only 1% of applications used it.
Licensing OSS
Licensing is a recurring point of debate in any discussion of OSS. Though OSS grants the user the right to freely use, modify, contribute to, and distribute the software, an OSS license is granted only after a strict process of formal application, scrutiny, and admission. Hence there is minimal chance of a community-based project being compromised by a hacker gaining access to it. Licenses are of two types: ‘copyright’ licenses, which allow developers to copyright the applications they have created using OSS, and ‘copyleft’ licenses, which come with legally enforceable conditions, restrict copyrighting, and retain the intellectual property rights with the original licensor.
How it works
Open-source development typically begins with an independent programmer or a team of programmers working on a project; the Python programming language (created in the winter of 1989) and the Apache Web Server are two such projects. Other programmers then contribute to that initial core by writing code, testing, documenting, building the project website, and so on. Over time an ecosystem for open-source projects has grown up, with code-hosting services such as Google Code, GitHub, and Bitbucket offering central repositories and related services such as collaboration access.
Lessons for organizations
Businesses across the world have woken up to the fact that winning strategies can be built on smart technology and software choices. The cost of innovating can be prohibitive with proprietary or closed software. OSS gives organizations the freedom to draw on software developed by other organizations on the platform while focusing their own innovation on other parts of the model.
OSS is widely regarded as the go-to-market destination and strategy for building software. The rationale is simple: organizations do not find it expedient to build applications from scratch, and it serves them to draw on OSS. By sharing their own developments on the collaborative platforms (industry reports put the share of developers contributing to open-source projects at 84%) they give back to the industry, making it a win-win situation for all.
The benefits
Let us leave aside the fact that OSS today is ubiquitous (reason enough in itself to dispel doubts about its value) and look at some of its most compelling benefits.
- Flexibility arising from the possibility of tailoring the source code to the organizational need without long gestation periods
- Faster project start-up time due to easy access to the source code
- Reduced vendor lock-in and reliance on service providers
- Reliability due to the tried and tested source material
- Increased visibility and accessibility of algorithms ensuring transparency for both the development team and stakeholders, with the latter being able to satisfy themselves as to the fairness in operations
- Reasonably higher levels of security due to the visibility of code to the development team
- Faster turnaround times and fewer disruptions due to multiple collaborators on the platform contributing to bug-hunting and remediation
- Cost-effectiveness as a result of the elimination of licensing fees, acquisition, and initial evaluation costs that are an inherent part of proprietary software
- Greater specialist involvement due to the collaborative platform and diversified invested community
- Less strain on technical resources arising from talent attraction, retention, and workload stressors
- Longer shelf life of software, since it does not depend on dedicated vendor support continuing
The disadvantages
It might seem OSS has a lot going for it, but it also comes with some inherent disadvantages. Here are some of the more concerning of them.
- Security issues are at the top of the list of challenges. Studies show that at least one high-risk open-source vulnerability has been found to exist, or has been exploited, in a majority of the codebases studied
- Low numbers of contributions to normally active codebases have been seen in recent times
- Increasing number of ‘orphaned or abandoned’ codebases
- Patches issued are not always applied on time at their destinations
- Ongoing customization is often cited as a hidden post-installation cost of software that is free or inexpensive to start with
- Manuals, documentation, and troubleshooting advice are often scarce or non-existent
- Limited features due to the standardized nature of the software
- User-friendliness is often lacking, making for a poor customer experience
- Lack of compatibility with other commercial or proprietary software in the ecosystem
- OSS talent shortages are common
- Complex licensing procedures
Closing thoughts
Considering that OSS is more the rule than the exception in industry solutions today, organizations always need to be at the top of their game on cybersecurity. At the top of the list of concerns are vulnerabilities that can be exploited. Equally concerning is the large number of applications in an organization that use OSS, which in turn multiplies the attack surface available to hackers. Another concern, as in the Equifax breach, is the failure to either issue or apply patches on time.
Considering these and other touchpoints, it can generally be said that OSS presents huge challenges for cybersecurity. The question that must then be asked is: is it good for the organization?
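The three concerns above (exploitable vulnerabilities, many applications sharing the same open-source components, and patches not applied in time) are all addressed by the same basic discipline: keep an inventory of which applications run which component versions, compare it against published advisories, and track how long each fix has been available. The script below is an added illustration of that check, not code from the article or from any project it names; every application name, component, version, advisory identifier and date in it is constructed, and the 30-day patching deadline is an assumed policy value.

```python
"""Check a constructed open-source component inventory against a constructed
advisory list and report components still running an affected version.

Added example, not code from the article or from any project it names.
Component names, versions, advisory identifiers and dates are all made up.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Advisory:
    advisory_id: str    # placeholder id, not a real CVE number
    component: str
    affected_min: str   # first affected version (inclusive)
    fixed_in: str       # first fixed version (exclusive upper bound)
    published: date     # when the fix became available


def parse_version(v: str) -> tuple:
    """Turn '2.3.31' into (2, 3, 31) so versions compare numerically.
    Assumes plain dotted numeric versions; real version schemes vary."""
    return tuple(int(part) for part in v.split("."))


def is_affected(version: str, adv: Advisory) -> bool:
    """True when version lies in [affected_min, fixed_in)."""
    v = parse_version(version)
    return parse_version(adv.affected_min) <= v < parse_version(adv.fixed_in)


def find_unpatched(inventory, advisories, as_of, sla_days=30):
    """Return one dict per (application, component) still on an affected version,
    with the number of days the fix has been available and whether the assumed
    patching deadline (sla_days, default 30) has been missed."""
    findings = []
    for app, component, version in inventory:
        for adv in advisories:
            if adv.component != component or not is_affected(version, adv):
                continue
            outstanding = (as_of - adv.published).days
            findings.append({
                "app": app,
                "component": component,
                "version": version,
                "advisory": adv.advisory_id,
                "fixed_in": adv.fixed_in,
                "days_outstanding": outstanding,
                "overdue": outstanding > sla_days,
            })
    return findings


# Constructed inventory: (application, open-source component, deployed version).
# Two applications share the same framework, which is why one advisory can
# mean several places to patch.
INVENTORY = [
    ("consumer-portal", "example-web-framework", "2.3.31"),
    ("billing-api", "example-web-framework", "2.5.13"),
    ("reporting", "example-xml-parser", "1.4.0"),
    ("internal-wiki", "example-xml-parser", "1.4.2"),
]

# Constructed advisories with placeholder identifiers and dates
ADVISORIES = [
    Advisory("ADV-EXAMPLE-0001", "example-web-framework", "2.3.5", "2.3.32", date(2023, 11, 1)),
    Advisory("ADV-EXAMPLE-0002", "example-xml-parser", "1.0.0", "1.4.2", date(2024, 1, 20)),
]

AS_OF = date(2024, 1, 31)  # constructed "today" for the report


if __name__ == "__main__":
    for f in find_unpatched(INVENTORY, ADVISORIES, AS_OF):
        flag = "OVERDUE" if f["overdue"] else "open"
        print(f"{flag}: {f['app']} runs {f['component']} {f['version']} "
              f"({f['advisory']}, fixed in {f['fixed_in']}, "
              f"{f['days_outstanding']} days since fix)")
```

Run as written, the report flags the consumer portal's framework as overdue (the fix has been out for 91 days against a 30-day deadline) and the reporting service's parser as open but within the deadline, while the two applications already on fixed versions are silent. In practice the inventory would come from a software bill of materials and the advisories from a vulnerability feed, but the comparison and the ageing logic are the same.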
It’s a question that only the organizations themselves can answer. Perhaps as songwriter-poet-activist Bob Dylan sang, the answer is blowing in the wind.
References
- (1) Equifax blames open-source software for its record-breaking security breach: Report | ZDNET
- (2) What is open source? Definition, examples, pros and cons | SDxCentral
- (3) 5 advantages and 6 disadvantages of open source software | TechTarget
- (4) How Open Source Software Is Paving The Way For More Competitive Business Models | Forbes (forbes.com)