Cyber Security Considerations with Open Source
Free software! This is the common reaction when business owners learn of open-source software for the first time. There are open-source solutions out there for just about every function of business. There are even open-source cyber security solutions; the U.S. Department of Homeland Security compiled a list of them. Open-source software does come with some severe limitations, including no customer service, self-installation, no technical support, and sometimes no updates at all. Open-source is not a welcoming place for the non-technical user. Business owners who do use open-source solutions often have only the bare minimum understanding of programming required to get it onto their systems. Other times a freelancer handles it.
Another layer of complexity for cyber security is that open-source code is built into almost every piece of software we interact with on some level. When a cyber criminal finds an exploit in open-source code, they simultaneously have an exploit for any and all software that uses that open-source component. Common software from Google’s products to Microsoft Office all contains some open-source code. However, this vulnerability may be open-source’s greatest strength in disguise.
Open-source projects often attract developers who are also active and loyal users of the product. In the open-source world, projects are often developed out of a critical need rather than through investment. The community often hacks its own software to test its security and has much quicker response times when it comes to addressing vulnerabilities. Meaning, open-source can at times be very quick to respond to a threat or even to general code failures. However, this depends both on how active the community is and on how regularly you check in with it.
If you’re going to use open-source software, which is encouraged in some cases, there are some considerations you should know about. First, let’s explore what open-source is so there is no confusion about what you’re taking on.
Open-source Software: The Definitions
To start, open-source is something that anyone can modify, distribute, and even capitalize on, because projects are publicly driven. Open-source software, by extension, is publicly available source code that anyone anywhere can inspect, modify, and distribute freely. This is in contrast to proprietary software, where the source code is exclusively controlled by the organization that developed it. Sounds too good to be true? Well, it’s a reality, and it’s here to stay. As stated above, some very successful businesses have been built on open-source code and projects. Additionally, a whole community with its own set of principles has developed around open-source. They value open exchange, collaboration, rapid prototyping, transparency, and community.
Why Users go Open-Source
Users of open-source software often gravitate towards it because of greater control and responsive security. For those who are used to proprietary software this may seem counter-intuitive. Using open-source software requires some acceptance of risk and a shortage of the standard support that comes with proprietary software.
Open-source users feel greater control because they have direct access to the code and can use the software in whatever way they wish. At times, user control of source code produces innovations and integrations that proprietary companies may take a long time to even think about. An example of this can be found in the contrast between Google’s business offerings and the open-source project Nextcloud, where users themselves developed an environment that consolidated all the features of Google into one workspace. The aspect of control is one of the biggest drivers not just for users but for governments and even businesses. This way, unique security solutions can be built into the source code of software, which otherwise would not happen.
The online community of user-developers responds swiftly if there is a problem. However, there are no notifications of security failures or even code failures. Instead, someone using open-source software needs to regularly check forums and sort through the conversations to find out whether there is an issue, which can be a burden for many users, not to mention how complex this gets if you are using software built from many different open-source projects. Despite this, users still feel more secure because they have gotten used to this very habit. There is a drawback, however: despite the community’s responsiveness, security depends on whether a community exists around the software. With no community, there is no security or even bug support. Additionally, there is no standard by which to assess the quality of security in an open-source solution, so using one requires a certain leap of faith.
Cyber Security Considerations
When seeking out an open-source solution to fit your needs there are some general signs to look out for and preemptive measures that can be taken to protect yourself.
One of the most critical elements of an open-source project is whether there is an active and sizable community. Without a community there are no debugging or security patches made, unless you plan on doing that yourself. However, even having a community is not enough, especially when you take into consideration that 99% of projects have fifty or fewer contributions per year. So some metrics to keep track of when looking at a community are: how many issues are open, how responsive are the maintainers, and how many users regularly open issues? The reason for the emphasis on issues is that community members are constantly reviewing code for bugs and errors. No code is perfect, and in the open-source space this is not hidden.
Successful open-source projects often have a core team of developers behind them. This team offers the software free and earns revenue from either paid hosting or paid installation and support: essentially the freemium business model. Open-source projects that have this can often be relied upon with more certainty than projects with communities alone. These teams are often active in encouraging a community and marketing the software. They usually have greater streams of information, since developers in the community can provide near-immediate feedback on bugs and security flaws. They then usually release an update to all users after feedback and community testing.
If you’re thinking about open-source, make sure the documentation for the project is up-to-date. Often the documentation is more than a user guide; it is a guide for developers to immediately find what they’re looking for. Before you download, review the documentation to see what security features are built in and whether the software can scale or integrate with other security suites. If, for example, you find software that offers no encryption, then you may find your data vulnerable to attackers online. Always read the documentation to gain a proper assessment of the software’s security measures.
Open-source software is often a cost-effective solution for small and medium-sized businesses. Large businesses are also able to leverage the flexibility of open-source to build more products or reinforce their networks. Understanding what open-source is, how it works, and where to look for security quality will save you a lot of headache in the long run. What has been your experience with open-source so far?
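The community metrics just named (open issues, maintainer responsiveness, how many distinct users open issues) can be computed from an issue-tracker export rather than eyeballed. The script below is an added example, not from the article or any particular project: the issue records are constructed sample data, the field names are assumptions about what a tracker export would contain, and the thresholds in `assess()` are illustrative, since, as the article notes, there is no published standard for this.

```python
"""Community-health metrics for an open-source project, computed from issue records.

Added example: SAMPLE_ISSUES is constructed data in the shape an issue-tracker
export or API response typically has. Field names are assumptions for the example.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import median
from typing import Optional

@dataclass
class Issue:
    number: int
    opened: date
    reporter: str
    closed: Optional[date] = None                  # None = still open
    first_maintainer_reply: Optional[date] = None  # None = never answered

# Constructed sample: eight issues opened during 2023, evaluated as of AS_OF.
AS_OF = date(2024, 1, 1)
SAMPLE_ISSUES = [
    Issue(1, date(2023, 1, 10), "alice", closed=date(2023, 1, 15), first_maintainer_reply=date(2023, 1, 11)),
    Issue(2, date(2023, 2, 3),  "bob",   closed=date(2023, 2, 20), first_maintainer_reply=date(2023, 2, 4)),
    Issue(3, date(2023, 3, 12), "alice", closed=None,              first_maintainer_reply=date(2023, 3, 14)),
    Issue(4, date(2023, 5, 1),  "carol", closed=date(2023, 5, 3),  first_maintainer_reply=date(2023, 5, 1)),
    Issue(5, date(2023, 6, 18), "dave",  closed=None,              first_maintainer_reply=None),
    Issue(6, date(2023, 8, 9),  "bob",   closed=date(2023, 9, 1),  first_maintainer_reply=date(2023, 8, 12)),
    Issue(7, date(2023, 10, 2), "erin",  closed=None,              first_maintainer_reply=date(2023, 10, 5)),
    Issue(8, date(2023, 11, 20), "alice", closed=date(2023, 11, 25), first_maintainer_reply=date(2023, 11, 21)),
]

def community_metrics(issues, today, window_days=365):
    """Summarise issue activity over the trailing window ending at `today`."""
    window_start = today - timedelta(days=window_days)
    recent = [i for i in issues if i.opened >= window_start]
    open_issues = [i for i in issues if i.closed is None]
    replied = [i for i in recent if i.first_maintainer_reply is not None]
    closed = [i for i in recent if i.closed is not None]
    reply_days = [(i.first_maintainer_reply - i.opened).days for i in replied]
    close_days = [(i.closed - i.opened).days for i in closed]
    return {
        "issues_opened_last_year": len(recent),
        "distinct_reporters_last_year": len({i.reporter for i in recent}),
        "open_issues": len(open_issues),
        "unanswered_open_issues": sum(1 for i in open_issues if i.first_maintainer_reply is None),
        "median_days_to_first_reply": median(reply_days) if reply_days else None,
        "median_days_to_close": median(close_days) if close_days else None,
        "reply_rate": len(replied) / len(recent) if recent else 0.0,
    }

def assess(metrics, min_reporters=3, max_median_reply_days=14, min_reply_rate=0.8):
    """Return a list of concerns. Thresholds are illustrative assumptions, not a standard."""
    concerns = []
    if metrics["issues_opened_last_year"] == 0:
        concerns.append("no issues opened in the last year: the community may be inactive")
        return concerns
    if metrics["distinct_reporters_last_year"] < min_reporters:
        concerns.append("very few distinct reporters: the user base may be tiny")
    reply = metrics["median_days_to_first_reply"]
    if reply is None or reply > max_median_reply_days:
        concerns.append("maintainers are slow or absent: security reports may go unanswered")
    if metrics["reply_rate"] < min_reply_rate:
        concerns.append("many issues never get a maintainer reply")
    if metrics["open_issues"] and metrics["unanswered_open_issues"] > metrics["open_issues"] / 2:
        concerns.append("most open issues are unanswered: backlog is not being triaged")
    return concerns

if __name__ == "__main__":
    m = community_metrics(SAMPLE_ISSUES, AS_OF)
    for key, value in m.items():
        print(f"{key}: {value}")
    print("concerns:", assess(m) or "none")
```

On the constructed sample the project looks healthy: eight issues from five different reporters, a median of one day to the first maintainer reply, and only one open issue with no reply. Feed the same functions an empty or stale export and `assess()` reports an inactive community, which is the case the article warns has no security or bug support behind it.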