Over the past few years, we have heard the term “open source software” more and more. It has become the cornerstone of the technology we use today: the 2021 Open Source Security and Risk Analysis (OSSRA) report found open source in 98% of the codebases it audited, writes Tim Mackey, Senior Security Strategist, Synopsys Cybersecurity Research Center.
More recently, however, it has made negative headlines. The Log4Shell vulnerability (CVE-2021-44228), disclosed towards the end of 2021 in the widely used open source logging library Log4j, sent organizations into a frenzy and continues to create headaches for many. Security teams around the world have been under time pressure to patch their systems before malicious actors exploit the flaw to breach systems, steal credentials, and spread malware further across networks.
In another case, the developer of two widely used open source Node.js libraries deliberately sabotaged his own code in protest against large corporations that profit from permissive open source license terms without providing the developer with any revenue. Yet despite all the talk surrounding the term “open source,” most people do not seem to understand what it is, and it is this lack of understanding that creates many of the process problems we see today.
This article therefore seeks to provide a foundation on what open source software is, how it works, and why it is so common to find it powering everything from mobile apps to servers to the software inside smart devices.
What is open source software?
Open source software is simply software whose source code is freely available for anyone to see and modify. As with any software, a software license governs its use, but that license also confers rights and obligations regarding access to and modification of the source code. In other words, open source licenses allow users of the software to freely modify and offer variations of this software provided they comply with the obligations of the open source license.
Although often assumed to be free of charge, nothing prevents anyone from charging a fee for open source software. The most common pricing models are: a company charging for technical support on specific open source projects, a company adding value to an open source solution through additional testing or certification, or a company offering a hosted version of the software running as a service.
How is open source different from commercial software?
Most people are familiar with commercial or vendor-supported software. Such software is created by a single entity, which usually charges money for its use. With commercial software, the vendor is responsible for developing the software, testing it for both quality and security, and releasing security updates. The vendor makes the software available under a commercial license, and once it decides to stop supporting the software, no new features are developed and, typically, no further security fixes are issued.
In contrast, open source software is typically developed by an independent team of geographically distributed developers. That team is usually called an open source community, and it is central to the growth of open source development. Unlike a vendor that needs to recruit and hire expertise, open source communities are dynamic and can tap into expertise that may be hard to find in a specific geography or may be extremely specialized (for example, expertise in cryptography).
In addition to developers, open source communities include the users of the components, and it is the community as a whole that defines how the software evolves and which features matter. The “software roadmap” that a commercial vendor's product managers would maintain is instead owned and managed by the open source community.
What is the prevalence of open source software?
The use of open source software has increased dramatically in recent years, in part because the community development model allows ideas to be explored in a distributed way. This has allowed key enabling technologies such as Kubernetes to scale to major platforms while simultaneously tackling hard problems such as secure networking, performance management, and secure large-scale deployment, each of which would normally fall to a single vendor under a commercial business model.
While many people think of open source in terms of installable applications, there are far more fundamental building blocks in open source software than there are branded applications. These fundamentals include mundane things like programming languages, application logging libraries, network stacks, and UI frameworks. Given the value of these building blocks, most commercial software includes some amount of open source components; the net result is that purely commercial software is rare.
What happens when a security patch is released for open source software?
When a commercial software vendor needs to release a patch or update their software, they know who their customers are and can proactively notify them. Since open source software is free to download, the community that creates the software rarely knows everyone who uses it. This places the responsibility for patch management on the shoulders of the users who downloaded the software.
If these users have no process to monitor for new patches, their software easily falls out of date, which in turn raises the risk of software supply chain attacks. From an open source governance perspective, the lack of an update process is the top risk factor affecting users, followed closely by a lack of visibility into which open source components are in use. After all, it is hard to patch something you don't know you're using.
Will open source be everywhere?
Absolutely! Although most companies won't openly admit it, open source powers their operations, and the same is true of governments and educational institutions. Whether an application is commercial, custom-developed under contract, cloud-based, or open source, some part of it will be built on open source technologies.
President Biden's Executive Order 14028 of May 2021 brought an increased focus on software supply chains, and those supply chains are largely open source. Properly managing software supply chain risk starts with a complete inventory of all software in use; from there, a patch management strategy can be developed that covers not only the business applications themselves but also the layers of dependencies beneath them.
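As a concrete illustration of the inventory-then-patch approach described here, and of the visibility problem raised under the patch question above (you cannot patch what you do not know you are using), the following is an added example and not the author's or Synopsys' code. It walks a constructed, lockfile-style dependency tree for a hypothetical application, produces a flat inventory of every direct and transitive component, and matches each component against a constructed advisory table. The package names, the advisory identifier EXAMPLE-2021-0001, and the version range are illustrative assumptions; in practice the advisory data would come from a feed such as OSV or the NVD, and the tree from a real lockfile or build tool.

```python
"""Inventory transitive dependencies and flag known-vulnerable versions.

Added example (not from the original article). The dependency tree and the
advisory table below are constructed for illustration only.
"""
from dataclasses import dataclass

# Constructed dependency tree in the shape of a lockfile: each node lists the
# components it pulls in directly. Names and versions are hypothetical.
LOCKFILE = {
    "name": "billing-service",
    "version": "3.2.0",
    "dependencies": {
        "web-framework": {
            "version": "4.1.0",
            "dependencies": {
                "log-handler": {"version": "2.14.1", "dependencies": {}},
            },
        },
        "http-client": {
            "version": "1.9.3",
            "dependencies": {
                "log-handler": {"version": "2.17.1", "dependencies": {}},
            },
        },
    },
}

# Constructed advisory data in the style of an OSV/NVD feed entry.
# "log-handler" and the advisory id are hypothetical; the range is an assumption.
ADVISORIES = [
    {"id": "EXAMPLE-2021-0001", "package": "log-handler",
     "introduced": "2.0.0", "fixed": "2.15.0"},
]


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    path: tuple  # chain of parents from the root application down to this one


@dataclass(frozen=True)
class Finding:
    component: Component
    advisory_id: str
    fixed_in: str


def parse_version(text):
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple of ints.
    Pre-release and build suffixes are dropped; sufficient for this example."""
    core = text.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) for part in core.split("."))


def version_lt(a, b):
    """True when version a sorts strictly before version b."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return pa < pb


def flatten(tree, path=None):
    """Walk the tree and return every component, direct or transitive,
    together with the chain of parents that pulled it in."""
    path = (tree["name"],) if path is None else path
    found = []
    for name, node in tree.get("dependencies", {}).items():
        found.append(Component(name, node["version"], path))
        found.extend(flatten({"name": name, **node}, path + (name,)))
    return found


def find_vulnerable(components, advisories):
    """Match each inventoried component against the advisory ranges."""
    findings = []
    for comp in components:
        for adv in advisories:
            if comp.name != adv["package"]:
                continue
            in_range = (not version_lt(comp.version, adv["introduced"])
                        and version_lt(comp.version, adv["fixed"]))
            if in_range:
                findings.append(Finding(comp, adv["id"], adv["fixed"]))
    return findings


def report(tree, advisories):
    """Return human-readable lines: inventory size plus one line per finding."""
    comps = flatten(tree)
    lines = [f"inventory: {len(comps)} components (including transitive)"]
    for f in find_vulnerable(comps, advisories):
        chain = " -> ".join(f.component.path + (f.component.name,))
        lines.append(f"{f.advisory_id}: {f.component.name} {f.component.version} "
                     f"via {chain}; upgrade to >= {f.fixed_in}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(LOCKFILE, ADVISORIES)))
```

Running the script flags only the nested copy of log-handler 2.14.1 pulled in by web-framework; the 2.17.1 copy under http-client is clean. That is the point of looking at the dependency layers rather than the application alone: billing-service never declared log-handler itself, and a fixed copy in one branch does nothing for the vulnerable copy in another.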
The author is Tim Mackey, Senior Security Strategist, Synopsys Cybersecurity Research Center.