Over the past few years, we have increasingly heard the term “open source software.” It has become the cornerstone of technology we use today, making up 98% of all codebases according to the 2021 Open Source Security and Risk Analysis (OSSRA) report, says Tim Mackey, principal security strategist, Synopsys Cybersecurity Research Centre.
More recently though, it has picked up some negative headlines. Indeed, the Log4Shell vulnerability detected in the widely used open source logging tool, log4j , towards the end of 2021, sent organisations into a frenzy and continues to create a headache for many. Security teams worldwide have been under a time crunch to patch their systems to prevent malicious actors from leveraging this flaw to breach systems, steal credentials and further infect networks with malicious software.
In another case, the developer of two extensively used NodeJS open source libraries, deliberately sabotaged his code in retaliation against large corporations who take advantage of open source licensing terms without providing the developer a revenue stream. Yet, in spite of all this talk surrounding the term “open source,” most do not seem to even understand what it is; and it is this lack of understanding that might be creating some of the process issues we are seeing today.
With that said, this article seeks to provide a grounding in what it is, how it works, and why it is incredibly common to see open source software powering everything from mobile apps to servers, and the software powering intelligent devices.
What is open source software?
Open source software is simply software whose source code is freely available for anyone to view and modify. As with any software, it has a software license governing how it can be used, but that license also conveys rights and obligations around access to and modification of the source code. Put another way, open source licenses allow users of the software to freely modify and offer variations of that software provided they adhere to the obligations in the open source license.
While often thought of as being free from monetary charge, there is nothing that prevents anyone from charging a fee for open source software. The most common fee structures for open source software include; when a business charges a fee to provide technical support for specific open source projects, when the business adds value to an open source solution through additional testing or certification efforts, or when the business offers a hosted version of the software running as a service.
How does open source differ from commercial software?
Most people are familiar with commercial or vendor supported software. Such software is created by a single entity which often charges money to use the software. With commercial software, the vendor is responsible for software development, testing, and issuance of security updates both from a software quality and security perspective. They make their software available under a commercial software license and when they decide to stop supporting the software no new feature development happens.
In contrast, open source software is frequently developed by an independent team of developers who are often geographically distributed. This is often referred to as an open source community and is the heart of how open source development has grown. Unlike a vendor who needs to recruit and hire expertise, open source communities are dynamic and can tap into expertise that might be hard to find in a specific geography or that might be incredibly specialised (e.g., encryption expertise).
In addition to developers, open source communities include users of the component and it is the community that defines how the software evolves and what features are important to it. In effect, the “software roadmap” that product managers for commercial vendors maintain is maintained and managed by the open source community.
How prevalent is open source software?
Open source software usage has grown dramatically in recent years, in part as the community development model allows ideas to be explored in a distributed manner. This has allowed for key enabling technologies like Kubernetes to evolve into major platforms while concurrently tackling major problems like secure networking, performance management, and secure deployments at scale any one of which would normally be the province of a single vendor under a commercial model.
While many people think of open source in terms of installable software, there are far more foundational building blocks in open source software than marquee applications. Those foundational elements include mundane things like programming languages, application log managers, network stacks, and UI frameworks. Given the value of these building blocks, most commercial software includes some quantity of open source components. The net result being that its rare to find any software that is purely commercial.
What happens when a security patch is issued for open source software?
When a commercial software vendor needs to issue a patch or update to its software, it knows who its customers are and can proactively push a notification to them. Since open source software is freely downloadable, the community creating the software rarely knows everyone who is using it. This places the responsibility for patch management on the shoulders of the users who downloaded the software.
If those users do not have a process to monitor for new patches, it becomes easy for the software to become out of date which then increases the risk of a software supply chain attack. From an open source governance perspective, the lack of an update process is the largest risk element impacting users followed closely by a lack of visibility into where open source usage exists. After all, it is difficult to patch something you do not know you are running.
Will open source be everywhere?
Absolutely! While most businesses will not openly admit it, open source powers their operations and this dynamic is also true for governments and educational institutions. Whether an application is commercial, contracted, cloud-based, or open source, a portion of it will be based on open source technologies.
We have seen with president Biden’s Executive Order 14028 an increased focus on software supply chains, and those supply chains are largely open source. Properly managing the risk from a software supply chain starts with a comprehensive inventory of all software and from there a patch management strategy can be developed that not only looks at commercial applications but also at the layers of dependencies enabling the application.
The author is Tim Mackey, principal security strategist, Synopsys Cybersecurity Research Centre.
Comment on this article below or via Twitter: @VanillaPlus OR @jcvplus
