Open Source Code: Minimize the Risk, Enjoy the Benefits
In July 2011, users of osCommerce got an unwelcome reminder of the need to keep open source software up to date. The Willysy malware, which targeted a weakness that the e-commerce system's developers had patched the year before, spread to over 6 million websites in just a few weeks. A simple software upgrade could have protected all of them from attack.
As the Willysy incident shows, open source software code can harbor critical vulnerabilities. Yet that is no reason to forgo the speed, cost effectiveness and flexibility that open source technology can bring to the right project. With proper attention to precautions such as updates, open source can even be more secure than closed source options.
Open Source Vulnerabilities—Should You Be Concerned?
Hackers and malware can afflict virtually any kind of software, and open source code is no exception. A recent study conducted by Aspect Security found that more than a third of the software in 31 popular open source code libraries contained known vulnerabilities.
This doesn’t mean closed source is necessarily safer than open source code. While closed source code is hidden from attackers, this “security through obscurity” offers only the illusion of security, as cybercriminals can use automated and manual methods to find many weak points even when the code is unavailable.
In addition, many more programmers examine popular open source code, so vulnerabilities can be discovered, publicized and fixed far more promptly. Open source developers also tend to respond faster to threats. For instance, when the Apache Killer attack tool began shutting down servers in August 2011, Apache administrators quickly alerted users, issued workarounds and had a fix ready a week later.
Even so, any piece of code—whether open or closed source—can contain weaknesses. Even if a large number of programmers work on it, only a minority may be focused on rooting out security flaws. And as with all software code, even as old vulnerabilities are discovered and patched, additions and alterations to the code can allow others to creep in.
The Importance of Updates
Simply by updating in a timely manner, you can head off a surprising number of threats. The right tooling can aid in this effort. Almost all Linux distributions, such as Red Hat and Debian, can detect, download and verify updates; you can configure them to apply updates automatically or to notify administrators to do so. In addition, the Maven build tool makes it easy to pull in updated library versions once they are available.
The best solution for updates is to implement a thoughtful, cohesive updating process, possibly with the help of an outside firm. Some small patches may only require brief testing before they are incorporated and deployed—but for more significant updates, you may need to make changes to your application code and conduct more extensive testing.
That said, you don’t need to apply every update that comes along. Your application may not be vulnerable to the particular issues that are being patched, and other mitigation strategies may be easier.
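The first step of the updating process described above is knowing which of your pinned libraries actually fall inside a published advisory's affected range. The following is an added example, not code from the article: it matches a constructed dependency manifest against constructed advisories (all artifact names, versions and notes are made-up samples) and shows why version numbers must be compared numerically, not as strings.

```python
"""Added example (not from the article): flag pinned dependencies whose
version lies inside a known-vulnerable range.  The manifest and the
advisory list below are constructed samples, not real artifacts."""
import re
from typing import List, Tuple

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.10.2' into (1, 10, 2) so that 1.10 sorts after 1.9.
    Lexical comparison of version strings would rank '1.10' below '1.9',
    a classic bug that silently hides affected dependencies."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)          # keep leading digits only
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)

def affected(version: str, first_affected: str, first_fixed: str) -> bool:
    """True when first_affected <= version < first_fixed (numerically)."""
    v = parse_version(version)
    return parse_version(first_affected) <= v < parse_version(first_fixed)

# Constructed manifest: (artifact, pinned version)
MANIFEST = [
    ("example-webkit", "1.10.2"),
    ("example-json", "2.4.0"),
    ("example-crypto", "0.9.8"),
]

# Constructed advisories: (artifact, first affected, first fixed, note)
ADVISORIES = [
    ("example-webkit", "1.9.0", "1.11.0", "session fixation"),
    ("example-json", "2.5.0", "2.5.3", "parser denial of service"),
    ("example-crypto", "0.9.0", "1.0.0", "weak default cipher"),
]

def audit(manifest, advisories) -> List[Tuple[str, str, str, str]]:
    """Return (artifact, pinned, fixed_in, note) for every dependency whose
    pinned version falls inside an advisory's affected range."""
    findings = []
    for name, pinned in manifest:
        for adv_name, lo, fixed, note in advisories:
            if adv_name == name and affected(pinned, lo, fixed):
                findings.append((name, pinned, fixed, note))
    return findings

if __name__ == "__main__":
    for name, pinned, fixed, note in audit(MANIFEST, ADVISORIES):
        print(f"{name} {pinned}: {note}; upgrade to >= {fixed}")
```

A dependency that is outside every affected range (example-json here) is exactly the case where the article notes an update need not be applied immediately.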
With Third Party Libraries, Put Safety First
Third party code libraries can hold unexpected traps for the unwary. For example, the open source Google Web Toolkit (GWT) allows compilation of Java code into JavaScript, and JavaScript enables programmers to make some exceptionally risky coding decisions if they aren’t careful. The answer to this problem is not to avoid GWT or JavaScript, but to understand how to use them safely.
In applications that combine open source libraries with closed source code, the latter is often the single biggest source of exposure. Unfortunately, many programmers are not aware of best practices for reviewing code and spotting vulnerabilities. If an application is especially crucial for your business, it may be a good idea to have outside experts conduct a code audit.
Taking Charge of Your Security
Security concerns, in themselves, should not dissuade businesses from taking full advantage of open source technology. Closed source code may be ideal for certain projects and businesses, but open source will work perfectly for others. Indeed, the use of open source code can cut costs, speed up development and allow approaches that might not be possible with closed source software.
No matter what type of solution you choose, your business will avert many risks by taking a proactive approach to detecting and fixing vulnerabilities. Even basic precautions can go a long way to defending your systems from malicious activity in cyberspace—and enabling you to make the most of the options at your disposal.