The U.S. House of Representatives Committee on Energy and Commerce recently released its Cybersecurity Strategy Report, in which the committee identified several key concepts and principles to address and prevent cybersecurity incidents.
“The support and stability of the open-source software (OSS) ecosystem” ranked third among the top six priorities identified by the government. Recognizing that “modern information systems and products have continued to grow in scale, sophistication, and complexity,” the committee members wrote to the executive director of the Linux Foundation, Jim Zemlin, acknowledging that OSS has become part of the nation’s “critical cyber infrastructure.”
“It is the collective responsibility—and imperative—for business, industry, academic and technology leaders to work together to ensure that OSS is written, maintained and deployed as securely as possible, and [i]t is essential that the corresponding OSS communities are supported and properly enabled to be proactive enough to manage future security challenges that will arise over time,” the letter stated.
In large part, the security issues in OSS have been overlooked by everyone, yet few would disagree that there are security challenges that must be addressed.
Jason Glassberg, managing principal at Casaba Security, is increasingly concerned about OSS-based attacks. Because the code is often not well scrutinized, he said, security risks keep growing and frequently go unnoticed.
Security Problems in Open Source Software
Whether software is proprietary or open source, there are always risks, but for a long time many people functioned under the belief that more eyes on the code inherently elevated the code’s security. Until Heartbleed.
That’s not to say that proprietary software written behind the curtain buys greater protection. It’s true that with OSS everyone has access to the code. In theory, millions of eyes are looking at it, which should make it somewhat safer.
“The problem is when it is used without rigorous controls. People risk using components they don’t understand, and when you are not controlling the end-to-end production of software, you may be introducing risks you don’t know about,” Glassberg said.
This lack of understanding is often the result of a lack of inventory, said Carlos Perez, head of threat R&D at TrustedSec. “Many people do not keep a list of the full OSS components they are using in their environments, which means they don’t know they are vulnerable even after a vulnerability has been disclosed,” he noted. That was an issue recently when an attacker obtained publishing rights to EventStream.
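Perez’s point about inventory can be made concrete: with a component list on hand, a newly disclosed advisory becomes a lookup rather than a guess. The following is an added example, not code from the article or from any project it mentions; the components, version ranges and `EXAMPLE-ADV-*` identifiers are constructed placeholders, not real packages or advisories.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Component:
    ecosystem: str   # e.g. "npm", "pypi"; the same name can exist in several ecosystems
    name: str
    version: str

@dataclass(frozen=True)
class Advisory:
    """A disclosed vulnerability, expressed as an affected version range."""
    ecosystem: str
    name: str
    introduced: str            # first affected version (inclusive)
    fixed: Optional[str]       # first fixed version (exclusive); None = no fix yet
    advisory_id: str           # placeholder identifiers below, not real advisories

def parse_version(version: str) -> Tuple[int, ...]:
    # Plain dotted numeric versions only; pre-release tags are out of scope here.
    return tuple(int(part) for part in version.split("."))

def is_affected(component: Component, advisory: Advisory) -> bool:
    """True when the inventoried component falls inside the advisory's range."""
    if (component.ecosystem, component.name) != (advisory.ecosystem, advisory.name):
        return False
    version = parse_version(component.version)
    if version < parse_version(advisory.introduced):
        return False
    return advisory.fixed is None or version < parse_version(advisory.fixed)

def find_vulnerable(inventory: List[Component], advisories: List[Advisory]) -> List[Tuple[str, str, str]]:
    """Cross the inventory with the advisory feed; return (name, version, advisory_id) hits."""
    return sorted({(c.name, c.version, a.advisory_id)
                   for c in inventory for a in advisories if is_affected(c, a)})

# Constructed sample data: a small inventory and a small advisory feed.
INVENTORY = [
    Component("npm", "example-stream", "2.4.1"),   # inside the advisory range
    Component("npm", "example-stream", "2.4.2"),   # already at the fixed version
    Component("npm", "pad-helper", "1.0.0"),       # affected by the npm advisory
    Component("pypi", "pad-helper", "1.0.0"),      # same name, other ecosystem: not affected
    Component("npm", "legacy-parser", "0.9.2"),    # advisory with no fix yet
]
ADVISORIES = [
    Advisory("npm", "example-stream", "2.4.1", "2.4.2", "EXAMPLE-ADV-0001"),
    Advisory("npm", "pad-helper", "0.1.0", "2.0.0", "EXAMPLE-ADV-0002"),
    Advisory("npm", "legacy-parser", "0.0.0", None, "EXAMPLE-ADV-0003"),
]
```

Running `find_vulnerable(INVENTORY, ADVISORIES)` flags three of the five entries; the component that is already at the fixed version and the same-named PyPI package are correctly left out.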
Old Habits, New Concerns
Because OSS is easier and faster than building code from scratch, it has become much more widely used. “We’ve seen a marked increase in the development and usage of OSS, even from major players in the software world. Microsoft is making a huge push into the OSS sphere, and it looks to be that OSS is the future of development,” Glassberg said.
Because everyone is jumping on the bandwagon without really understanding the components they’re using, the risks have increased as well. In the committee’s letter, U.S. Reps. Greg Walden (R-Ore.) and Gregg Harper (R-Miss.) wrote, “Its pervasiveness also creates widespread, distributed, and common points of potential risk across organizations when OSS vulnerabilities are found.”
The Future of Open Source Security
It’s often said that “it takes a village to raise a child,” and it will take an entire industry to make OSS as secure as possible.
“Once you realize the problem exists, you can look for ways to solve the problem,” Glassberg said. As the committee recognized, there are ongoing efforts, such as those of the Linux Foundation, to transition from the Wild West to a more structured and firmly established process for how things are updated and developed.
“As more of these efforts become mainstream, the process will be much more organized for updates and patches,” Glassberg said.
But the subject needs to be discussed more openly. The industry needs to come together, and Perez said organizations such as NIST and CERT can have great influence when it comes to creating standards for inventory and testing.
The reality is that if you have a problem, you have two choices: either hide it or release a fix for it and move on. “That’s the whole beauty of the white hat movement,” Glassberg said. “It’s always better to have bad news come from friends rather than enemies because the bad news is coming one way or the other.”
Fortunately, the future of the security industry will provide lots of opportunities to build friendly relationships with security researchers, according to a new report, “Inside the Mind of a Hacker,” from Bugcrowd.
“Cybersecurity isn’t a technology problem, it’s a people problem—and in the white hat hacker community there’s an army of allies waiting and ready to join the fight,” said Casey Ellis, founder and CTO at Bugcrowd.