Has the Altruism Model of Open Source Security Peaked?

With an executive order, the Biden administration attempted to address concerns around open source software’s security. In Section 4 of Executive Order 14028, Improving the Nation’s Cybersecurity, open source and the software supply chain was specifically mentioned, with a requirement for “ensuring and attesting, to the extent practicable, to the integrity and provenance of open source software used within any portion of a product.”

The federal government recognizes the need for better security across the OSS supply chain. Open source security was also a very hot topic at RSAC2023. But has open source in security hit its peak, and if so, what does that mean for security?

This question was posed a few years ago in an academic study, and one of the concerns was not so much that we’d use open source software less but that the philanthropy and altruism that fueled the OSS movement and drove the creation of code has dissipated.

“The researchers found that most open source projects are inactive and that most inactive projects never receive a contribution again,” TechDirt reported on the study. “The . . . research might be an indication that the open source community, which has selflessly given so much for decades, is showing signs of altruism fatigue.”

This decreasing interest in working with open source code is going to change how organizations use it, and it could end up opening even more security holes.

Closing the Holes in Open Source

“It’s a moment of change,” said John Bambenek, principal threat hunter at Netenrich. “Time will tell whether it continues or not.”

Of course, the alternative to depending on OSS is to write all code from scratch, and few organizations have the resources to do that. So, for now, it seems, we’ll continue along a familiar path.

“Code will either be used from open source repositories where there is hope to secure it and manage it,” said Bambenek, “or it will come from copy-pasting from Stack Overflow where there are no tools to manage it.”

Rather than shying away from the open source community and the risks of vulnerabilities found in the code, commercial and government organizations are finding ways to address those problems. Some commercial organizations pay folks internally to contribute to outside projects, for example, and some corporations have initiated their own OSS projects to share with the community.

“It’s cheaper to pay someone to enhance a wheel than it is to re-invent it from scratch,” said Ingrid Olson, principal, application security at Coalfire.

Weighing the Pros and Cons

There are a lot of advantages to using open source: Accelerating technology development and, in many cases, improving software quality due to the community involvement in code review and the flexibility it offers developers, said John Anthony Smith, CEO at Conversant Group.

But security remains the wild card, and what can be a point in favor of open source is also a strike against it.

“The code is equally visible to both the good guys (security researchers) and the bad guys (the attackers), so vulnerabilities can be found by either,” said Smith. “Security researchers are incentivized to report these through the proper channels to have them patched; threat actors, of course, have the opposite incentive.”

Open source code with vulnerabilities can be—and too often is—widely adopted, especially by small development teams with unsophisticated threat identification and remediation processes. Because many of these smaller companies are part of the supply chain for larger corporations, the exploitable flaw makes its way through global channels.

“However, we can build an argument that the onus is always on developers to understand the threat landscape and patch; proprietary software is not necessarily more secure than open source, so having an established process is essential,” said Smith. “Generally, closed source code is safer based on the fact that the vulnerabilities often take more effort to discover.”

OSS projects will always have a place in software. They are a great learning environment for those just entering their coding careers and for those who want to brush up on their skills or gain experience. But as awareness of open source’s weaknesses broadens, will contributors shy away from trying to fix vulnerable or malicious code? It’s a question without a solid answer now, but it is likely that we have hit the peak of what the open source community was and are now shifting into a new era.

Sue Poremba

Sue Poremba is freelance writer based in central Pennsylvania. She's been writing about cybersecurity and technology trends since 2008.
