Open-source software is the building block of modern applications. From web frameworks to encryption tools, these readily available components offer developers a wealth of functionality and accelerate development cycles. However, this convenience comes at a hidden cost: potential security vulnerabilities. Let's delve into the security considerations surrounding open-source libraries, comparing the controls organisations have over code written in-house with the often murky security practices of open-source projects.

We’ve previously covered how you’re using more open-source than you realise and why your applications need a software bill of materials. If you haven’t read them yet, they are available at https://edwinkwan.com/2024/07/02/youre-using-more-open-source-than-you-realise/.

Application Security Controls

Most organisations invest heavily in securing the code that their developers write. This includes a multi-layered approach with controls implemented at various stages.

First, there is security of the systems the developers use, such as endpoint protection, two-factor authentication and restricted administrative privileges, to prevent malware infections and unauthorised code modification. Training is also provided in secure coding practices, such as the OWASP Top 10, so developers have a base level of secure coding competency. The code and the application are tested regularly using approaches such as unit, integration and regression testing, and practices such as Test-Driven Development (TDD). Lastly, change control is in place, such as code reviews and mandatory pull requests for code changes, which promotes collaboration and catches security flaws before code is released to production.

These controls create a secure development environment, but does open-source software benefit from the same level of scrutiny?

The Open-Source Enigma: A Question of Control

The open-source community thrives on collaboration and transparency. However, this very nature presents security challenges. First, security practices vary widely, as open-source projects often lack the resources to implement the rigorous practices found in commercial environments. Second, there is a heavy dependence on volunteers: security expertise within open-source projects can be scarce, and finding and patching vulnerabilities relies on the community. The activities required to create secure projects, such as careful testing, code reviews and issue triage, might not be fun, interesting or motivating for those volunteers. All these factors make it difficult to guarantee a consistent level of security in open-source software.

According to the State of the Software Supply Chain report, 19% of open-source projects perform code reviews, and 18.6% of open-source projects were abandoned last year!

Procurement vs. Open Source: Due Diligence Disparity

Organisations meticulously assess security risks during the procurement of commercial software. Security questionnaires, penetration testing, scrutinising vendor security practices and contract reviews are standard procedures. However, when it comes to open-source software, the approach is often far less stringent.

Due diligence is limited: many organisations simply download open-source software without thoroughly investigating its security posture, relying on the software's popularity as a proxy for security. There are also version control challenges, as keeping track of the latest secure versions of open-source software can be a complex task, with the result that outdated and vulnerable versions often linger in projects.

This disparity in due diligence exposes organisations to significant security risks when using open-source software.
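One form the missing due diligence could take is a routine check of the pinned dependency inventory against published advisories. The script below is an added example, not code from the original post; every package name, version and advisory in it is a constructed placeholder, and it assumes plain numeric version strings with no pre-release tags.

```python
# Added example, not code from the original post: a small due-diligence check that
# compares a pinned dependency inventory against advisory version ranges. All
# package names, versions and advisories below are constructed placeholders.
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Advisory:
    package: str
    introduced: str  # first affected version, inclusive
    fixed: str       # first fixed version, exclusive
    note: str

def parse_version(v: str) -> tuple:
    """'1.10.2' -> (1, 10, 2); numeric components only (assumes no pre-release tags)."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def is_affected(version: str, adv: Advisory) -> bool:
    """introduced <= version < fixed, compared numerically so that 1.9 < 1.10 holds."""
    return parse_version(adv.introduced) <= parse_version(version) < parse_version(adv.fixed)

def parse_inventory(text: str) -> dict:
    """Parse requirements.txt-style 'name==version' lines; unpinned entries map to None."""
    deps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            name, pinned, ver = line.partition("==")
            deps[name.strip().lower()] = ver.strip() if pinned else None
    return deps

def audit(inventory: dict, advisories: list) -> list:
    """Return (package, version, reason) for every entry needing attention, sorted by name."""
    findings = []
    for name, ver in inventory.items():
        if ver is None:  # an unpinned dependency cannot be assessed at all
            findings.append((name, None, "unpinned: version cannot be assessed"))
            continue
        for adv in advisories:
            if adv.package == name and is_affected(ver, adv):
                findings.append((name, ver, f"{adv.note}; upgrade to >= {adv.fixed}"))
    return sorted(findings, key=lambda f: f[0])

# Constructed sample data: an inventory nobody has revisited, and two advisories.
SAMPLE_INVENTORY = """\
example-web-framework==4.1.7   # pinned years ago
example-crypto-lib==1.9.8
example-json-parser==0.9.0
example-logging-lib            # no pin at all
"""
SAMPLE_ADVISORIES = [
    Advisory("example-web-framework", "4.0.0", "4.1.8", "placeholder RCE advisory"),
    Advisory("example-crypto-lib", "1.0.0", "1.10.0", "placeholder padding-oracle advisory"),
]
```

Running `audit(parse_inventory(SAMPLE_INVENTORY), SAMPLE_ADVISORIES)` flags the two affected pins and the unpinned entry, while the numeric comparison avoids the classic mistake of treating "1.10.0" as older than "1.9.8".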

The Cost of Insecure Open Source: A Walk Down Memory Lane

History is littered with examples of major security breaches caused by vulnerabilities in open-source libraries. Some notable ones include the Equifax breach in 2017, where a critical vulnerability in the Apache Struts framework used by Equifax remained unpatched, allowing attackers to steal the personal information of over 143 million people. There's the SolarWinds supply chain attack in 2020, where attackers compromised a popular open-source network monitoring library, SolarWinds Orion, injecting malicious code that infiltrated numerous government agencies and private companies. And there's the more recent Spring4Shell vulnerability in 2022, a critical vulnerability in the widely used Spring Core Java framework that exposed applications to remote code execution attacks.

These breaches highlight the potentially devastating consequences of using insecure open-source libraries.

So how secure is open-source software? Open-source doesn't have to be a security gamble. With the right strategies and a proactive approach, it can be a powerful tool for building secure and innovative software.