Demo
Learn how Cobalt’s Pentest as a Service (PtaaS) model makes you faster, better, and more efficient.
Demo
Learn how Cobalt’s Pentest as a Service (PtaaS) model makes you faster, better, and more efficient.

Risks of Open-Source Software

This article provides an overview of what open-source software is and its history. Core Pentester Ninad Mathpati explains that open-source software is any program whose source code is made available for use or modification and is developed as a public, open collaboration.

What is Open-Source Software?

Open-source refers to any program whose source code is made available for use or modification as users or other developers see fit. Unlike proprietary software, open-source software is computer software developed as a public, open collaboration and made freely available to everyone.

The source code for open-source software is made available under a license that allows users to modify and distribute the software freely.

Open-source software is typically developed by a community of volunteers who work together to improve and enhance the software. This collaborative approach allows for rapid development, innovation, and transparency that is not present in proprietary software.

examples-of-open-sourced-software

There are many benefits to using open-source software. It is typically free to use and distribute. This can save organizations money on software licenses and maintenance fees. Additionally, open-source software often has a large and active community of users and developers, which can provide a wealth of resources and support. 

It is used in various industries, including education, government, healthcare, and finance. Some examples of popular open-source software include the Linux operating system, the Apache web server, and the MySQL database management system.

History of Open-Source Software

Programmers and developers shared software in the 1950s and 1960s to learn from each other and evolve the field of computing. Unix, for example, provides users with access to the operating system source code. During the 1970s and 1980s, the open-source notion was pushed aside by the commercialization of software.

Despite this, academics often collaborated on software development. Among the early examples are Donald Knuth in 1979 with the TeX typesetting system and Richard Stallman in 1983 with the GNU operating system.

examples-of-open-sourced-software

As a result, they coined the term "open source," which was quickly adopted by Bruce Perens, Tim O'Reilly, Linus Torvalds, and others. To promote open-source principles and encourage the use of the new term, the Open Source Initiative was founded in February 1998.

Despite the Open-Source Initiative's best efforts to spread the word and evangelize its principles, commercial software vendors were increasingly threatened by the concept of freely distributed software and universal access to source code.

Advantages of Open-Source Software

There are many advantages to using open-source software. Some of the main benefits include:

Cost: It is typically free to use, modify, and distribute. This can lead to significant cost savings compared to proprietary software, which often requires the purchase of a license.

Flexibility: Open-source software can often be customized and modified to meet a user's or organization's specific needs. This flexibility can be especially useful for organizations that must tailor the software to their specific workflow or requirements.

Collaboration: Open-source software is developed through a collaborative process, which can result in a more robust and high-quality product. This collaboration can also make getting help with problems or issues easier, as a large community of users and developers can often provide support.

Security: Because the source code for open-source software is available for anyone to review, it can be easier to identify and fix security vulnerabilities. This can make open-source software more secure than proprietary software, which may have vulnerabilities that are not visible to the general public.

Innovation: Open-source software can foster innovation by allowing developers to build on and improve existing software rather than starting from scratch. This can lead to developing new and improved software products that benefit many users.

Disadvantages of Open-Source Software

Overall, open-source software can offer many benefits, including cost savings, flexibility, collaboration, security, and innovation, but there are a few potential disadvantages:

Limited support: While a large community of volunteers may be willing to help troubleshoot problems, open-source software may have a different level of support than proprietary software.

Lack of a single point of contact: With proprietary software, users typically have a single vendor or provider to contact for support and assistance. With open-source software, it can be more challenging to identify the appropriate point of contact for support.

Compatibility issues: While open-source software is often designed to be compatible with many systems, there may be compatibility issues with specific hardware or software.

Limited functionality: Some open-source software may not have the same level of functionality as proprietary software, especially in a niche or specialized areas.

Lack of professional development: While a large community of volunteers may contribute to open-source projects, fewer professional developers may work on the software, which can impact its development and maintenance.

Potential legal issues: It is important for users of open-source software to be familiar with the specific license terms associated with the software and to ensure that they comply with those terms. Please do so to avoid legal issues.

Risks Associated with Open-Source Software

Open-source software can present some security risks if not used and maintained correctly. Some potential risks include:

Vulnerabilities: Like any software, open-source software can contain vulnerabilities that attackers can exploit. It's essential to keep open-source software up to date with the latest security patches and to follow best practices for secure configuration and use.

Example 1: Heartbleed Vulnerability

One example of a significant open-source software vulnerability is the Heartbleed bug, which affected OpenSSL open-source encryption software. The Heartbleed bug was a security vulnerability in the OpenSSL software that allowed attackers to access sensitive information, such as passwords and private keys, from the memory of systems using the affected version of OpenSSL.

security-vulnerability-OpenSSL-software-example

This code needed to properly check the length of the data being read from the BIO (a type of input/output buffer) before copying it into the ssl_pw_buf buffer. As a result, an attacker could send a large amount of data to the server, causing the server to return sensitive information stored in memory, such as passwords and keys.

The vulnerability was quickly patched only after it had been exploited on several systems. It's essential to review regularly and test code for vulnerabilities like this to ensure the security and integrity of open-source software.

Example 2: GHOST Vulnerability

GHOST affected the GNU C Library (glibc) in 2015 and the Drupalgeddon2 vulnerability, which affected the Drupal content management system in 2018. Both of these vulnerabilities allowed attackers to execute arbitrary code on affected systems, potentially giving them access to sensitive information and the ability to take control of the system.

open-source-software-vulnerability-example

This code needed to properly check the return value of the __readv function, which reads data from a file descriptor into a buffer. As a result, an attacker could send a maliciously crafted request to the server, causing the server to return sensitive information stored in memory or execute arbitrary code.

Lack of support: Some open-source software may have a different level of support than proprietary software, making it more challenging to get help with security issues or other problems.

Lack of visibility: The source code is not publicly available with proprietary software, so no one outside the company can review it for security issues. With open-source software, the source code is available for anyone to review, which can be beneficial from a security perspective. Still, it can also make it easier for attackers to find and exploit vulnerabilities.

Dependencies: Open-source software often relies on other open-source libraries and components, which can introduce additional security risks if those dependencies have vulnerabilities. It's important to carefully manage dependencies and keep them up to date to reduce the risk of vulnerabilities.

Exploits are publicized: Since OSS code is freely available, its issues are also visible to the public. Whenever component vulnerabilities are discovered and shared, they could be exploited against other projects using the same components.  As a result, bad actors can quickly discover vulnerabilities and execute targeted attacks. It can be used against enterprises if their code isn't well maintained.

License Management: Although OSS code is free to use, there are specific licensing terms to follow. The violation of OSS licensing terms may result in legal action and the loss of exclusive intellectual property rights.

It's too common for companies to develop digital services without knowing which OSS licenses they use; companies must follow license terms to avoid legal pitfalls.

Complications of Acquisition

OSS vulnerabilities will appear sooner or later; that's how they are. The lack of awareness of vulnerable components can complicate mergers and acquisitions. 

A quality source code is important to investors and acquisition companies when they request a review of your underlying code for legal compliance, security, and performance.

The inability of companies to provide documentation or demonstrate they use reliable code can lead to delays or disruptions in potential business deals.

It can have severe consequences for developers, technology leaders, and companies. It is especially problematic for fully digital companies that rely entirely on applications and services connected to the internet.

Code Management: In many cases, developers select OSS libraries without considering their track record, health, or viability.  

This benefit is that it saves a lot of time and effort. However, developers often need to check security and licensing requirements, which can lead to serious problems. Furthermore, they don't consider the transitive dependencies that come with these libraries, which might pose security risks.

Overall, open-source software can be a valuable tool, but it's important to understand and manage the potential security risks associated with its use. As your software becomes more complex, monitoring its security and stability can become increasingly difficult as these components grow.

Best Practices to Prevent Risks in Open-Source Software

Organizations can follow several best practices to avoid risk when using open-source software.

Use reputable sources: It's important to use reputable sources when downloading and using open-source software. This can help to ensure that the software is of high quality and has been properly reviewed and tested.

Keep track of licenses: It's important to keep track of the licenses associated with the open-source software you use. This will help you ensure that you comply with the terms of the license and avoid any potential legal issues.

Use an open-source policy: Having a clear open-source policy in place can help ensure that your organization uses open-source software responsibly and sustainably.

Conduct due diligence: Before using any open-source software, it's important to conduct due diligence to ensure that it meets your organization's needs and is appropriate for your use case. This may involve reviewing the source code, software testing, and any relevant documentation.

Consider using a tool for managing open-source licenses: There are tools available that can help to automate the process of tracking and managing open-source licenses. Using such a tool can help to reduce the risk of using open-source software.

Stay up to date: It's important to stay up to date with the latest developments in the open-source software world. This may involve subscribing to relevant newsletters, following relevant blogs and social media accounts, and attending industry events.

Adopt DevSecOps and shift left: Software testing is typically performed at the end of a software development process. The smartest teams are rethinking this approach, and many are integrating security with DevOps.

It is commonly referred to as "shifting left," as you catch security vulnerabilities earlier in the process, thus saving time and money. Your security team can also benefit from improved collaboration as a result.

devsecops-image

It is also important to incorporate evaluation steps for project quality and safe open-source licenses early in the process to avoid legal risks and rework.  

The shift to the left is also an excellent way to ease developers into a security mindset and empower them to take more responsibility for vetting software and proactively closing gaps.

Environment Monitoring: There is no such thing as set and forget when it comes to OSS code. In addition, the OSS code must be constantly monitored, and security patches must be applied as soon as possible. This way, you can identify small problems before they become major ones.

Conclusion

Despite these benefits, it is important to carefully evaluate the security of any open-source software before using it, as it may not receive the same level of security testing and review as proprietary software. In addition, it is important to keep open-source software up-to-date and to follow best practices for securing systems that use open-source software.

In conclusion, while there are risks associated with using open-source software, these risks can often be mitigated through careful planning and management. By understanding the risks and taking appropriate precautions, organizations and individuals can successfully incorporate open-source software into their systems and processes while maintaining strong security.

References

https://www.veracode.com/security/dangers-open-source-risk 

https://www.resourcespace.com/knowledge-base/open-source 

https://blog.sonatype.com/5-key-open-source-security-risks-and-how-to-prevent-them 

https://securityboat.in/open-source-security/

New call-to-action

Back to Blog
About Ninad Mathpati
Ninad Mathpati is a Cybersecurity Enthusiast and Hacker with an ethical mindset. He has been working as an Application Security Engineer for 4+ years with core interest in Web, Mobile Application Security, Network Security, API Security, Source Code Analysis, and Thick Client Pentesting. More By Ninad Mathpati
How a SaaS Startup Scaled Growth with PtaaS & SOC 2 Compliance Automation
How Neural Payments uses pentesting and SOC 2 compliance automation to set themselves up for security posture success.
Blog
Apr 13, 2022