Time to Accept the Risk of Open Source?

John P. Gormally, SR
3 min read · Oct 20, 2022

Where is the real risk?

Accepting Open Source Risk

Accepting cybersecurity risk has become the norm for organizations. Even with extensive firewalls, IDS, email security, zero-trust, ransomware, identity threat, and business email compromise protection, attacks still have a substantial financial impact on organizations. Artificial intelligence, machine learning, blockchain, and quantum computing reduce risk. How many people worldwide are qualified in AI/ML for blockchain with a quantum background?

What is the True Risk of Open-source Libraries?

A critical risk element (the actual elephant in the room) is the continuous risk carried by open-source software, proprietary code, and the legal exposure that comes with both. Do organizations need open-source software products to meet their business transformation requirements and time-to-market, or is commercial software enough? Most organizations will say yes to needing open-source projects and OSS components. That decision exposes the organization to malicious code, to the impact of destructive elements, and to corruption of the source code itself. Is open source a more considerable risk to the organization, or is failing to transform the business to be competitive in new markets a more significant financial risk?

CEOs and COOs weigh this answer each day.

The cost of ownership for proprietary software licenses and the risk of using closed-source software also become a risk for the organization. Permissive license models also become a challenge for organizations to understand. A permissive license is considered to be public domain.

What is the obligation if the organization develops solutions based on an open-source library and alters the code to fit its business needs? The MIT license, as an example, allows the consumer of the open source to develop with the code as needed.

Securing Open Source — Who is the Responsible Party?

Is open source secure today? Are the source communities? That depends on the source components, exposure to code injections from malicious actors, and other cyber risks from hackers. As an example, Open Source Software (OSS) is not obfuscated. Therefore, it is easy to adapt the code base to suit your requirements. Also, anyone can identify errors and suggest improvements. Thus, OSS is more robust and secure than closed-source alternatives.

The type of source licenses also affects who secures open source. Ultimately, if the organization incorporates open source, they are the responsible party if a security breach occurs.

OpenSSF Consortium

Many open-source software vendors within the global development community are leveraging new frameworks, including the Open Source Security Foundation (OpenSSF). Many organizations, including GitHub, Google, IBM, JPMorgan Chase, Microsoft, NCC Group, OWASP Foundation, and Red Hat, have incorporated this framework and served as founding members. These consortiums help in driving awareness, standards, and best practices.

Keeper of the Truth

Organizations must be “keepers of the truth” regarding open source, including third-party components within their DevOps application strategies. Developing a secure software development life cycle (SSDLC) and aligning with NIST SP 800-218 for software development are critical frameworks that will help reduce the risk of open-source coding.

Reducing the Open Source Risk

Hackers, opportunists, and inexperienced developers will continue to place vulnerable and exploited code libraries inside GitHub and other open-source repositories. Many hackers see the ease of code manipulation attacks within these repositories. GitHub and others have done an excellent job creating security awareness tools within repositories to notify developers and users of the potential risk and possible code compromise.

Organizations adopting the NIST SP 800-218 framework and a manageable and repeatable SSDLC process can reduce open source risk within their environment. Enabling application security during the development cycle, together with frequent pen testing and vulnerability scanning, also minimizes security risks.
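One concrete form of the vulnerability scanning mentioned above is checking pinned third-party dependencies against a known-vulnerability feed before a build is accepted. The following is an added example, not code from the original post or from any tool it names: it parses a constructed requirements.txt-style lock file, compares each exact pin against a constructed in-memory advisory list (the package names, versions and EXAMPLE-ADV identifiers are all made up for illustration), and reports every pin that falls inside an advisory's affected range. A real SSDLC pipeline would pull the advisory data from a maintained database instead of the inline list.

```python
"""Minimal offline dependency-vulnerability check.

Added example, not from the original post. Every package name, version
and advisory identifier below is constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Advisory:
    """One constructed advisory: the first affected version (inclusive),
    the first fixed version (exclusive) and a placeholder identifier."""
    package: str
    introduced: str
    fixed: str
    advisory_id: str


# Constructed advisory feed standing in for a real vulnerability database.
ADVISORIES: List[Advisory] = [
    Advisory("examplelib", "1.0.0", "1.4.2", "EXAMPLE-ADV-0001"),
    Advisory("netparse", "0.0.0", "2.0.0", "EXAMPLE-ADV-0002"),
    Advisory("netparse", "2.3.0", "2.3.5", "EXAMPLE-ADV-0003"),
]

# Constructed pinned requirements in requirements.txt style.
REQUIREMENTS_TXT = """\
# constructed sample lock file
examplelib==1.3.0
netparse==2.3.1
safepkg==0.9.0   # trailing comment after the pin
"""


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version into a comparable tuple: "1.4.2" -> (1, 4, 2)."""
    return tuple(int(part) for part in v.strip().split("."))


def parse_requirements(text: str) -> Dict[str, str]:
    """Map package name -> pinned version for every exact (==) pin.

    Comments and blank lines are skipped; unpinned or range specifiers are
    ignored here because a lock file is expected to pin exactly.
    """
    pins: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop inline and full-line comments
        if not line or "==" not in line:
            continue
        name, version = line.split("==", 1)
        pins[name.strip().lower()] = version.strip()
    return pins


def is_affected(version: str, adv: Advisory) -> bool:
    """True when introduced <= version < fixed (the usual half-open range)."""
    v = parse_version(version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)


def find_vulnerable(pins: Dict[str, str],
                    advisories: List[Advisory]) -> List[Tuple[str, str, str]]:
    """Return (package, pinned_version, advisory_id) for each matching advisory."""
    hits: List[Tuple[str, str, str]] = []
    for adv in advisories:
        pinned = pins.get(adv.package.lower())
        if pinned is not None and is_affected(pinned, adv):
            hits.append((adv.package, pinned, adv.advisory_id))
    return hits


def scan(requirements_text: str = REQUIREMENTS_TXT) -> List[Tuple[str, str, str]]:
    """Parse the lock file text and check it against the advisory feed."""
    return find_vulnerable(parse_requirements(requirements_text), ADVISORIES)


if __name__ == "__main__":
    for pkg, ver, adv_id in scan():
        print(f"{pkg}=={ver} is affected by {adv_id}")
```

On the constructed input this flags examplelib 1.3.0 (inside the 1.0.0 to 1.4.2 range) and netparse 2.3.1 (inside the 2.3.0 to 2.3.5 range) while leaving safepkg alone; a pipeline step that fails the build when `scan()` returns anything is the simplest way to enforce the check.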

Open source is a valuable, continuing capability that organizations, industries, and consortiums need to keep developing and securing. Low-code platforms, open source, and cloud orchestration are critical to upcoming Web 3.0, blockchain, and greater accessibility to cloud-based AI and ML analytics. Developing a security culture around open source is essential to maintaining the integrity of future development and digital transformation strategies.

John P. Gormally is a fictional and non-fictional cybersecurity blogger and writer based in Lake Forest California.