If the Heartbleed vulnerability in OpenSSL shook users of open source software, then confidence in its use needed to be regained.
Another recent OpenSSL vulnerability is DROWN, which allowed an attacker to break the encryption of TLS connections to servers that still supported SSLv2 and read or steal sensitive communications, and may have impacted up to 22% of servers. Mike Pittenger, VP of product strategy at Black Duck, a company that helps organizations manage and secure their open source software, called DROWN a “serious vulnerability” but said that it represents a wider problem in open source. “The fact that a bug has been disclosed doesn’t mean it gets fixed immediately, as systems get fixed years later,” he said.
Pittenger explained that discussions of how secure open source is in comparison with commercial software are often “a religious battle”, and that, regardless of how many eyes are on the code, the bugs are taken care of long before they are in the wild.
“Some characteristics of open source bugs present a target-rich environment: attackers have access to the source code, and it may be trivial to test code across systems,” he said. “The biggest thing is that the support model for open source is the opposite of what we are used to. If you build an application and use a commercial or open source component, and you have a service level agreement with a commercial company, when a bug is discovered they push a patch to us; with open source it is the opposite, as it is up to us to do all the support.”
Pittenger said that with open source it is difficult to keep track of what you use, and that over 2014 and 2015 some 6,000 bugs were reported in the National Vulnerability Database. Since Heartbleed, he said, there were a lot of people “running around with their hair on fire trying to figure out if they use it”, while there have been 60 further vulnerabilities in OpenSSL since then.
Open source has been given the thumbs up by the US government, and with more and more open source projects available, Black Duck has tracked over 1.5 million of them in its 13 years of business.
The company provides software that integrates into the build process, scans customer software for open source components, and delivers an inventory of the open source software in use.
“If you think about 6,000 vulnerabilities reported, what you believe is secure today may not be tomorrow,” he said. “Once a vulnerability is disclosed, a user gets an alert if they are vulnerable. The standard practice for Heartbleed was to take Nessus and run it on your network; our users went into the Black Duck Console and typed in ‘OpenSSL’ to see what was using it, and determine the exploitability.
“Everybody wants to use open source as there is a lower development cost, and you need to know what you are using and need to have awareness of what is vulnerable in order to address it.”
Pittenger, a co-founder of Veracode, said that Black Duck focuses on what the security testing tools miss: if 50% of your code base is open source, and those tools are poorly suited to identifying known vulnerabilities in it, then you need to know what open source software you are using and check it against the vulnerability database to complete the security picture.
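The check Pittenger describes, an inventory of open source components cross-referenced against a vulnerability database, reduces to matching each component's version against the affected version ranges in each advisory. The script below is an added example, not Black Duck's product code or code from the article: it parses OpenSSL-style versions (where a trailing letter is a patch level), checks a constructed inventory against constructed advisory records, and returns the affected components. The CVE identifiers are the real ones for Heartbleed and DROWN, but the ranges are deliberately simplified, and the inventory entries and their comments are assumptions made up for the example.

```python
"""Minimal software-composition check: inventory vs. advisory version ranges.

Added illustration, not Black Duck's product or code from the article.
Inventory and advisory records below are constructed sample data.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Advisory:
    component: str
    cve: str
    # (introduced, fixed) pairs: a version v is affected if introduced <= v < fixed.
    ranges: Tuple[Tuple[str, str], ...]


@dataclass(frozen=True)
class Finding:
    component: str
    version: str
    cve: str


def version_key(version: str) -> Tuple[int, ...]:
    """Sortable key for OpenSSL-style versions: 1.0.1f < 1.0.1g < 1.0.2 < 3.0.2.

    Numeric parts are padded to four fields; a trailing patch letter becomes
    a fifth field (a=1 ... z=26, none=0), so 1.0.1 sorts before 1.0.1a.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]?)", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    nums = [int(part) for part in m.group(1).split(".")]
    nums += [0] * (4 - len(nums))
    letter = m.group(2)
    patch_letter = ord(letter) - ord("a") + 1 if letter else 0
    return tuple(nums) + (patch_letter,)


def is_affected(version: str, advisory: Advisory) -> bool:
    """True if `version` falls inside any of the advisory's affected ranges."""
    v = version_key(version)
    return any(version_key(lo) <= v < version_key(hi) for lo, hi in advisory.ranges)


def find_vulnerable(inventory, advisories) -> List[Finding]:
    """Cross-reference a (component, version) inventory against advisories."""
    findings = []
    for component, version in inventory:
        for adv in advisories:
            if adv.component == component.lower() and is_affected(version, adv):
                findings.append(Finding(component, version, adv.cve))
    return findings


# Constructed advisory records. Real CVE identifiers, simplified ranges:
# Heartbleed affected 1.0.1 up to and including 1.0.1f (fixed in 1.0.1g).
# DROWN's fix releases (1.0.1s / 1.0.2g) disabled SSLv2; a server is only
# exposed to DROWN if SSLv2 is actually enabled, which a version match alone
# cannot tell you, so a finding here still needs configuration review.
ADVISORIES = [
    Advisory("openssl", "CVE-2014-0160", (("1.0.1", "1.0.1g"),)),
    Advisory("openssl", "CVE-2016-0800", (("1.0.1", "1.0.1s"), ("1.0.2", "1.0.2g"))),
]

# Constructed inventory, as a build-time scan might report it: (component, version).
INVENTORY = [
    ("OpenSSL", "1.0.1f"),   # hypothetical: statically linked into an old appliance image
    ("OpenSSL", "1.0.2g"),   # hypothetical: the main application's TLS library
    ("OpenSSL", "1.0.1u"),
    ("zlib", "1.2.8"),       # no advisory in our constructed list
]

if __name__ == "__main__":
    for f in find_vulnerable(INVENTORY, ADVISORIES):
        print(f"{f.component} {f.version}: {f.cve}")
```

Run stand-alone it reports only the 1.0.1f copy, flagged for both CVEs; the point is that the same OpenSSL name appears several times in one inventory at different versions, which is exactly the "which of our things use it" question that a network scanner such as Nessus answers only for listening services, not for libraries compiled into an application.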
I asked him whether open source is being used more by businesses than proprietary software. Pittenger said it is being embraced: he sees projects with robust communities where the positives outweigh the negatives, but no commercial vendor claims that its code is bug free, and nor do open source vendors. “The key is awareness and visibility for when something happens,” he said.
“We have not seen evidence of it being more or less secure, but the benefits that open source provides continue to drive adoption and encourage its use. It allows people to be more nimble and get applications out faster, and with continuous integration we expect it to grow in popularity and use.”
I spoke with Al Nugent, CISO of Acquia, which operates in the Drupal CMS space and has a million active members. Nugent told me he is biased, as he has been supporting and using open source since the mid-1980s, and that, as with any software development methodology, you have to be vigilant about performance and scalability.
“Like other organizations who mix and match technology, we are concerned about the whole thing, and we use other open source in our environment and run on Linux,” he said. “We also build our own technology and, like the old adage of building security in rather than adding it later on, we really look to the community who think about it at the design phase and think about making it secure.”
Nugent said his catchphrase is “security first”, as he sees users who are interested in security but not for its own sake; it takes a lot of risk out of the sphere of the user and manages it on behalf of the customer.
I asked Nugent about the US government’s support for open source, which he called an important and serious thing, and then what the CISO’s view of open source is. “We have over 4,000 users and several hundred are highly secure, and all everyone wanted to talk about was open source, and some of the new areas that are developing for the internal intranet,” he said.
“That is one instance, and there is an interest, but there is a desire to move to embrace open source. It is driven by cost, but also by a strong sense that something that is not a proprietary software product, and is driven by so many people, will help them.”
As he had been dealing with open source since the 1980s, I concluded by asking Nugent whether he felt open source had a strong future. He said yes, as he had seen it evolve, and he took pride in the growth of its security.
“It is one thing to enter a movement at the end, and another to grow it from infancy, and often it is more secure than you expect it to be, and I take pride in that,” he said. “The spirit of collaboration is being transparent, and what communities are about is demonstrating proficiency and excellence, and millions of people act that way and are proud of what they have done.
“Even knowing all of that, it is still my job to make sure nothing gets in. That is my job and I do it for my company, but to quote Ronald Reagan, ‘trust but verify’, and we also verify what something is supposed to be doing all of the time.”