When it comes to security, the general focus has always been around restricting access to prevent unauthorized intrusion into something. Whether locking a house’s physical doors or sealing an organization’s digital network, security has always focused on creating a closed environment. However, over the past few years, this closed-door approach to security has been challenged by the advent of open source software and hardware, where organizations rely on publicly available code to deploy within their networks and build applications.
The Open Source Evolution
Open source involves organizations using open and freely available code and it has become increasingly popular today, with recent data from the Synopsys Open Source Security and Risk Analysis Report revealing that 78% of code in codebases today is open source.
When thinking about the benefits of open source, not only is the code free to use, but it offers organizations more transparency because they can see the source code they are using and assess its security for themselves.
They can also see changes made to the code and collaborate with developers to improve it. Additionally, because so many organizations are using the same piece of code, bugs and weaknesses are often identified faster and the community of users will provide expert advice to remediate them. This means there are more good eyes on the code, which are all motivated by the same objective to make it as secure as possible.
One of the most prominent organizations to back open source is Tesla, with its CEO, Elon Musk, opting to open source its code back in 2018. Musk recognized that the world’s future will be heavily reliant on electric cars, but for the vehicles to succeed, people needed to be invested in their security. In response, Musk open sourced Tesla’s software, allowing others to build their cars on its foundations, feeling confident in its security.
Musk was following in the footsteps of many other organizations, including Facebook, Microsoft and Google, which had all reaped benefits through open source projects. Not only are these tech leaders opening their networks up to security researchers through bug bounties and security assessments, but they are also funding open source projects and have teams dedicated to open source initiatives.
"The Digital Security by Design (DSbD) program will radically update the foundation of the insecure digital computing infrastructure by creating a new, more secure hardware and software ecosystem"
For example, the Digital Security by Design (DSbD) program will radically update the foundation of the insecure digital computing infrastructure by creating a new, more secure hardware and software ecosystem. The DSbD program has already delivered the first hardware implementation of DSbD technology as a prototype system on chip (SoC) and development board, Morello. Developed by UK-based Arm, the Morello board is a real-world test platform for the Morello prototype architecture developed by Arm, based on the University of Cambridge Computer Lab’s CHERI protection model.
CHERI aims to provide practically deployable performance and compatibility, requiring only minimal changes to existing software and hardware: recompiling existing C/C++, with mild adaption, can protect pointers with capabilities. This combines hardware implementation, a complete software stack and adapting widely used open-source software to improve security and encourage testing.
The open-source mindset is one the aviation industry has recognized for years. When aviation incidents happen, airlines do not hide behind them; instead, the whole aviation industry works together to investigate the incident and build safer planes. This community spirit has led to air travel being the safest mode of transport today.
However, it is certainly not free from risks.
So, what are the key risks and how can these be overcome?
Open Source Risks
One of the biggest risks with open source is when it isn’t managed or updated frequently, which can put its users at risk.
While users of the Tesla open-source software can rest assured that its code will be thoroughly managed, for smaller and inexperienced developers, this isn’t always the case, especially since they are giving away something for free.
If the code isn’t updated and no one is responsible for updating it, no one can be held accountable when things go wrong. In the end, it will just end up plagued with bugs and vulnerabilities that will put its users at serious risk. In fact, the recent Synopsys OSSRA report revealed that 81% of open source code contains vulnerabilities.
As a result, when organizations evaluate open-source software and hardware, it is essential to carry out due diligence and analyze the quality of the product and get to know the people who created it before introducing it to an organization’s architecture.
Find out who is in charge of modifying and updating the code and ensure they have the resources, commitment and time to carry out essential security updates; otherwise, risks will undoubtedly unfold in the future.
This is also one of the key reasons governments worldwide are evaluating open source and considering regulating the industry. The proposed regulations would ensure open source projects have owners and that they are responsible for updates. However, this could hamper the market with fewer developers wanting to get into open source due to potential regulation breaches.
Moving Forward with Open Source
Open source offers real security benefits to organizations by pulling together expertise from different sources to develop better and more secure products. However, organizations must do research before deploying open-source code into their networks.
It is also essential for organizations to have an internal manager to ensure security is being maintained and that updates are being carried out quickly. Developers who understand open source security and how to manage open source components are the best people to manage internal open source projects.
So, is open source the greatest path to security? It all depends on the project, but it certainly offers businesses many unsurpassable security benefits when done well.