In recent years, the adoption of open-source solutions has grown tremendously. It has several advantages: in many cases low or no licensing cost, and the possibility of contributing improvements or customizing the software to suit your needs. However, it is wise not to neglect the risks that come with adopting it. Below we describe the main problems and what can be done to mitigate them.
What exactly does open source mean? It means that the source code of any program presented as open source is made public, so that anyone can inspect it, contribute modifications and redistribute it under the terms of its license.

The right to distribute and redistribute these programs is a great advantage, especially for users, who have more and more options to choose from. Millions of people around the world have voluntarily built large communities that keep these programs up to date and working for their users.
There are many lists of open-source programs for every purpose, including computer security. Although in many cases these tools are as useful and functional as traditional commercial solutions, or more so, we must consider a series of risks. We should never rule out the possibility that a security tool itself becomes the weak point that compromises our network infrastructure.
Exploits available to all audiences
Open-source programs, whether or not they are security-related, have channels for receiving reports about vulnerabilities that are discovered. The person or group responsible for the project receives the report, analyzes it and then makes the confirmed vulnerability known to the community.
In addition, the cause of the vulnerability and how it can be exploited are usually published. In many cases this information is released together with an update that patches the flaw. Of course, there is no guarantee that everyone who has installed the program will update it immediately.
A cybercriminal can take advantage of this gap, since the disclosure gives them full context on the program's weaknesses. They can find out which versions are affected, look for a way to identify deployments still running a vulnerable version, and then exploit the flaw to carry out all kinds of attacks.
To minimize this risk, keep up with the news from the community of every open-source program you adopt. It is extremely important to know which updates exist and what they fix. It never hurts to remember that outdated software carries a high risk of being attacked, all the more so when the details of the vulnerability and the affected versions are public.

Operational risks
Adopting an open-source program does not end with its installation and rollout. According to the Kali Linux Tutorials portal, the risk of opting for this kind of software lies in how, when and which components are going to be used, the latter assuming it is a solution with multiple components or modules. Those responsible for IT and/or computer security must ensure that the programs are deployed uniformly and kept on the latest version or, where that is not possible, that the latest security patches are applied.
It may also be the case that you manage a more complex infrastructure and have to run different versions of a single program. This makes it harder to verify whether a fix or improvement is required, and on which systems.
On the other hand, if there are developers who build on open-source programs, it is important that they are aware of the security risks that this entails and follow good practices when working with this type of software. If developers ignore these aspects, compatibility and usability problems are only the beginning.
The worst case is that, as a consequence of bad practices or of disregarding the security risks, they themselves end up putting the company's infrastructure at risk. As mentioned above, anyone who handles an open-source program beyond the level of an end user must understand the risks, so that everyone operates under the same security standard.
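The two risks described above (the disclosure section's warning that attackers look for deployments still running an affected version, and the operational section's warning about running several versions of one program across a fleet) come down to the same check: knowing which installed versions fall inside an advisory's affected range, and where the same component is deployed in different versions. The following is an added example, not code from the original article or from any project it mentions. The host names, component names, version numbers and advisories are all constructed for illustration and do not refer to real software or real vulnerabilities; it also assumes purely numeric dotted version strings, which is an assumption, since many projects use other schemes.

```python
"""
Added example: flag hosts running a component version inside an advisory's
affected range, and flag version drift across hosts.

All hosts, components, versions and advisories below are CONSTRUCTED for
illustration; they do not describe real software or real vulnerabilities.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.4.10' into (2, 4, 10) so versions compare numerically.

    Comparing the raw strings would rank '2.4.10' below '2.4.9'.
    Assumption: versions are purely numeric and dot-separated; projects
    with suffixes like '-rc1' need their own comparison rules.
    """
    return tuple(int(part) for part in v.split("."))


@dataclass(frozen=True)
class Advisory:
    component: str
    affected_from: str  # first affected version (inclusive)
    fixed_in: str       # first version carrying the patch (exclusive upper bound)


def is_affected(version: str, adv: Advisory) -> bool:
    """True if version lies in [affected_from, fixed_in)."""
    v = parse_version(version)
    return parse_version(adv.affected_from) <= v < parse_version(adv.fixed_in)


# Constructed inventory: (hostname, component, installed version)
INVENTORY = [
    ("web-01", "examplehttpd", "2.4.10"),
    ("web-02", "examplehttpd", "2.4.10"),
    ("web-03", "examplehttpd", "2.4.12"),
    ("db-01", "exampledb", "5.1.0"),
    ("db-02", "exampledb", "5.0.7"),
]

# Constructed advisories, modelled on the disclose-with-patch pattern the
# article describes: each names the affected range and the fixed version.
ADVISORIES = [
    Advisory("examplehttpd", "2.4.0", "2.4.12"),
    Advisory("exampledb", "5.0.0", "5.1.0"),
]


def vulnerable_hosts(inventory, advisories) -> List[Tuple[str, str, str, str]]:
    """Return (host, component, version, fixed_in) for every match."""
    hits = []
    for host, comp, ver in inventory:
        for adv in advisories:
            if adv.component == comp and is_affected(ver, adv):
                hits.append((host, comp, ver, adv.fixed_in))
    return hits


def version_drift(inventory) -> Dict[str, Dict[str, List[str]]]:
    """Map component -> {version: [hosts]} for components deployed in
    more than one version, i.e. where rollout is not homogeneous."""
    by_comp: Dict[str, Dict[str, List[str]]] = {}
    for host, comp, ver in inventory:
        by_comp.setdefault(comp, {}).setdefault(ver, []).append(host)
    return {c: vs for c, vs in by_comp.items() if len(vs) > 1}


if __name__ == "__main__":
    for host, comp, ver, fix in vulnerable_hosts(INVENTORY, ADVISORIES):
        print(f"{host}: {comp} {ver} is affected; upgrade to {fix} or later")
    for comp, versions in version_drift(INVENTORY).items():
        print(f"{comp} is deployed in {len(versions)} versions: {versions}")
```

In practice the inventory would come from a package manager, a configuration-management database or an SBOM, and the advisories from the project's own announcements, which is exactly the news feed the article recommends following. The drift report is the operational check: two web hosts on an older release than the third is the kind of inconsistency that makes it hard to say whether a patch has been applied everywhere.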
Lack of standards for its use
It can be said with confidence that this is the most important risk. Anyone who has dealt with one or more open-source projects will have noticed that there is no single standard. Each project and its maintainers build their own, according to the goals of that project. Likewise, the community around each project is responsible for ensuring that the good practices of its own standard are followed and that misuse is avoided.
A further difficulty is that the developers responsible for a project have different working styles. Programming is one of the most personal activities in the technology field: how code is documented, which editors are used and what kind of comments are left in the code vary from one person to the next. This can make it much harder to identify bugs and fix them.
The main recommendation when choosing open-source programs is to make sure the supporting documentation is of high quality. It should cover the most important aspects, from the moment the program is first installed through to support for frequent problems and errors. Another point to consider is the activity of the community around the project. What does this mean? Whether the program's forums are active, measured by the threads created and the number of replies they receive. If the program has a repository on GitHub, check whether there are regular commits, issues and discussions about the source code and updates.
On the other hand, if your company has standards that govern the adoption of open-source programs, this becomes even easier, because those standards come with documentation and processes that make it simpler to review everything that should be considered before putting a given program into service.

Do programs that are not open source present all of these security risks? In some cases, yes. Should we use programs that are not open source? Yes, just as we use "traditional" closed-source solutions. There are solutions for every need, and it is important to understand that a program is not automatically better, or free of risk, simply because it is open source.
And you, which do you think is more suitable: open-source or traditional programs? What other security risks have you encountered when implementing open-source solutions?