How secure is open source software? Do you use open source software or have software written for you? If so, read on… UPDATED

When we undertake any cyber security survey and ask about software, we know the greatest amount of work we will have to do is when the client says “we had this written for us” or “we use this open source software”. (We will not get into Android apps or WordPress plugins here!)

If it is a product like Apache OpenOffice, we will breathe a little easier as it has a big company behind it – providing some measure of security. However, when we start to look further afield, to independent software writers using a range of open source modules in their packages, we want to see some form of cyber security management in place to keep track of issues and updates in these modules. Just look at the Log4j/Log4Shell issue – this has had, and will have, an ongoing impact on cyber security, with companies like VMware right in the eye of the storm.

There are two obvious issues with open source software:

  • A threat actor manages to embed malicious code inside fully functional software, code module, or framework – which goes undiscovered.
  • A vulnerability in an open source app or package goes undiscovered by the various developers who work on the project – whilst the threat actors exploit it.
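Keeping track of which open source modules a package contains, and which of them have a published issue, is the management the survey looks for. The script below is an added example, not code from the original post or from any project it mentions: it reads a pinned dependency inventory, compares each version against a list of advisories with an affected range, and reports matches. All package names, versions and advisory identifiers in it are constructed placeholders, and the `name==version` inventory format is assumed for illustration. Unpinned entries are reported separately, because a module whose exact version is unknown cannot be checked at all.

```python
"""Added example: audit a pinned dependency inventory against an advisory list.

Constructed data only: the package names, versions and advisory identifiers
below are invented placeholders, not real packages or real vulnerability IDs.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # placeholder identifier, not a real CVE
    package: str
    introduced: str    # first affected version (inclusive)
    fixed: str         # first fixed version (exclusive)


def parse_version(v: str) -> tuple:
    """Turn '2.14.1' or '3.0.0-beta2' into a comparable tuple.

    Numeric parts compare numerically (so 2.14.1 > 2.9.0), missing parts
    count as zero (2.14 == 2.14.0), and a pre-release suffix sorts before
    the corresponding release (3.0.0-beta2 < 3.0.0).
    """
    m = re.match(r'^(\d+(?:\.\d+)*)(?:-([0-9A-Za-z.]+))?$', v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    nums = tuple(int(p) for p in m.group(1).split('.'))
    nums = nums + (0,) * max(0, 3 - len(nums))
    pre = m.group(2)
    # A release gets flag 1, a pre-release flag 0, so pre-release < release.
    return (nums, 1, '') if pre is None else (nums, 0, pre)


def is_affected(version: str, adv: Advisory) -> bool:
    """True when introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)


def parse_manifest(text: str):
    """Parse an inventory of 'name==version' lines (assumed pip-style format).

    Returns (pinned, unpinned): pinned maps name -> exact version; unpinned
    lists names given with a range such as 'tool>=4.0', which cannot be audited.
    """
    pinned, unpinned = {}, []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = re.match(r'^([A-Za-z0-9_.\-]+)==(\S+)$', line)
        if m:
            pinned[m.group(1)] = m.group(2)
        else:
            unpinned.append(re.split(r'[<>=~!]', line, 1)[0].strip())
    return pinned, unpinned


def audit(pinned: dict, advisories: list) -> list:
    """Return sorted (package, version, advisory_id) tuples for every match."""
    findings = []
    for adv in advisories:
        ver = pinned.get(adv.package)
        if ver is not None and is_affected(ver, adv):
            findings.append((adv.package, ver, adv.advisory_id))
    return sorted(findings)


# Constructed sample inventory (placeholder names and versions).
MANIFEST = """
# constructed inventory for the example
logging-lib==2.14.1
http-client==1.2.0
template-engine==3.0.0-beta2
tool-x>=4.0
"""

# Constructed advisories with placeholder identifiers.
ADVISORIES = [
    Advisory("ADV-EXAMPLE-001", "logging-lib", "2.0.0", "2.15.0"),
    Advisory("ADV-EXAMPLE-002", "http-client", "1.3.0", "1.3.5"),
    Advisory("ADV-EXAMPLE-003", "template-engine", "3.0.0", "3.0.1"),
]


if __name__ == "__main__":
    pinned, unpinned = parse_manifest(MANIFEST)
    for pkg, ver, adv_id in audit(pinned, ADVISORIES):
        print(f"AFFECTED  {pkg}=={ver}  ({adv_id})")
    for pkg in unpinned:
        print(f"UNPINNED  {pkg}  (cannot be checked; pin an exact version)")
```

Run as-is, it reports `logging-lib` as affected by the placeholder advisory and `tool-x` as unpinned; `template-engine` is not reported because its beta build precedes the first affected release. In practice the inventory would come from the project's lock file and the advisory list from a vulnerability feed, but the comparison logic is the same.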

I am sure there are more.

But can we live without open source software?

This paper by Chinmayi Sharma looks at the issues, benefits and the risks associated with open source software – if you use any, or have software written for you, I suggest you read it:

Open-Source Security: How Digital Infrastructure Is Built on a House of Cards – Lawfare (lawfareblog.com)

Updated 29 July 2022

Here is how LibreOffice deals with the problem

LibreOffice is a branch of OpenOffice; it is open source and supported. Here is an article looking at security updates in the package:

LibreOffice addresses security issues with macros, passwords (bleepingcomputer.com)

Here is a real world example of the malicious abuse of open source software

The Node Package Manager (npm) is a JavaScript programming language repository and a prime target for threat actors.

Malicious npm packages steal Discord users’ payment card info (bleepingcomputer.com)

Clive Catton MSc (Cyber Security) – by-line and other articles

References

Sharma, C. (2022). Open-Source Security: How Digital Infrastructure Is Built on a House of Cards. Lawfare. Retrieved July 28, 2022, from https://www.lawfareblog.com/open-source-security-how-digital-infrastructure-built-house-cards

Chinmayi Sharma is a Scholar in Residence at the Robert Strauss Centre for International Security and Law and a Lecturer at the University of Texas at Austin School of Law. 

Further Reading

Log4Shell – Wikipedia

Open source software – Smart Thinking Solutions
