How secure is open source software? Do you use open source software or have software written for you? If so read on… UPDATED

When we undertake any cyber security survey, and we ask about software, we know the greatest amount of work we will have to do, is when the client says “we had this written for us” or we use this “open source software”. (We will not get into Android apps or WordPress plugins here!)

If it is a product like Apache OpenOffice, we will breathe a little easier as it has a big company behind it – providing some measure of security. However when we start to look further a field, to independent software writers, using a range of open-source modules in their packages, we want to see some form of cyber security management in place to keep track of issues and updates in these modules. Just look at the Log4j/Log4Shell issue – this has had, and will have an ongoing impact on cyber security with companies like VMware right in the eye of the storm.

There are two obvious issues with open source software:

A threat actor manages to embed malicious code inside fully functional software, code module, or framework – which goes undiscovered.
A vulnerability in an open source app or package goes undiscovered by the various developers who work on the project – whilst the threat actors exploit it.

I am sure there are are more.

But can we live without open source software?

This paper by Chinmayi Sharma looks at the issues, benefits and the risks associated with open source software – if you use any, or have software written for you, I suggest you read it:

Open-Source Security: How Digital Infrastructure Is Built on a House of Cards – Lawfare (lawfareblog.com)

Updated 29 July 2022

Here is how LibreOffice deals with the problem

LibreOffice is an branch of OpenOffice, it is open source and supported. Here is an article looking at security updates in the package:

LibreOffice addresses security issues with macros, passwords (bleepingcomputer.com)

Here is a real world example of the malicious abuse of open source software

The Node Package Manager (npm) is a JavaScript programming language repository and a prime target for threat actors.

Malicious npm packages steal Discord users’ payment card info (bleepingcomputer.com)

Clive Catton MSc (Cyber Security) – by-line and other articles

Do you want to know more?

References

Sharma, C. (2022). Open-Source Security: How Digital Infrastructure Is Built on a House. Lawfare. Retrieved July 28, 2022, from https://www.lawfareblog.com/open-source-security-how-digital-infrastructure-built-house-cards

Chinmayi Sharma is a Scholar in Residence at the Robert Strauss Centre for International Security and Law and a Lecturer at the University of Texas at Austin School of Law.

Cookie	Duration	Description
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.

Updated 29 July 2022

Here is how LibreOffice deals with the problem

Here is a real world example of the malicious abuse of open source software

References

Further Reading