Last month security firm CrowdStrike published the kind of blog post that no IT security manager wants to read.
It found a critical virtual machine escape vulnerability that the company named VENOM, which affected a number of open-source hypervisors, such as QEMU, Xen, KVM, VirtualBox and many derivatives of these products.
CrowdStrike worked with the major infrastructure providers for weeks before revealing its find and the situation appeared to have been quickly contained.
In the post, Dmitri Alperovitch, co-founder and CTO of CrowdStrike, wrote:
"I'm very pleased to see how the community came together in a collaborative and effective way to rapidly create and deploy patches before this vulnerability could be exploited in the wild ... There were numerous dependencies between vendors and patches that had to be worked out and coordinated. This experience highlights the continuing need for a better and more clearly defined process for identifying dependencies and coordinating vulnerability disclosure between open-source projects and vendors that integrate that technology."
Open source software (OSS) has its fans — and rightly so. Some of them though, unfortunately, tend to view security through a rather narrow prism. They assume it is safer than conventional software because it is peer reviewed and because, for many of these developers, these projects are a labor of love.
To be sure, there is validity to that argument.
It hasn't prevented errors before, though, as the VENOM example and other incidents illustrate.
We've Seen This Before
There was last year's Heartbleed bug, possibly open source's lowest moment. A single exploitable error in the OpenSSL cryptography library affected hundreds of millions of websites.
Security breaches have reached a critical and hugely expensive mass — over the past year the cost of data breaches due to malicious or criminal attacks has increased from an average of $159 to $174 per record, according to the newly released Ponemon Institute's 2015 Cost of Data Breach Study: Global Analysis.
For that and other reasons, it is worth revisiting open source software security.
Issues Worth Considering
1. Engineers are human
Balázs Scheidler, CTO of BalaBit, views open source software as a labor of love and thinks the peer-review process is as close to perfect as any process can be. Still, he told CMSWire, these engineers are human, too. And they can lose inspiration and motivation.
All security issues begin with an engineer missing a detail, or some aspect of the system that affects the code he is writing in unexpected ways. "If the team loses interest though and engineering loses the artistic motive, it can easily become a 9 to 5 job, deteriorating quality."
2. There is no "bad" person to blame
For clients or users of a product, there is something psychologically satisfying about being able to identify a "bad" person who caused a breach. In a peer review process, by contrast, there is a feeling of safety: if a mistake slips by one person, it won't slip by the next.
'Somebody besides me has checked this' is the pervasive operational position of most companies, Philip Lieberman, CEO of Lieberman Software, told CMSWire.
With commercial software packages, there is a clear 'throat to choke', somebody to blame if you will, when a security flaw is found. That can be a great motivator, he added.
3. No one is safe — no one
A lot of companies fall back on magical thinking anyway when it comes to security, says Brad Taylor, CEO of Proficio.
"The threat landscape has changed, but many companies have not changed their approach to security," he told CMSWire. "Some organizations falsely assume they are not on the radar of hackers and they do not need to protect their data." Security must be a 24x7 operation, he said.
4. Beware of outside factors
By now, security is hardly a new subject that needs to be introduced to IT. IT departments are well aware of the risks and vulnerabilities. Unfortunately, IT doesn't always have full control over the company's tech environment.
They often need the input, or at least the attention, of legal and corporate management to create policies. Often they don't get it, Bill Weinberg, senior director at Black Duck Software, told CMSWire.
"Software is too often considered an 'engineering-only' concern," he said.
Also, organizations tend to vastly underestimate their real level of OSS consumption and deployment, especially if there has been a recent merger or acquisition at the firm. "In these situations we often find there is a big gap between the perceived and actual use of OSS."
5. OSS can be as safe as anything else on the market
"It's well documented that Linux publications can be downloaded with vulnerabilities already built in by hackers," Richard Blech, CEO of Secure Channels, told CMSWire.
So is OSS safe, you ask? Maybe, as long as the right precautions are taken to safeguard against pre- and post-deployment compromises.
These include, Blech said, leveraging "trusted" systems to acquire the operating system, reviewing the checksum information for validity, ongoing administrative upkeep, locking down the system to serve its specific purpose and, most importantly, protecting the data at its core with deep encryption throughout the systems.
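The checksum review Blech mentions is the one step on that list that is purely mechanical, so here is what it looks like in practice. This is an added example, not code from the article or from any of the vendors quoted in it: a POSIX shell function that takes a downloaded image and a published SHA256SUMS-style file, looks up the entry for that file, recomputes the hash with coreutils' sha256sum and refuses the image unless the two match. The file names are hypothetical and the "image" the demo builds is a constructed sample, not a real distribution download.

```shell
#!/bin/sh
# Added example (not from the article). Verify a downloaded image against a
# published SHA-256 checksum list before installing it.
# Requires only sha256sum and awk from a standard Linux userland.

# verify_image <image-file> <checksum-file>
#   0 -> hash listed for this file name and it matches
#   1 -> listed hash does not match (corrupted or tampered download)
#   2 -> checksum file has no entry for this file name
verify_image() {
    image="$1"
    sums="$2"
    name=$(basename "$image")
    # Checksum lists use "HASH  name" (text) or "HASH *name" (binary mode);
    # take the first entry whose file name field is exactly this image.
    expected=$(awk -v f="$name" '$2 == f || $2 == "*" f { print $1; exit }' "$sums")
    if [ -z "$expected" ]; then
        echo "no checksum listed for $name in $sums" >&2
        return 2
    fi
    actual=$(sha256sum "$image" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $name matches published SHA-256"
        return 0
    fi
    echo "MISMATCH: $name" >&2
    echo "  expected $expected" >&2
    echo "  got      $actual" >&2
    return 1
}

# Demo on constructed data (hypothetical file names): build a fake image,
# publish its hash, verify it, then tamper with it and verify again.
demo_dir=$(mktemp -d)
printf 'constructed sample image, not a real OS download\n' > "$demo_dir/distro.iso"
( cd "$demo_dir" && sha256sum distro.iso > SHA256SUMS )
verify_image "$demo_dir/distro.iso" "$demo_dir/SHA256SUMS" || true      # prints OK
printf 'one extra byte\n' >> "$demo_dir/distro.iso"
verify_image "$demo_dir/distro.iso" "$demo_dir/SHA256SUMS" || true      # prints MISMATCH
rm -rf "$demo_dir"
```

A matching checksum only proves the file is the one whose hash was published; if the SHA256SUMS file was fetched from the same mirror as the image, an attacker who replaced one could replace both. That is why the "trusted systems" point on Blech's list matters: obtain the checksum list (or its detached signature, checked with `gpg --verify` against a key obtained through a separate channel) from the project's own site rather than the download mirror.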
Simpler Media Group, 2015