September 30, 2020

Debunking Open Source Software Security Myths

Open Source

There are many long-held, critical opinions regarding open source software security. But do these opinions reflect the modern reality of open source software? Or are they reflective of a past that no longer exists?

In this blog, we look at the current state of open source software security and debunk some commonly held myths about open source risks, including concerns around longevity, testing, validation, and enterprise viability.

Is Open Source Secure?

First, creating a 100% secure software system is virtually impossible. Computers are incredibly complex machines, and not even the best minds in IT can fully understand every consequence of the programs written to run on them.

Also, we must realize that there are thousands of unique OSS projects available for download, and not all of them are created equal. They range from a project written by a high school student in their basement to one developed by a consortium of some of the largest companies in the world, so it is no surprise that both the quality of OSS and its security vary widely.

A Better Question

With that in mind, a more realistic question for IT managers, developers and system administrators to ask is: "Does the OSS project that I'm considering deploying into my organization's infrastructure meet or exceed the minimum security requirements or policies that exist for all software used in production?"

That question needs to be asked for every OSS project under consideration. For this reason, organizations should institute OSS governance and management policies and practices to help mitigate their exposure to security vulnerabilities in OSS.

The OpenLogic Approach

Here at OpenLogic, before we decide to provide support for a particular OSS project, we employ a 42-point certification process that examines a wide range of aspects of the project in question (number of developers, releases per year, quality of documentation, number of reported vulnerabilities, size of the user base, and so on). OpenLogic also provides a bi-weekly periodical called OpenUpdate to our customers, which contains valuable information on the latest security vulnerabilities found in the projects that we support.
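The governance point above, that every deployed OSS component should be checked against current vulnerability reports, is easy to mechanize once you have an inventory of what is running. The following is an added example (it is not OpenLogic's tooling and does not represent the OpenUpdate format): it matches a deployment inventory against a list of advisories that each carry an introduced version and a fixed version, and reports which deployed versions fall inside an affected range. The component names, version numbers and advisory identifiers are constructed placeholders, not real projects or real vulnerabilities.

```python
"""Match deployed open source components against security advisories.

Added illustration, not OpenLogic's tooling. The advisory list and the
inventory below are constructed placeholders: the component names,
versions and advisory IDs do not refer to real projects or real CVEs.
"""
from dataclasses import dataclass
from typing import List, Sequence, Tuple


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # placeholder identifier, not a real CVE number
    component: str     # name as it appears in the deployment inventory
    introduced: str    # first affected version (inclusive)
    fixed: str         # first fixed version (exclusive); "" means no fix yet


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.4.41' into (2, 4, 41) so versions compare numerically.

    Assumption: dotted numeric versions. A pre-release suffix such as
    '-rc1' is dropped, and a non-numeric part counts as 0.
    """
    core = version.split("-", 1)[0]
    parts = []
    for piece in core.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(version: str, adv: Advisory) -> bool:
    """True when version lies in [introduced, fixed), or at/above
    introduced when no fixed version has been published yet."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    if adv.fixed and v >= parse_version(adv.fixed):
        return False
    return True


def find_exposed(inventory: Sequence[Tuple[str, str]],
                 advisories: Sequence[Advisory]) -> List[Tuple[str, str, str]]:
    """Return (component, version, advisory_id) for every exposed entry."""
    hits = []
    for name, version in inventory:
        for adv in advisories:
            if adv.component == name and is_affected(version, adv):
                hits.append((name, version, adv.advisory_id))
    return sorted(hits)


# Constructed advisory feed (placeholders, not real advisories).
ADVISORIES = [
    Advisory("EXAMPLE-2020-0001", "widget-server", "2.4.0", "2.4.41"),
    Advisory("EXAMPLE-2020-0002", "acme-cache", "9.0", ""),  # no fix yet
    Advisory("EXAMPLE-2020-0003", "widget-server", "2.2.0", "2.2.35"),
]

# Constructed production inventory: (component, deployed version).
INVENTORY = [
    ("widget-server", "2.4.38"),  # inside the 0001 range: exposed
    ("widget-server", "2.4.41"),  # at the fixed version: clean
    ("acme-cache", "9.0.27"),     # affected and unfixed: exposed
    ("acme-cache", "8.5.50"),     # below the introduced version: clean
    ("gadget-db", "1.2.3"),       # no advisory at all
]

if __name__ == "__main__":
    for component, version, adv_id in find_exposed(INVENTORY, ADVISORIES):
        print(f"{component} {version}: exposed to {adv_id}")
```

A real feed (a vendor bulletin, or CVE/OSV records) would replace the constructed list; the part worth keeping is the range comparison, which is what turns "a vulnerability was reported in project X" into "this particular deployment is or is not exposed". Note the two edge cases the sample inventory exercises: a version exactly at the fixed release is clean, and an advisory with no fixed version yet marks every version from the introduced one onward.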

When it comes to open source software security, a multi-faceted approach is always required to reduce an organization’s exposure to security incidents, so it is also important that companies follow security best practices and guidelines for all software used in production, commercial or OSS.  

Remember, the vast majority of security incidents are related to the misconfiguration of software, not the software itself, so reviewing and hardening configuration deserves as much attention as keeping up with vulnerability reports. To that end, OpenLogic provides advisory support to our customers on configuration best practices for their OSS to mitigate security risks.
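Since misconfiguration is the exposure singled out above, here is an added example, not taken from the original post or from OpenLogic's advisory material, of a check a team might run over an Apache HTTP Server configuration before it reaches production. It flags four settings that are commonly left at insecure values (ServerTokens, ServerSignature, TraceEnable, and directory listings enabled through Options), and it accounts for the fact that an absent directive falls back to httpd's own default (ServerTokens Full and TraceEnable On, which are the insecure side). The weak and hardened configuration snippets are constructed for the example, and the checker is a simplification that ignores which section a directive appears in.

```python
"""Flag insecure settings in an Apache HTTP Server configuration.

Added illustration, not OpenLogic's advisory material. The two configs
below are constructed for the example. Simplification: directives are
read without regard to the <Directory>/<VirtualHost> section they sit in.
"""
from typing import Dict, List


def collect_directives(text: str) -> Dict[str, List[List[str]]]:
    """Map lower-cased directive name -> list of argument lists, in file
    order. Comments and section tags such as <Directory> are skipped."""
    found: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        name, *args = line.split()
        found.setdefault(name.lower(), []).append(args)
    return found


def check_httpd_config(text: str) -> List[str]:
    """Return one finding per insecure setting (an empty list means clean).

    When a directive is absent, httpd's own default is assumed:
    ServerTokens Full, ServerSignature Off, TraceEnable On.
    The last occurrence of a directive wins, as in httpd itself.
    """
    d = collect_directives(text)
    findings: List[str] = []

    tokens = d.get("servertokens", [["Full"]])[-1]
    if not tokens or tokens[0].lower() != "prod":
        findings.append("ServerTokens %s: Server header reveals version and "
                        "module details; set ServerTokens Prod"
                        % (tokens[0] if tokens else "(default Full)"))

    signature = d.get("serversignature", [["Off"]])[-1]
    if signature and signature[0].lower() == "on":
        findings.append("ServerSignature On: version footer on error pages; "
                        "set ServerSignature Off")

    trace = d.get("traceenable", [["On"]])[-1]
    if not trace or trace[0].lower() != "off":
        findings.append("TraceEnable On (or default): HTTP TRACE is answered; "
                        "set TraceEnable Off")

    # 'Indexes' or 'All' (which includes Indexes) enables directory listings
    # for paths without an index file; a leading '-' explicitly disables it.
    for args in d.get("options", []):
        for opt in args:
            bare = opt.lstrip("+").lower()
            if not opt.startswith("-") and bare in ("indexes", "all"):
                findings.append("Options %s: directory listings enabled; "
                                "use Options -Indexes" % opt)
                break
    return findings


# Constructed example of a weak configuration.
WEAK_CONFIG = """
ServerTokens Full
ServerSignature On
TraceEnable On
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
"""

# The same configuration with the four settings corrected.
HARDENED_CONFIG = """
ServerTokens Prod
ServerSignature Off
TraceEnable Off
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {len(check_httpd_config(cfg))} finding(s)")
        for finding in check_httpd_config(cfg):
            print("  -", finding)
```

Running the check over an empty configuration still produces two findings, which is the point of modelling the defaults: a configuration that says nothing about ServerTokens or TraceEnable is not neutral, it is running with the more permissive value.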

My final point is to say that, in my opinion, OSS is no less secure than commercial or proprietary software.

Common Open Source Software Security Myths

Within the general concerns regarding open source software security, we typically see complaints centered around a perceived lack of testing and validation. 

In truth, mature open source software is rigorously tested and validated — often undergoing third-party evaluation and certification.

Let's unpack these two main complaints.

Myth #1: Open Source Software Isn’t Tested

Mature OSS projects adhere to rigorous testing processes before they release. Projects hosted by a foundation such as the Apache Software Foundation, the Linux Foundation, or the Cloud Native Computing Foundation (CNCF) follow that foundation's release processes and policies, which exist to ensure the quality of what ships. For example, the Apache Test project maintains the test tools and test suite for the Apache HTTP Server.

However, the ultimate test for software comes when it is deployed in production environments to handle a wide variety of use cases. Considering that a great number of OSS projects have been used in many production environments for decades in thousands of organizations around the world, I would say that OSS projects are generally more well-tested than their commercial counterparts.

As a software development manager years ago, I used to tell my development team that the best software we have is the code that is running in production. Therefore our focus when starting a new project was to analyze existing production components to discover any opportunities for re-use.

With re-use in mind, a large number of OSS projects use other OSS components to implement their features. For example, most of the features included in the WildFly application server are provided by other OSS projects such as Undertow, Infinispan and ActiveMQ Artemis.

Myth #2: Open Source Software Isn’t Validated

Open source Java EE (now Jakarta EE) application servers such as WildFly must pass the platform's compatibility test suite, a third-party evaluation, in order to be certified as compatible implementations.

CNCF's Certified Kubernetes Conformance Program enables vendors to prove that their product conforms to a set of core Kubernetes APIs and is interoperable with other Kubernetes implementations.

The Linux Test Project (LTP) was started by SGI and is developed and maintained by IBM, Cisco, Fujitsu, SUSE, Red Hat and others, with the goal of delivering test suites to the open source community that validate the reliability, robustness, and stability of Linux.

Again, the ultimate validation is how broadly a piece of software is deployed to solve a multitude of problems in companies around the world. The Apache HTTP Server is one of the most widely used web servers in the world. The Chrome web browser is used by millions daily. Linux is found everywhere, from the smallest IoT devices to the world's fastest supercomputers. Examples like these show that these OSS tools are ready for prime time.

Other Myths Regarding Open Source Risks

Open source software security aside, many teams point to other open source risks as a barrier to adoption. Among those risks, people often express reservations surrounding the longevity of the OSS trend, and around OSS suitability for enterprise applications. But do these reservations hold any truth?

Let's take a closer look.

Myth #1: Open Source Software Is a Fad

With the increasing investment by companies and venture capitalists throughout the years, it is clear that OSS isn’t going anywhere anytime soon. Below is a list of some of the major investments made in the OSS arena over the years:

  • 1999 Red Hat is one of the first IPOs for an OSS company
  • 2001 IBM invests $1 billion into Linux
  • 2018 IBM announces the acquisition of Red Hat for $34 billion (at the time, the largest software acquisition in history!)
  • 2018 Microsoft acquires GitHub for $7.5 billion
  • 2018 Salesforce acquires MuleSoft for $6.5 billion

Considering that investment in OSS keeps growing, and that OSS is being used in key parts of the mission-critical infrastructure of a vast number of companies, there is no going back to the proprietary ways of the past.

Myth #2: Open Source Software Isn’t Enterprise-Ready

As I mentioned earlier, OSS runs the gamut in terms of quality and security. Therefore organizations need to have processes in place to evaluate any given OSS package to ensure that it meets a set of minimum requirements for deploying it into their enterprise.

I've listed some of those suggested requirements above, but one of the key requirements would be: "Can I get immediate 24/7 professional support for this package if production goes down?"

In those high pressure situations, relying on the community for answers may not be the best option. To address this issue, organizations can partner with OpenLogic to be provided with 24/7 support for many of the most widely used OSS packages in the world.

Moreover, as every package OpenLogic supports has been vetted by our certification process, organizations can have the confidence that those packages are indeed ready to use in their enterprises.

Finally, many of the most popular open source projects had their inception within large enterprises. Kubernetes is a perfect example. Since Google donated it to the OSS community in 2015, adoption has grown to the point that forty percent of enterprise companies included in the Cloud Native Computing Foundation's biannual survey in 2019 reported that they are running Kubernetes in production environments.

Below is a list of some other notable OSS technologies that had their start inside corporations:

  • Chromium (the open source base of Chrome) - Google
  • Kubernetes - Google
  • Cassandra - Facebook
  • Apache Kafka - LinkedIn
  • Open Service Mesh - Microsoft

Additionally, Netflix has made many of the technologies it uses to run its business available as OSS.

Final Thoughts

With the above in mind, I believe that the debate over the enterprise viability of OSS is over. While open source software security is important, most open source technologies are no more risky than other kinds of software.

With OSS technology at the heart of the digital transformation revolution happening around the globe, Marc Andreessen's famous declaration, "software is eating the world," can now be restated as "open source is eating the world." OpenLogic can help your business navigate this exciting but challenging landscape.

Get Dependable Support for Your Open Source Software

Open source documentation and forums can only do so much. Get support you can count on with comprehensive open source support from OpenLogic.


Additional Resources

Looking for more information on open source security? The resources below cover everything from application security basics to reported obstacles to open source adoption.
