
Security of Open-Source Software


Open Source Software

Open-source software (OSS) is software whose source code is published so that anyone may study, distribute, and modify it, for any purpose.


Even if you are not a programmer, or feel indifferent about the idea of open source, you are almost certainly using it in some form every day: the Firefox browser, the Linux operating system, WordPress, which powers a large share of the web's sites, and Android, the leading mobile operating system. It is estimated that companies use, on average, around 250 open-source applications or components. A 2022 industry study found that 97% of the codebases it examined contained some open-source code.


OSS: Clarification of common misconceptions

There are several misconceptions about OSS, which we hope to clarify.


  • Open-Source Software is less secure since anyone can read code and find mistakes

It is true that the code is accessible and can be examined by anyone, attackers included. In practice, though, most attackers look for an easier route than auditing thousands or sometimes millions of lines of code: a known, already-published vulnerability in an unpatched deployed version is a far cheaper target.


On the other hand, many more eyes can review the code and report issues, so finding and fixing bugs may take less time than with proprietary software. The transparency of open-source software is a security benefit, not a detriment, provided the project actually has active reviewers: openness makes review possible, it does not perform the review.


Most open-source developers take pride in putting their best foot forward and publishing code that follows security and maintainability best practices.


  • Bad actors can intentionally create vulnerabilities

In most cases the original project team members not only develop the project but also act as gatekeepers, reviewing any new contribution from an external contributor before it is merged.


To reduce risk, learn about the project and its contributors. Many open-source projects are maintained by a single developer. An e-mail address alone says nothing about the character or legitimacy of the people involved; you must look further, for example at their contribution history and at how the project handles reported issues.


Proprietary software developers are usually interviewed and have their references checked, but this does not guarantee the absence of bad actors on the team either.


  • Lack of financial support makes open-source software less secure since no time or money is available

It is true that many open-source software developers struggle to be compensated for their creations and continue their work for the love of their craft or to demonstrate their skills and abilities.


Remember that the project's reputation for shipping reliable software is on the line. Many open-source developers will rush to address any issue as soon as it has been identified.

On the other hand, a number of open-source projects have been able to provide a substantial revenue stream to their development teams. For example, Firefox generated $441 million in royalties for Mozilla in 2021.


Pros and Cons of using open-source software:

PROS:

  • Cost: Little or no upfront cost and no usage fees, so adopting OSS can save a significant amount of money.

  • Modifiable Code: Unlike proprietary software, OSS allows developers to add, enhance, or remove features according to business requirements.

  • Licensing Flexibility: There are numerous license types associated with OSS, and open source does not mean there are no restrictions on the software. Permissive licenses such as MIT and BSD impose few obligations; copyleft licenses such as the GPL require that derived works be released under the same terms. Make sure that the license of any component you adopt is compatible with your intended use of the software.

  • Reliability/Security: Many OSS contributors are experienced developers, and popular open-source projects have far more users than comparable proprietary applications. The issue-reporting mechanism is open to the public, so bugs tend to be found and fixed quickly.



CONS:

  • Support: OSS support usually comes from community members. Requests might not be answered in a timely manner, or might not resolve your issue. This is not equivalent to the dedicated support model, with extensive documentation, that may come with proprietary software licensing.

  • Usability/Design: Out of the box, proprietary software often has a more polished user interface and a longer feature list than OSS. But if you need specific functionality, OSS lets you strip out the bloatware that a number of proprietary products are famous for.

  • Orphan Software: The original developer(s) might lose interest in the project or move on to another one, leaving the OSS application unmaintained. This can happen with proprietary software too (discontinued applications), but it typically happens less often. On the other hand, if an OSS project has been abandoned, you still have the source and can hire a developer to maintain and/or modify it.

  • Security: OSS developers may be unknown individuals with no public or professional profile. Some of them might hide malicious code in their applications.


Summary

Open source is here to stay and to be utilized.

It is a critical public asset equivalent to transportation infrastructure. Therefore, governments should partner with the OSS community to investigate options to support and sustain it and make it more secure.


When OSS is used in your organization, it is vital to record which open-source components are in use and at which versions. Test your applications regularly: testing will catch and report any older version of an open-source component that has known security issues needing to be patched or addressed.

Just because you performed penetration testing 3 months ago does not guarantee your security today.

Components that are not kept up to date lack the fixes for vulnerabilities that have already been found and published.
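To make the version bookkeeping concrete, here is an added example, not code from the original page: a small Python script that parses a fully pinned requirements file and checks each pin against a list of advisories expressed as affected version ranges. The lockfile contents, package names and advisories are constructed for illustration and are not real packages or real vulnerabilities; the "introduced"/"fixed" range shape is how public feeds such as OSV express affected versions.

```python
"""Offline check of pinned dependency versions against a list of advisories.

Added example. The lockfile, package names and advisories below are constructed
for illustration only: they are not real packages and not real vulnerabilities.
"""
import re

# Constructed sample of a pip-style requirements file with every dependency pinned.
LOCKFILE = """\
# requirements.txt (constructed sample)
widgetlib==1.4.2
parsekit==0.9.0
netshim==2.0.1   # pinned for the API gateway
tinylog==3.1.0
"""

# Constructed advisories. Each one means: versions >= "introduced" and < "fixed"
# are affected; "fixed" of None means no fixed release exists yet. Public feeds
# such as OSV (https://osv.dev) express affected ranges in the same way.
ADVISORIES = [
    {"package": "widgetlib", "introduced": "1.0.0", "fixed": "1.4.3",
     "summary": "constructed: path traversal in archive extraction"},
    {"package": "netshim", "introduced": "2.0.0", "fixed": "2.0.1",
     "summary": "constructed: header injection"},
    {"package": "tinylog", "introduced": "3.0.0", "fixed": None,
     "summary": "constructed: format-string bug, no fix released"},
]

# Matches "name==1.2.3"; anything else (>=, ~=, no version) is treated as unpinned.
PIN_RE = re.compile(r"^([A-Za-z0-9_.-]+)\s*==\s*([0-9]+(?:\.[0-9]+)*)$")


def parse_version(version):
    """Turn a dotted numeric version into a comparable tuple, padded to 3 parts.

    Simplification for the example: real tools should apply PEP 440 rules
    (e.g. packaging.version.Version) to handle pre-releases and suffixes.
    """
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def parse_lockfile(text):
    """Return {package: version} for a fully pinned requirements file.

    Raises ValueError on any requirement without an exact pin, because a
    version you have not recorded is a version you cannot check.
    """
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        match = PIN_RE.match(line)
        if not match:
            raise ValueError(f"unpinned or unparsable requirement: {line!r}")
        name, version = match.group(1).lower(), match.group(2)
        pins[name] = version
    return pins


def is_affected(version, introduced, fixed):
    """True if version lies in the half-open range [introduced, fixed)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def find_vulnerable(pins, advisories):
    """Return (package, pinned_version, fixed_version, summary) for each hit."""
    findings = []
    for adv in advisories:
        name = adv["package"].lower()
        if name in pins and is_affected(pins[name], adv["introduced"], adv["fixed"]):
            findings.append((name, pins[name], adv["fixed"], adv["summary"]))
    return findings


if __name__ == "__main__":
    for name, pinned, fixed, summary in find_vulnerable(parse_lockfile(LOCKFILE), ADVISORIES):
        action = f"upgrade to {fixed}" if fixed else "no fixed version yet; mitigate or replace"
        print(f"{name}=={pinned}: {summary} ({action})")
```

On the constructed input the script flags widgetlib (inside the affected range) and tinylog (affected with no fix yet) and clears netshim, whose pin equals the fixed version. In practice you would feed it the pins from your real lockfile and advisories pulled from a vulnerability database, or run a tool built for the purpose such as pip-audit for Python or npm audit for Node.js; the point is that the check is only possible when every dependency has a recorded version, which is why the script refuses unpinned requirements.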


“Test early --- and test often”





