Open Source Software: Mitigating the Risks to Reap the Rewards

Despite evolving tremendously over the last 37 years, there remains an ongoing debate on the pros and cons of open source software.

pros and cons of open source

Initially developed by Richard Stallman in 1983 and popularized by Linus Torvalds in the early 1990s, open source software has evolved tremendously over the last 37 years. Although it started out as a niche practice, it became more mainstream in the 2000s. Its value was initially verified by Sun Microsystems’ $1 billion acquisition of MySQL in 2008, and more recently by IBM’s purchase of Red Hat for $34 billion last year. Now the most popular open source software, GNU/Linux runs on nearly 70% of web servers and is maintained by more than 15,000 unique programmers around the world. However, there remains an ongoing debate within the tech industry on both the pros and cons of open source software. We’ve taken a look at a couple of each and discussed below.

Pro: Rapid Innovation

Open source software enables ideas and potential applications to be formed within days, or even hours, instead of months or years. It’s similar to the popular toy, Legos. Users don’t have to invent all of the basic elements because the building blocks already exist, they just have to fit them in the right places. Plus, who doesn’t love to envision grand Lego designs?

Pro: You Can Leverage the Expertise of Others

Open source allows people to specialize when writing software for specific applications and to focus on their unique competitive advantages. Previously, users would have to be experts in many diverse software domains just to get a basic program working. Now, open source allows for ideas to take form with rapid experimentation and application assembly without any unnecessary friction. And with the introduction of Apple App and Google Play stores, there are now huge numbers of new developers, many of which rely on open source code in their apps.

Con: Monoculture Environment Creates Risk

From an attacker’s point of view, open source is a monoculture environment where there’s a much higher probability that every application stack has common code. This gives threat actors a non-zero percent probability that they have the ability to attack code without ever seeing it because they already know what it is. Clearly highlighting this risk –  in 2016, a single developer broke thousands of projects with just 11 lines of JavaScript, by pulling his published repositories that had become intrinsic in more than 2.5 million code pulls a month. Most current cyber strategies address the root cause of code insecurity the same way bloodletting treats the flu, they’re ineffective at best. Susceptibility of software being hijacked, combined with the monoculture nature of deployed software, means that, at low cost and with high returns, attackers can proliferate cyber weapons with impunity.

Con: Disjointed Code Management 

With open source, users don’t have accountability for each piece of code they use. Instead, they have to blindly rely on segments of code to perform as described, and this lack of insight often gets abused. How can you be confident that open source code is doing only what it says it does? The simple answer is you can’t be 100% confident. It’s basically like leaving your front door open and letting anyone into your home and trusting they won’t touch anything. Yet, most people are comfortable with this from a software development point of view. Many who work on rapid assembly of code either don’t know or conduct proper due diligence when leveraging open source. It’s a great tool, but it’s like passing out Ferraris to seven year-olds. With great power comes great responsibility.

Striking a Balance

All things considered, open source software offers endless possibilities and growth opportunities that the industry could capitalize on as it continues to evolve. However, its security must be prioritized in order for it to reach its full potential. Just like a flu shot helps prevent future cases of the virus from spreading by inoculating its host from the inside out, automated cybersecurity products that leave each system functionally identical, but logically unique, can significantly reduce risks by precluding exploits from spreading across multiple devices and networks. If cures to the open source “flu” can get perfected and ultimately adopted by those 15,000 GNU/Linux programmers across the globe, Mr. Stallman and Mr. Torvalds might strike more gold than initially thought.


SHARE
Doug Britton

Doug Britton is Chief Technology of RunSafe Security and a member of its board of directors. As RunSafe’s CTO, Doug plays an essential role in showcasing how RunSafe’s technology changes the economics of cyber defense, and he has been instrumental in driving the RunSafe technology strategy and roadmap, the development of its patent portfolio and IP strategy, managing software development teams, and building a world-class security research team.

Prior to RunSafe Security, Doug founded Kaprica Security which sold its Tachyon business to Samsung. He has also managed large-scale security research, reverse engineering, and exploit development programs for Lockheed Martin and SAIC. A trained computer scientist, Doug started his career in the National Center for Supercomputing Applications at the University of Illinois, before serving as a Russian Linguist and Interrogator in the US Army. He has also earned an MBA from University of Maryland and mentors several entrepreneurs and students launching their business.