Open-Source Security in the Enterprise

Posted / 17 August, 2017

Author / Enginess


Here’s what enterprises can do to embrace open source software products and services without compromising on security.

The dream of open source software (OSS) is one that many consider a core tenet of the internet. However, while OSS is used by 78% of enterprises, security remains a persistent concern – and that matters because there are a number of benefits to open source that enterprise organizations might be passing up.


The challenges of security with OSS

Before we get into how enterprises can cope in the new security-sensitive world, it’s worth mentioning the challenges they’re currently facing.


1. It’s difficult to update legacy systems to combat new security threats

The longer a system has been in place, the harder it is to push updates to it to improve its protection and security. Older systems aren’t cloud-based, making updates difficult and time-consuming. What’s more, legacy systems often power multiple mission-critical processes, meaning they require exhaustive testing before a single update can go into a production environment.

Because of the iterative nature of cybercrime, it’s a little like comparing the evolutionary pace of a mammal to that of a virus – we’re not even talking in the same timescale.

The result is exactly what we’ve seen over the past 7-10 years — a significant uptick in major data and security breaches, often exploiting vulnerabilities in clunky legacy systems.

And for systems controlled by third parties where enterprise clients don’t have access to the source code, this problem is compounded.

With OSS, having access to the source code partially mitigates this challenge (more on that in a minute). But on the flip-side, everyone else has access to the same product, creating a frustratingly level playing field.


2. There’s heightened risk and perceived risk of cyber malfeasance

The second challenge of security today is the fact that the stakes have never been higher and awareness of digital threats is rising. People are living more online than ever, storing more of their lives in a digital format. From photos to SIN numbers, the sheer volume of personal data out there makes it difficult to defend all of it correctly. So the actual security challenges are more significant. Plus, with the added complexity of delivering an outstandingly simple user experience, security often takes a back seat. After all, who wants to undergo two-factor authentication every single time?

There’s also an increased perceived risk around security. People are more aware than ever of the ease with which their personal information could be exploited online, and are wary of enterprise companies. In 2015, Pew Research Center found security and privacy were deeply held beliefs for most Americans. 74% thought it was “very important” to be in control of who can access information about them – which is the crux of digital security for enterprise organizations.

Given this situation of aging digital systems and a concerned public, what can security teams do to stay safe while leveraging OSS?


Start security hardening


Security hardening is essentially iterative design, but for security; you develop and build secure protection measures over time, rather than patching vulnerabilities as they come to light.

The idea is to streamline what a piece of software can do, who has access, and how many ports of entry there are to the barest of the bare minimum. The rationale, of course, is that the fewer doors your house has, the harder it is for a thief to break in.

There are four main categories of hardening:

  • Code level: changes to the source code that remove potential vulnerabilities without changing how the software operates.

  • Software process hardening: This replaces dev tools and compilers with code libraries. It’s often at this stage that security test suites are developed and deployed.

  • Design-level: These are security developments that impact the user to create a more secure environment. Activities can include anything from better access control or more authentication to more significant changes, like how processes move through and across systems.

  • Operating environment hardening: Finally, there’s environment hardening. No software exists in a vacuum. It is connected to a range of networks, OSS, libraries, APIs, and databases. However, this environment is, by its nature, extremely piecemeal, resulting in plenty of potential vulnerabilities. At this level, it’s less about fixing or preventing vulnerabilities than it is about making your specific connections and environments robust in the face of known and unknown problems.

With security hardening, enterprises can continually improve their security and move closer to the evolutionary pace of the security breaches they’re trying to stop.


Address your plugins


Infosecurity reported in late 2016 that plugins were the final major security risk for enterprises. And with the use of public-facing OSS increasingly common for major organizations (particularly WordPress), plugins are a major vulnerability – even for veteran security hardeners.

The challenge, of course, is that each plugin opens another door into your secure environment that someone might find a way to exploit. And since even popular plugins are often created and run as relatively small projects, there’s a concern over continued improvement and support. The worst-case scenario is that a plugin is used to satisfy a critical need but ends up unsupported, leaving the enterprise without the source code to maintain it themselves.

The result is a persistent vulnerability or a major (and expensive) change to replace it.

Of course, there is a flip-side. Plugins can be incredibly valuable to IT teams and users alike to solve thousands of problems.


How to take advantage of plugins (while controlling for risk)


First, understand where and how plugins are currently being used. Odds are, there are plugins that are quietly opening potential vulnerabilities in the system.

Second, carefully consider the pros and cons of custom, commercialized, and free plugins. While free plugins are tempting, they often go unmaintained with little or no recourse for their users. Paid plugins will generally offer more support (especially if purchased on a subscription model), but if that’s the route you’re going down, it’s important to include either source code escrow or a similar arrangement to ensure continuity of service.

Finally, you can build your own. While we don’t want to spark a ‘build vs buy’ debate, there are benefits to building your own, namely absolute control. However, the cost of maintenance also resides squarely with you too, so it’s often not economical for enterprise IT teams.

Plugins can be used effectively, even with secure open source platforms. However, that isn’t an invitation to download just anything from a plugin marketplace. There are a few things it’s important to remember:

  • Check for updates. Most exploits are a result of out-of-date software. If a plugin hasn’t been updated recently, it’s a red flag.

  • See who else is using it. Successful plugins will usually have a roster of big-name clients they shout about. Shop around and see who else is using it.

  • Stick with best-in-class. At the end of the day, the best way to stay secure while still using plugins effectively is to just stick with big names. You want your plugin supplier to be big enough that they have the capacity to seek out vulnerabilities and patch them proactively.

  • Use fewer of them. See if you can solve your problem with a code library instead.
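The first step above (know where plugins are in use) and the checklist that follows it can be turned into a repeatable audit. The script below is an added example, not code from the original post or from Enginess: it runs over a constructed plugin inventory (names, versions and release dates are made up for this example, and the "latest version" values are assumed to come from a vendor or marketplace feed) and flags plugins that are behind the latest release, have not had a release within a stale-period threshold, or are paid plugins with no source-code escrow or equivalent continuity arrangement.

```python
"""Plugin inventory audit (illustrative example; not Enginess code)."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Plugin:
    name: str
    installed_version: str
    latest_version: str   # assumed to come from the vendor/marketplace feed
    last_release: date    # date of the plugin's most recent release
    source: str           # "free", "paid" or "custom"
    escrow: bool = False  # source-code escrow or equivalent arrangement in place


def version_tuple(version):
    """Turn a dotted version string into a comparable tuple, e.g. '2.3.1' -> (2, 3, 1)."""
    return tuple(int(part) for part in version.split("."))


def audit_plugin(plugin, today, stale_days=180):
    """Return a list of findings for one plugin (empty list means nothing to flag)."""
    findings = []

    # Check for updates: installed version behind the latest release is a red flag.
    if version_tuple(plugin.installed_version) < version_tuple(plugin.latest_version):
        findings.append(
            f"outdated: {plugin.installed_version} installed, "
            f"{plugin.latest_version} available"
        )

    # A plugin with no release for a long time may be unmaintained.
    age_days = (today - plugin.last_release).days
    if age_days > stale_days:
        findings.append(f"stale: last release {age_days} days ago (>{stale_days})")

    # Paid plugins need a continuity arrangement in case the vendor disappears.
    if plugin.source == "paid" and not plugin.escrow:
        findings.append("paid plugin without source-code escrow or equivalent arrangement")

    return findings


def audit_inventory(inventory, today, stale_days=180):
    """Map each plugin name to its findings."""
    return {p.name: audit_plugin(p, today, stale_days) for p in inventory}


# Constructed sample inventory: every value here is made up for the example.
SAMPLE_INVENTORY = [
    Plugin("contact-form", "2.3.1", "2.4.0", date(2017, 7, 20), "free"),
    Plugin("seo-toolkit", "1.0.0", "1.0.0", date(2015, 11, 2), "free"),
    Plugin("payment-gateway", "5.1.2", "5.1.2", date(2017, 8, 1), "paid"),
    Plugin("legacy-importer", "0.9.0", "0.9.0", date(2017, 6, 15), "custom"),
]


def report(today=date(2017, 8, 17), stale_days=180):
    """Audit the sample inventory as of a fixed date and print a one-line status per plugin."""
    results = audit_inventory(SAMPLE_INVENTORY, today, stale_days)
    for name, findings in results.items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
    return results


if __name__ == "__main__":
    report()
```

The audit date is passed in explicitly rather than read from the clock so that results are reproducible in a change ticket; in practice the inventory would be generated from the platform (for WordPress, the installed plugin list) rather than typed in by hand, and the stale-period threshold is a policy decision for your team, not a fixed rule.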

Summary

Open source software is an integral part of the internet. Countless parts of the digital world are built on it, and it’s increasingly the platform of choice for enterprises.

This means there is a far greater focus on how enterprises can grow and upgrade without compromising on security. Fortunately, with robust and iterative security hardening, careful platform selection, and an awareness of the common vulnerabilities, enterprises stand to gain all the benefits of OSS without opening themselves to unsustainable security risks.
