- Everyone Knows What "Cybersecurity" Means
- We Can Measure How Secure Our Systems Are
- The Primary Goal of Cybersecurity Is Security
- Cybersecurity Is About Obvious Risks
- Sharing More Cyber Threat Intel Will Make Things Better
- What Matters to You Matters to Everyone Else
- Product X Will Make You Secure
- Macs Are Safer Than PCs, Linux Is Safer Than Windows
- Open Source Software Is More Secure Than Closed Source Software
- Technology X Will Make You Secure
- Process X Will Make You Secure
- Faerie Dust Can Make Old Ideas Magically Revolutionary
- Passwords Should Be Changed Often
- Believe and Fear Every Hacking Demo You See
- Cyber Offense Is Easier Than Defense
- Operational Technology (OT) Is Not Vulnerable
- Breaking Systems Is the Best Way to Establish Yourself
- Because You Can, You Should
- Better Security Means Worse Privacy
- Further Reading
Open Source Software Is More Secure Than Closed Source Software
There is a belief that making source code available for all to see will result in fewer bugs. Relatedly, it is believed that closed source software, such as Microsoft Windows, means fewer people can audit, discover, and fix vulnerabilities. Openness has not made open source software immune from serious issues, yet the myth persists that open source products make us more secure.
In March 2012, a new feature was added to OpenSSL, the hugely popular open source library used in most web servers and browsers. The implementation of RFC 6520 contained a flaw that went unnoticed for two years. In April 2014, Google discovered and privately reported the bug to the OpenSSL team, and a fix was released six days later. CVE-2014-0160 was better known as Heartbleed.
In May 2022, the Python library CTX was hijacked and modified so attackers could steal users’ Amazon Web Services (AWS) keys.[45] CTX was never written to communicate with AWS servers; it is a utility library for working with Python dictionaries, a core feature of the language. The developer had last updated it in 2014, so most users probably considered it stable and useful. Unfortunately, it was open to abuse, and someone modified it. At about the same time, it was discovered that a popular PHP library had also been hijacked. In both cases, the code was open source and widely used. In both cases, the source was available for anyone to look over, but that did not prevent the attacks.
Some commercial, closed systems are developed by people paid to consider security and robust operations, whether they think it is a chore or not. The result might be code with fewer vulnerabilities than Open Source Software (OSS). Several systems evaluated at the highest assurance levels under the TCSEC and its successors, such as Scomp, GH INTEGRITY, and GEMSOS, have been thoroughly examined and tested to provide very high assurance operation, yet none of them is free or open source.
Open source can mean faster security fixes, but not always. When a bug is discovered and fixed in OpenSSL, that fix does not automatically propagate to every software package that uses it. If our website uses the Apache Web Server, Apache needs to incorporate the new OpenSSL library, and then we need to update our installation of Apache. Three years after Heartbleed, for example, there were still more than 144,000 Internet-facing web servers unpatched against the bug.[46] In short, a patch is not the end of a security incident. It’s simply the start of cleaning one up.
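The propagation problem described above, as an added example that is not from the book: a small Python triage script that checks a constructed server inventory of OpenSSL version strings against the Heartbleed-affected range (upstream 1.0.1 through 1.0.1f). The host names and version strings are assumptions; distribution builds that may backport the fix without changing the upstream version string are flagged for manual verification rather than declared safe or vulnerable.

```python
import re

# Constructed sample inventory (assumption: each server links the system
# OpenSSL whose version string is recorded here; a real inventory would come
# from `openssl version` or the package manager on every host).
INVENTORY = {
    "www-01": "1.0.1e",           # inside the affected range, no fix
    "www-02": "1.0.1g",           # first upstream release with the fix
    "www-03": "1.0.1e-2+deb7u7",  # distro build: string frozen, fix may be backported
    "api-01": "1.0.0k",           # 1.0.0 branch never had the RFC 6520 heartbeat code
    "lb-01": "1.0.1",             # the very first 1.0.1 release, affected
}

# Heartbleed (CVE-2014-0160) affects upstream OpenSSL 1.0.1 through 1.0.1f.
HEARTBLEED_FIRST = (1, 0, 1, "")
HEARTBLEED_LAST = (1, 0, 1, "f")

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)(-\S+)?$")

def parse_openssl_version(text):
    """Split '1.0.1f' or '1.0.1e-2+deb7u7' into ((1, 0, 1, 'f'), suffix).

    The letter sorts lexically ('' < 'a' < ... < 'f' < 'g'), matching the old
    OpenSSL release order; the '-...' distro revision is kept separate.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {text!r}")
    major, minor, fix, letter, suffix = m.groups()
    return (int(major), int(minor), int(fix), letter), (suffix or "")

def heartbleed_status(text):
    """Return 'not-affected', 'unpatched' or 'verify-backport'."""
    version, suffix = parse_openssl_version(text)
    if not (HEARTBLEED_FIRST <= version <= HEARTBLEED_LAST):
        return "not-affected"
    # An affected upstream version with a distro revision may already carry
    # the fix without a letter bump: flag it for a changelog check instead.
    return "verify-backport" if suffix else "unpatched"

def triage(inventory):
    """Group hosts by status so the unpatched ones can be scheduled first."""
    report = {"unpatched": [], "verify-backport": [], "not-affected": []}
    for host, version in inventory.items():
        report[heartbleed_status(version)].append(host)
    return report

if __name__ == "__main__":
    for status, hosts in triage(INVENTORY).items():
        print(f"{status:16} {', '.join(hosts) or '-'}")
```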
Open source indeed encourages transparency and community input; however, the fact that code exists in the open does not necessarily mean that security experts are looking at it. There is evidence that the people who have access to open source are more active in creating new code and extensions than in auditing existing code. One recent study showed that OSS developers spent less than 3% of their time working on improving security.[47] They described working on security as a “soul-withering chore and a subject best left for the lawyers and process freaks” and an “insufferably boring procedural hindrance.” With some estimates that OSS makes up 70% of current software applications, these results should cause serious concern.
Avoiding this myth means accepting that open and closed source software are both vulnerable but that there might be more vulnerabilities in some OSS. Software development is difficult, and users must be motivated and diligent about patching.