Given the dominance of open source in the IT marketplace, any significant debate over its value might be considered moot.
As Eric Cowperthwaite, vice president, advanced security and strategy at Core Security, told CSO recently, "Open-source code has conquered the world."
Indeed, its advantages are multiple, compelling and well known. Among the most compelling are that it is free, it is open to everybody, users can customize it to fit their needs and there is a community of thousands — perhaps millions — of eyes on the code to spot bugs or flaws so they can be fixed quickly, before they are exploited by cybercriminals.
When the source code is "open to the world, you are going to have multiple eyes viewing the same configuration," said Andrew Ostashen, security engineer at Redspin, "so if issues arise, the owners will be able to remediate faster."
Still, world conqueror or not, a number of security and legal experts, while they agree in general with Ostashen and are not issuing blanket condemnations of open source, continue to warn both organizations and individual users that it is not perfect, or even the right fit for everybody.
It is critical, they say, to be aware that some of the characteristics that make it so attractive also make it risky. Obviously, if the flaws in code are exposed for all to see, criminals can see them as well. And even millions of eyes on open-source code is not a guarantee that every flaw will be found and fixed.
"There have been claims that open source software is inherently more secure due to the openness and 'millions of eyes that can review the source code,'" said Rafal Los, director of solutions research at Accuvant. "This was thoroughly debunked by bugs like Heartbleed and others."
Indeed, Kevin McAleavey, cofounder and chief architect of the KNOS Project, somewhat sardonically refers to it as "open sores."
"Open source publishes the source code, and many eyes claim to review it, thus exposing any possible bad code," he said. "And yet ... Heartbleed. The defective code was right there for those 'many eyes' to spot since its release in February 2012, yet nobody spotted it until more than two years later, after the exploits had become overwhelming."
Another example he and others cite is the "Ghost" exploit in GnuTLS, which dates back to 2005 but was discovered only last year.
"Again, nobody ever spotted that one either until after exploits were piling up like cordwood," McAleavey said. "There was also the 'Shellshock' exploit in the BASH shell, which similarly was published, seen by many eyes and dates back to version 1.03 since 1989."