Security considerations when using open source software (ITSAP.10.059)

When looking to acquire software, your organization might consider using open-source software (OSS). OSS uses publicly available source code and may seem more affordable and flexible than other software options. Although the initial acquisition and onboarding are affordable, OSS can introduce vulnerabilities and security risks to your organization.

The ongoing management of these risks and vulnerabilities, as well as related security incidents, can lead to significant losses for your organization. This publication outlines the risks related to OSS and the steps your organization can take to minimize them.


Defining “open source”

“Open source” refers to an approach for creating computer programs using publicly available code that has been licensed by the original authors so that anyone can see it, modify it, and distribute new versions of it. Software developers create open-source code through voluntary collaboration. Developers can extend open-source code to create new standalone products or to add new functionality to existing software products.

Examples of open-source products include Google Chrome and Firefox web browsers. Because OSS is publicly available, anyone can make changes to the existing open-source code. This makes it easy for users to customize OSS to suit their business needs by adding, removing or modifying capabilities.

Risks of using open-source software

Before you acquire and implement OSS, it is essential that you conduct assurance activities. This will allow you to continue to protect the security of your organization’s networks, systems and information.

Not all OSS carry the same level of risk. In fact, many commercial IT security products have open-source components worked into their code. For example, companies that manufacture IT security products with cryptographic functionality use OpenSSL, an open-source cryptographic library.

Consider the following risks before you implement OSS in your organization.

Excessive access

Open access means the code is available to everybody. This creates opportunities for cyber threat actors to manipulate the code for malicious purposes. OSS can also present threat actors with opportunities to gain access to your networks and information.

Lack of verification

There is no guarantee that qualified experts conducted proper testing and quality assurance throughout an OSS’s development, or that those who reviewed the code did a thorough security check. This lack of verification can make your IT infrastructure vulnerable.

Lack of support

Most OSS do not have dedicated support and are reliant on the project community to maintain, report and patch the OSS for any known vulnerabilities. Without a dedicated support team, updates and security patches may not be available. Cyber threat actors can exploit these vulnerabilities to gain access to your organization’s network, systems and information.

Open-source software development lifecycle

An OSS approach is built on the values of collaboration, transparency and community-oriented development. The development lifecycle for OSS includes:

  • collecting requirements
  • designing
  • implementing
  • testing
  • releasing
  • maintaining

OSS is released to the public as soon as the project team gets it running, even if it contains bugs. OSS often depends on public inspection and review to improve the product over time. Volunteers test the software and then report bugs and suggest fixes. The project team uses this feedback to develop and release updated software. This process happens as many times as needed to improve the software and release more stable versions.

Security is not necessarily incorporated into the design and development of OSS. This may lead to vulnerabilities and introduce risks to your organization.

Many large organizations support OSS projects. However, these projects may rely on work conducted by smaller, volunteer-run OSS projects. For smaller OSS projects, volunteers may have less time to fix problems or conduct security testing. Also, these projects may not receive the funding needed to hire expert security auditors.

Improving the security of open-source software

Secure-by-design initiatives urge software creators to increase the safety of their products, including OSS, before releasing them to the public.

Building security into the OSS design and lifecycle increases safety for users. OSS developed using memory-safe languages such as Rust and Python can be less prone to vulnerabilities.

Protecting your organization

To protect your organization from the risks of OSS, make sure you have an OSS security framework. Here are some recommendations for what your framework should include.

Supply chain security

Address supply chain security considerations as part of your organization’s OSS strategy. Understand supply chain risks and their implications on your environment.

Software bill of materials and open-source software tracking

Continuously track all OSS running in your environment. Monitor public disclosures of vulnerabilities and align with your patch management strategies accordingly.

Request a software bill of materials (SBOM) for all software, including projects that are not open source, to understand the implications of vulnerability disclosures on your environment.
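As an added illustration of the tracking step described above (example code, not part of ITSAP.10.059 or any SBOM tool), the script below reads a CycloneDX-style SBOM, compares each listed component's version against public disclosures, and reports the components that still need patching. The SBOM fragment, the advisory identifiers and the version numbers are all constructed sample data.

```python
"""Added example (not part of ITSAP.10.059): match a CycloneDX-style SBOM
against vulnerability disclosures to find components that need patching.
The SBOM and advisories below are constructed sample data."""
import json

# Constructed CycloneDX-style SBOM fragment (real SBOMs carry more fields).
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "openssl", "version": "3.0.7"},
    {"type": "library", "name": "libxml2", "version": "2.10.4"},
    {"type": "library", "name": "zlib", "version": "1.3.1"}
  ]
}"""

# Constructed disclosures: component, version that fixes it, placeholder id.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-001", "name": "openssl", "fixed_in": "3.0.8"},
    {"id": "EXAMPLE-ADV-002", "name": "zlib", "fixed_in": "1.2.12"},
]

def parse_version(v: str) -> tuple:
    """Turn '3.0.7' into (3, 0, 7) so versions compare numerically, not as text
    ('1.10.0' must sort after '1.9.9')."""
    return tuple(int(p) for p in v.split("."))

def load_components(sbom_json: str) -> dict:
    """Return {component name: installed version} from a CycloneDX-style SBOM."""
    bom = json.loads(sbom_json)
    return {c["name"]: c["version"] for c in bom.get("components", [])}

def affected_components(components: dict, advisories: list) -> list:
    """List (advisory id, name, installed, fixed_in) for every component whose
    installed version is older than the version the advisory says is fixed."""
    findings = []
    for adv in advisories:
        installed = components.get(adv["name"])
        if installed is None:
            continue  # component not present in this environment
        if parse_version(installed) < parse_version(adv["fixed_in"]):
            findings.append((adv["id"], adv["name"], installed, adv["fixed_in"]))
    return findings

if __name__ == "__main__":
    for finding in affected_components(load_components(SBOM_JSON), ADVISORIES):
        print("PATCH NEEDED: %s affects %s %s (fixed in %s)" % finding)
```

Feeding the script a real SBOM export and a vulnerability feed in the same shape turns the "monitor public disclosures" step into a repeatable check that can run on every patch cycle.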

Secure deployment

Secure deployment of OSS is as important as its development framework. Understand and take advantage of an OSS’s security features before its deployment. If security protections are insufficient, conduct a security assessment to identify potential mitigation measures, or reconsider using the OSS.

Licensing risks

Understand the OSS’s licensing and copyright restrictions to avoid legal contraventions. Some OSS may require attribution, while others may have sharing or usage restrictions. Ensure there are no jurisdictional legal implications for your data.

Considerations for using open-source software

Ultimately, OSS should align with your organization’s overall IT strategy. Here are some factors to consider when using OSS.

Before acquiring new software

Your organization should determine its risk tolerance level. When your risk tolerance is clearly identified, you can narrow down software choices and pick the products that meet your business needs and security requirements.

Before installing new software

Your organization needs procedures to detect and mitigate vulnerabilities. These can include:

  • proactive software security testing
  • software update vetting
  • removal of deprecated protocols
  • security hardening
  • incident response monitoring

Always test software before installing it. Continue to test software throughout its lifecycle, such as when it needs to be updated or patched. Continuous monitoring and testing can reduce the risk of exploitation.

When using open-source software

Manage all OSS using the same procedures and tools that you use for commercial products. Train your employees on cyber security best practices to help them use and manage software products securely. Consider identifying security champions within your organization to advocate for safer and more secure practices.
