A while back, Netflix released its own open source threat monitoring tools. For organizations like Netflix that have proprietary programs, is it a good idea to make their security tools open source? It seems like that would open the tools up to hackers and, as a result, open the organization up to more security risks.
Although open source software is free, many institutions are reluctant to use it, and for good reason. Using open source software that the enterprise does not control -- in production environments and in mission-critical applications -- introduces risks that could undermine the basic tenets of cybersecurity: confidentiality, integrity and availability. This includes open source security software like the tools Netflix uses.
After Microsoft first made its .NET software open source, Chase Cunningham, Ph.D., threat intelligence lead at Armor (previously FireHost Inc.), told SearchSecurity that it is natural for hackers to target open source software.
"Any time something is put out in the open net for all to share and use, it will be ripped apart and re-engineered, as well," Cunningham said. "And in the cyber realm, typically, this means flaws will be found and exploited. The more popular the tool or software, the more likely it is to be targeted or used for purposes outside of its actual intended use."
In March 2016, Azer Koçulu, an open source contributor to the NPM Registry -- a public collection of open source packages for front-end web, mobile, server-side and internet of things applications -- removed the source code for one of his modules, named Kik, after lawyers for an instant messaging app of the same name threatened him unless he removed or renamed it. The result was disastrous.
One of the dependencies for Kik was left-pad, which thousands of enterprises worldwide relied on in their production environments. NPM was forced to republish this 11-line code module, an action without precedent. The Kik IM lawyers also submitted an obligatory apology stating that this was nothing "more than a polite request." Arguably, this is a rare exception, but it still calls into question the reliance enterprises place on open source software.
Netflix's open source threat intelligence software captures real-time event data from several hundred sources for data analytics on streaming data. This is valuable to many companies that would otherwise "have to pay tens of thousands of dollars to market analysts to gather less actionable information about a competitor than gather from that competitor's website today," says Marc Demarest, a principal at Noumenal, Inc., an international management consulting firm.
Today, more organizations -- including government entities -- are adopting open source software (OSS) alternatives to commercial software. So how should an enterprise decide whether to use open source security software? Clearly there are cost benefits in using OSS, but enterprises should:
- Perform due diligence in their research of open source security software tools.
- Ensure the risk of using open source security software is significantly less than that of its commercial alternative(s).
- Use file integrity monitoring tools to be alerted to any changes to open source security software code, so the change can be vetted or followed up.
- Require stringent change control and back-out procedures for all updates to in-house modifications of open source code.
- Ensure strict testing is performed in a test environment before promoting open source security software into the production environment. This should include, where appropriate:
  - Unit testing;
  - System testing;
  - Stress testing;
  - Environmental testing;
  - Secure code testing; and
  - User acceptance testing.
- Include open source software in your contingency plans in case the code is no longer supported or maintained, or has undergone unauthorized modifications at the OSS source.
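A minimal version of the file integrity check recommended in the list above, added here as an example and not taken from the original article or from any particular product; the tool directory and its file names are constructed. It records the SHA-256 of every file in a tool checkout, stores that manifest out of band, and after an update reports which files were added, removed or modified so each change can be vetted before it reaches production.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def hash_file(path: Path) -> str:
    """SHA-256 of one file, read in chunks so large binaries are not loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare_manifests(baseline: dict, current: dict) -> dict:
    """Files that appeared, disappeared or changed since the stored baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(n for n in baseline.keys() & current.keys()
                           if baseline[n] != current[n]),
    }

def demo() -> dict:
    """Constructed scenario: baseline a fake tool checkout, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        tool = Path(tmp) / "oss-security-tool"      # hypothetical tool directory
        (tool / "lib").mkdir(parents=True)
        (tool / "collector.py").write_text("print('collector v1')\n")
        (tool / "lib" / "parser.py").write_text("def parse(x): return x\n")
        # Store the baseline out of band (here: a JSON file next to the tree).
        manifest = Path(tmp) / "baseline.json"
        manifest.write_text(json.dumps(build_manifest(tool), indent=2))
        # Simulate an unvetted update: one file edited, one added, one deleted.
        (tool / "lib" / "parser.py").write_text("def parse(x): return x[::-1]\n")
        (tool / "lib" / "helper.py").write_text("pass\n")
        (tool / "collector.py").unlink()
        stored = json.loads(manifest.read_text())
        return compare_manifests(stored, build_manifest(tool))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))   # any non-empty list is a vetting trigger
```

In practice the baseline manifest should live somewhere the tool's own update process cannot write to, otherwise a modified checkout could simply overwrite its own reference hashes.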
Above all, make sure that management is fully aware of the enterprise's use and reliance on open source software. They should understand and accept in writing the risks associated with using OSS.
Related Q&A from Mike O. Villegas