
Is open source security software too much of a risk for enterprises?

Before using open source security software, enterprises should consider the security risks. Expert Mike O. Villegas discusses what to do before using open source software.

A while back, Netflix released its own open source threat monitoring tools. For organizations like Netflix that have proprietary programs, is it a good idea to make their security tools open source? It seems like that would open the tools up to hackers and, as a result, open the organization up to more security risks.

Although the software is free, many institutions are reluctant to use it, for obvious reasons. Using open source software that the enterprise does not control -- in production environments and in mission-critical applications -- introduces risks to the basic tenets of cybersecurity: confidentiality, integrity and availability. This includes open source security software like the tools Netflix open sourced.

After Microsoft first made its .NET software open source, Chase Cunningham, Ph.D., threat intelligence lead at Armor (previously FireHost Inc.), told SearchSecurity that it is natural for hackers to target open source software.

"Any time something is put out in the open net for all to share and use, it will be ripped apart and re-engineered, as well," Cunningham said. "And in the cyber realm, typically, this means flaws will be found and exploited. The more popular the tool or software, the more likely it is to be targeted or used for purposes outside of its actual intended use."

In March 2016, Azer Koçulu, a contributor to the NPM Registry (a public collection of open source packages for front-end web, mobile, server-side and internet of things applications), removed his module named kik after lawyers for an instant messaging app of the same name demanded that he rename or remove it. In protest, he unpublished all of his other modules as well. The result was disastrous.

Among the modules he removed was left-pad, an 11-line module that thousands of enterprises worldwide relied on, directly or transitively, in their production environments. NPM was forced to restore the package, an action without precedent. Kik's lawyers followed with an obligatory statement that the matter had been nothing "more than a polite request." Arguably, this is a rare exception, but it still calls into question the reliance enterprises place on open source software.

Netflix's open source threat intelligence software captures real-time event data from several hundred sources for data analytics on streaming data. This is valuable to many companies that would otherwise "have to pay tens of thousands of dollars to market analysts to gather less actionable information about a competitor than [they could] gather from that competitor's website today," says Marc Demarest, a principal at Noumenal, Inc., an international management consulting firm.

Today, more organizations -- including government entities -- are adopting open source software (OSS) alternatives to commercial software. So how should an enterprise decide whether to use open source security software? Clearly there are cost benefits in using OSS, but enterprises should:

  • Perform due diligence when researching open source security software tools.
  • Ensure the risk of using the open source security software is significantly less than that of its commercial alternative(s), and document the comparison.
  • Use file integrity monitoring tools to be alerted to any changes to open source security software code, so that every change can be vetted or followed up.
  • Require stringent change control and back-out procedures for all updates to, and in-house modifications of, open source code.
  • Ensure strict testing is performed in a test environment prior to propagating open source security software into the production environment. This should include, where appropriate:
    • Unit testing;
    • System testing;
    • Stress testing;
    • Environmental testing;
    • Secure code testing; and
    • User acceptance testing.
  • Include open source software in your contingency plans in the event that the code is no longer supported or maintained, or has undergone unauthorized modification at the OSS source.
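As an added illustration of the file integrity monitoring and contingency bullets above (this is not code from the article, from Netflix or from NPM): the script below keeps a vetted, vendored copy of an open source tool, records a SHA-256 baseline of every file in it, and later reports any file that was added, removed or modified outside change control. The directory layout, file names, manifest format and the drift it simulates are all constructed for the example.

```python
# Added example: baseline-and-verify file integrity check for a vendored
# open source security tool. Not code from the article or from Netflix;
# the directory layout, file names and manifest format are assumptions.
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256.
    Symlinks are skipped: a link pointing outside the tree would otherwise
    hash a file the baseline does not cover."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def save_manifest(manifest: dict, out: Path) -> None:
    """Persist the baseline as sorted JSON so it diffs cleanly in version control."""
    out.write_text(json.dumps(manifest, indent=2, sort_keys=True) + "\n")


def load_manifest(src: Path) -> dict:
    return json.loads(src.read_text())


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Classify every path as added, removed or modified relative to the baseline."""
    shared = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in shared if baseline[p] != current[p]),
    }


def verify(root: Path, manifest_path: Path) -> dict:
    """Re-hash the tree and report drift from the recorded baseline."""
    return diff_manifests(load_manifest(manifest_path), build_manifest(root))


def is_clean(report: dict) -> bool:
    return not any(report.values())


def demo() -> dict:
    """Constructed scenario: vet a tool, record a baseline, then detect unreviewed drift."""
    work = Path(tempfile.mkdtemp(prefix="oss-fim-"))
    try:
        tool = work / "vendored-tool"  # the vetted copy kept in-house (constructed)
        (tool / "bin").mkdir(parents=True)
        (tool / "lib").mkdir()
        (tool / "bin" / "scan.py").write_text("print('scan')\n")
        (tool / "lib" / "rules.yml").write_text("rules: []\n")
        (tool / "README").write_text("vetted at v1.2.3\n")

        # The baseline is written outside the tree it describes; in practice it
        # should live somewhere the tool's own update process cannot write to.
        baseline = work / "baseline.json"
        save_manifest(build_manifest(tool), baseline)
        assert is_clean(verify(tool, baseline))

        # Simulate drift that bypassed change control: an edited rule file,
        # a file nobody reviewed, and a deleted file.
        (tool / "lib" / "rules.yml").write_text("rules:\n  - allow_all\n")
        (tool / "lib" / "extra.py").write_text("import os\n")
        (tool / "README").unlink()
        # returns {'added': ['lib/extra.py'], 'removed': ['README'], 'modified': ['lib/rules.yml']}
        return verify(tool, baseline)
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest is only as trustworthy as the place it is stored: keep it where the tool's own updater cannot write, or sign it, and run the check in CI before every deployment and on a schedule in production. An approved update replaces the baseline as part of the change ticket, so any drift the check reports is by definition something that did not go through change control.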

Above all, make sure that management is fully aware of the enterprise's use and reliance on open source software. They should understand and accept in writing the risks associated with using OSS.


This was last published in September 2016
