Open source .Net: Are security risks higher?

Microsoft open sourced its .Net framework recently, and enterprises are concerned. Expert Michael Cobb explores if the fears of open source .Net are warranted.

The .NET framework has been open source for a while now, but was just recently attacked by hackers. Some security experts are saying because it is open source, it is more of a security threat than if it stayed proprietary code. Does an open source .Net really boost the chances of an attack on the framework? How can enterprises prepare for and defend against this?

November 12, 2014 was a landmark day in the history of Microsoft. The software giant, famous or infamous for its proprietary software, announced that .NET Core will be open source, including the runtime as well as the framework libraries, CoreFx. The .NET Core is a modular development stack that will be the foundation of all future .NET platforms and is cross-platform, meaning developers can create .NET applications that can run on Linux and Mac operating systems, as well as on Windows.

There will have been a lot of in-house politics behind this decision, but a cross-platform .NET will help Microsoft build a stronger ecosystem of .NET developers. The popularity of an operating system is to some extent dependent on the number and quality of apps that are available, and the growing popularity of open source development frameworks has reduced the circle of developers using .NET. The size and type of community behind an open source software project also greatly affects the security and quality of its code. The open source .NET Core is hosted on GitHub, to help with bug tracking, and other sources, such as User Voice and Connect. Microsoft's internal Team Foundation Server will also feed in improvements. This should mean there is a sizeable community of developers who can participate in code reviews, read design documents and contribute changes to the product. But this is a new paradigm for most .NET developers, who may not all jump at the idea of contributing to and auditing open source .NET code in their spare time.

Also, just because a program's source code is open doesn't mean that enough people with security expertise will constantly review it for weaknesses. Security vulnerabilities are not the same as bugs, and it requires painstaking research to create the unexpected conditions that allow code to be exploited. Despite OpenSSL's widespread use, the Heartbleed flaw went unnoticed for a couple of years. Hackers will clearly be targeting .NET due to its popularity, so expect an initial flurry of exploits with exotic names to hit the headlines, as the hacking community will have many fresh pairs of eyes and an incentive to find vulnerabilities before the .NET community.

There are no statistics or surveys that prove open source or closed source code is inherently more secure. But to answer the question, open sourcing the framework will increase the chances of hackers exploiting .NET applications in the short term, but after an initial outbreak of attacks exploiting newly discovered flaws, the code should stabilize. Until then, enterprises that rely on .NET applications should monitor the security bulletins provided by Microsoft to ensure they stay abreast of any new threats and advice on how to mitigate them. The .NET runtime has been bundled with the Windows operating system since Windows Server 2003, so most enterprises will have applications running somewhere that rely on it. Update asset registers now to flag software that is reliant on .NET so none are missed when an update is released.

The entire ASP.NET family of projects is under the stewardship of the .NET Foundation, an independent organization fostering the open development and collaboration of the .NET development framework. The team is very active and will review any issues and pull requests community and commercial developers wish to contribute; there is plenty of documentation on how to make contributions. Enterprise development teams should use the forum on .NET Foundation to monitor project governance, legal issues and code development to stay abreast of changes that may affect their own projects.

This was last published in December 2015
