
Open source software security: Who can you trust?

Fears of backdoors and heightened concerns about encryption software are running rampant.

Cybersecurity remains a top source of contention between the United States and China. As a result, U.S. technology companies have increasingly faced market pressures in China as local suppliers capitalize on the cyber uncertainty.

In addition to lower costs, Chinese server supplier Inspur Group Ltd. is banking on the specter of Edward Snowden to increase its market share in China. Snowden's legacy of doubt is still floating around and fanning government concerns about NSA surveillance and possible backdoors in the technology sold by U.S. companies. IBM, Hewlett-Packard and Microsoft are among the tech giants that have faced hurdles in China.

Chinese government officials raided Microsoft offices in Beijing, Shanghai, Guangzhou and Chengdu in July in an ongoing antitrust probe. They “banned” Windows 8 on PRC government systems for “security reasons” in May, amid speculation that the move was driven in part by the official end of Windows XP support.

And yet these safeguards should come as no surprise. In March, reports surfaced that linked the NSA to surveillance of the Chinese Trade Ministry, specific officials and network equipment supplier Huawei. According to leaked documents, the NSA had gained access to email archives and even source code for specific Huawei products.

Fears of backdoors and heightened concerns about whom to trust are running rampant, and not just between China and the United States. The security audit of the open source file-and-disk-encryption utility TrueCrypt was a step in the right direction, but the information security industry needs to do more, according to Robert Richardson, editorial director of SearchSecurity. “Whether TrueCrypt is fit to use or not, its audit and demise raise key questions about security in open source software,” he writes in his thought-provoking column “Open source needs serious security help.”

Open source code faces increased scrutiny, and information security professionals would do well to heed the lessons of Heartbleed, agrees Michael Cobb, SearchSecurity's respected authority on application security. “As the Heartbleed flaw in the OpenSSL cryptographic software library has shown, relying solely on others to correctly implement and deliver security can put enterprise and customer data at risk,” advises Cobb in this month's cover story on application security post-Heartbleed.

The success of open source software hinges on “trusting” the development community. The abrupt end of TrueCrypt's development in May was also attributed, on SourceForge, to “potential security issues” after Microsoft's termination of Windows XP support, in part because later versions of Windows offer built-in support for encrypted disks.

But is that really what happened? If the answer is based on trust, most of us will never know.

About the author:
Kathleen Richards is the features editor of Information Security magazine. Follow her on Twitter @RichardsKath.

Send comments on this column to [email protected].

This was last published in September 2014