Open source software security

The security of open source software is a key concern for organisations planning to implement it as part of their software stack, particularly if it will play a major role.


The main concern is that because free and open source software (Foss) is built by communities of developers with the source code publicly available, access is also open to hackers and malicious users. As a result, there is a common assumption that Foss is less secure than proprietary applications.

Another concern is that the Foss community might be slower to issue critical software patches as vulnerabilities emerge.

Foss proponents claim these anxieties are unfounded and open source can match shrink-wrapped and proprietary software for security and, in some cases, offer greater security.

Andrew Fourie, UK country manager at unified threat management firm Astaro, says it is a myth that Foss carries too high a security risk to use in the enterprise. He says: "Many IT decision makers have a knee-jerk reaction to open source software, especially when it comes to security. They believe [Foss] is fine for do-it-yourself technology geeks working in their basements but for businesses, OSS is unproven, complex and risky.

"Open source critics attack the stability of the platforms as not ready for widespread adoption due to their ever-changing natures as they evolve by contributions to their features and code. They criticise open source for requiring so many patches to stay secure."

But he adds: "The argument that open source must be risky, since it requires so many patches, is countered with the explanation that by having so many individuals working with the source code of these projects, potential vulnerabilities and design flaws are uncovered much faster than with programs built on proprietary code."

Fourie also points out that open source software is already part of most commercial IT infrastructures, with open source projects such as Linux and the Apache web server being common in enterprise IT systems.

Donal Casey, a security consultant at IT reseller and integrator Morse, says open source software is "no less secure than a proprietary stack. It also has the potential to have fewer flaws in it".

Most commercial software companies have a finite-sized team to look at their software, but in the open source community there are many more people to look at the code. So, it could be argued that open source is more secure than proprietary because there is a wider and broader development base. The US Department of Homeland Security scheme, the Open Source Hardening Project, was established in 2006 to check the security of open source software.

The scheme has looked at 50 million lines of code so far, and found that in 250 open source projects, there is one software flaw for every thousand lines of code. But as a result, the project has enabled the open source community to fix 7,826 flaws, which has benefited all users.

So how responsive is the open source community at issuing patches when vulnerabilities are reported?

Mark Cox, who leads the Red Hat Security Response Team, says the responsiveness of any given open source project to a security issue depends on the project and the seriousness of the issue; many of the larger projects (for example, Apache, Mozilla, the Linux kernel) have their own security response teams.

For some issues, the finder of the vulnerability will contact the open source projects directly, and give them time to produce fixes before disclosing the issue publicly. In other cases, the open source project needs to react to an issue that is already public.

"A good example of reaction time was with a Linux kernel flaw. On Saturday 9 February, an exploit was made public that allowed a local unprivileged user to gain root privileges on some Linux kernels (CVE-2008-0600). Within a few hours of it being reported to the kernel mailing list, on 10 February, patches were being exchanged and tested. Later the same day the patches were committed and a new upstream kernel version was released," says Cox.

He adds that the benefit of using a Linux distribution is that security is managed by a single vendor, which can be preferable to having to subscribe to the security lists of all the different open source components being used.

"So Red Hat monitors a number of sources for details about security issues in any of the thousands of open source projects that make up our distributions, backports patches to correct the issues and releases tested updates. Should an open source project not be responsive to a security issue, the vendors work together to come up with a peer-reviewed patch," explained Cox.

In building a secure open source stack for the enterprise, Martin O'Neal, managing director of security consultancy Corsaire, says the approach is broadly the same, whether closed or open source products will be used.

"The only way to be sure that a product is secure is to research and evaluate it yourself. Luckily, this doesn't require you to have either an infinite amount of time or skill, though. Using a search engine to conduct a quick background check for historical security issues with the vendor and product is a good place to start. Additionally, use your social networks: ask your peers if they are using the products, and if they have found them to be secure."

One view from an enterprise open source supplier, Ingres, is that some open source software products, including operating systems, application servers and databases, have high levels of security built into them.

Emma McGrattan, senior vice-president of engineering at Ingres, says: "Open source providers like Red Hat and Ingres, who are building products for enterprise deployment, are building advanced security capabilities, such as fine-grained access control, security auditing and encryption, into their base products. It is possible to construct a secure infrastructure stack built entirely of open source software that could withstand a malicious attack as well as its closed source counterparts."

"Open source detractors argue that providing access to the code will result in security vulnerabilities being more easily uncovered, but the opposite is in fact the case and providing community access to the code results in a stricter and wider review process and potential security vulnerabilities are found and fixed before the products are released," she adds.

Nevertheless, Simon Crossley, partner at international law firm Eversheds, advises organisations to carry out a thorough code review if they are using an open source stack.

He says: "Code reviews allow an assessment of the quality and nature of the security protections of the application and, increasingly, open source security solutions are being adopted because the initial investment cost is lower. Looking beyond this initial investment cost, if third-party code support is required then open source may not be appropriate as support may not always be available and not to the extent that the commercial sector provides. Ultimately, security in open source needs to be looked at in the same way as traditional closed products."

As far as what an open source stack might include, Simon Heron, internet analyst for technology supplier Network Box, says there is a lot of choice among Foss products.

"OpenBSD and Linux come with good connection tracking firewalls, which can act as the basis for the new gateway protection. Snort would provide a good intrusion detection/prevention system. OpenSwan can provide IPSec VPNs, and OpenVPN can provide SSL VPNs. ClamAV can assist with anti-virus and anti-phishing, while SpamAssassin can provide the beginnings of an anti-spam solution."

"However, this would have to be supplemented with real-time blacklists to provide reasonable detection. PacketFence will allow companies to control their network users quite closely. For bandwidth monitoring, ntop provides a good number of different views on the traffic passing through the device. Then implement Nagios to monitor the system to ensure it is running within normal operating parameters."
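Heron's stack starts from the connection-tracking firewall that Linux and OpenBSD ship with. The script below is an added example, not code from the article or from any of the vendors quoted: it emits a minimal stateful iptables ruleset for such a gateway (default deny, tracked replies only, IPsec and OpenVPN endpoints exposed) and includes a sanity check that no ACCEPT rule is left unguarded. Interface names, the LAN network and the SSH allowance are assumptions.

```shell
#!/bin/sh
# Added example: stateful gateway ruleset generator. Interface names and the
# LAN network below are assumptions; adjust them for the site in question.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Emit the rules as text rather than applying them, so they can be reviewed
# (and diffed against the running config) before being loaded with apply_rules.
gateway_rules() {
    cat <<EOF
iptables -F
iptables -X
# Default deny: anything not explicitly allowed is dropped.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Connection tracking: replies to sessions we opened are allowed, unsolicited
# inbound traffic is not, and packets in an invalid state are dropped first.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Administrative SSH only from the LAN side.
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT
# IPsec (IKE on 500, NAT-T on 4500, ESP) and OpenVPN (1194) on the WAN side.
iptables -A INPUT -i $WAN_IF -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i $WAN_IF -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -i $WAN_IF -p esp -j ACCEPT
iptables -A INPUT -i $WAN_IF -p udp --dport 1194 -j ACCEPT
# LAN hosts may initiate outbound sessions; only tracked replies come back in.
iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
# Rate-limited log of what the default policy is about to drop, for the IDS side.
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "gw-drop: "
EOF
}

# Sanity check: count ACCEPT rules bound neither to an interface nor to the
# connection-tracking state. Anything but 0 means a port is open to the world.
unguarded_accepts() {
    gateway_rules | grep -- '-j ACCEPT' | grep -v -- '-i ' | grep -vc conntrack || true
}

# Load the ruleset on the gateway itself (requires root and iptables).
apply_rules() {
    gateway_rules | sh
}
```

Run `unguarded_accepts` after any edit to the ruleset and only call `apply_rules` when it reports 0.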

James Nunn-Price, a director in security and privacy services at professional services consultancy Deloitte, says: "It is a common myth that to achieve a secure open source infrastructure an enterprise requires a completely different approach to security than that for closed source COTS (commercial off-the-shelf) products. The same fundamental principles apply across the board, whether they be based on security frameworks such as ISO 27001 or ITIL domains.

"If you don't have a patching process, for example, you are at risk irrespective of whether or not you use open or closed source. A key factor, whatever your technology choice, is that your staff understand what it is they are managing and have the basic capability to operate it."

He adds that an area of concern with open source has been the question of support if something goes wrong. "While this might still be the case for the more obscure open source projects, the mainstream enterprise-class applications and operating systems have significant backing and support from the likes of IBM, Novell and Red Hat as well as significant track record in business and government critical systems."
