Open source platform security considerations

By Eric Vanderburg, Information security executive

These days, more and more organizations are opting to use open-source platforms and software for their business needs. Open-source software is software whose source code anyone may view, modify, and redistribute under the terms of its license. There are a number of benefits to using this type of software, but it is important to recognize the potential security risks as well.

Open-source advantages

Perhaps the most impactful benefit of an open-source platform is the price: there is usually no license fee. Implementation, support, and ongoing maintenance still cost time and money, but the software itself is typically free.

Open-source platforms are usually customizable as well. Because you have access to the source code, you can adapt the product to your needs. For example, if an open-source product meets 90 percent of your requirements, your team can write the other 10 percent (and should plan to carry those local changes forward across upstream releases). If a closed-source platform met 90 percent of your requirements, the vendor would have to code the other 10 percent, typically for a large fee.

Regardless of the benefits, sometimes a company's use of an open platform is purely circumstantial. If your company already runs open-source operating systems, some closed-source options may not be compatible; the same is true on the server side.

Security risks

Some of the things that make open-source platforms a great option also expose them to weaknesses, namely the openness of the code and the absence of a vendor obligated to support it.

Without a vendor-provided support team, much of the stability of an open-source platform can rest on one or two key developers. If such a developer leaves the project, development and security fixes can stall. With no support hotline to call, progress is at the mercy of the remaining developers and the platform's community.

In place of a vendor support organization, open-source platforms typically have a community of developers who work together to learn the software, contribute changes and patches, and help others with their issues.

When a vulnerability is found in closed-source software, the vendor modifies the code and releases an update to users. Mature open-source projects also publish fixes, but responsibility for tracking advisories, applying the update, and rebuilding any local modifications rests with the user; if nobody is watching the project's security announcements, the fix never arrives. Patching gets harder as other modules and tools are added to the platform: the core platform may release a patch that is incompatible with third-party modules, leaving the platform exposed while those additional tools are brought up to date.

While the camaraderie found in open-source communities is often beneficial, it also exposes open-source platforms to vulnerabilities. Users don't always know where the code came from: it could be expertly written, or it could come from someone just trying out coding who has created something with weaknesses. A good way to establish the state of the code is to have it audited, by reviewing the source and its change history and running static analysis against it.

Another issue with code of unknown origin is licensing. Code is often reused between projects, making it all too easy to unknowingly violate license terms (for example, by shipping copyleft-licensed code inside a proprietary product).

Other concerns to keep in mind:

  • Many open-source applications are distributed through BitTorrent or through mirror sites. A mirror or torrent can serve a build with something malicious attached, so verify the download against a checksum and signature published by the project itself rather than by the mirror.
  • Occasionally, the code ships as source and users have to download and compile it on their own machines. A flawed or compromised compiler can turn good code into flawed code; Ken Thompson's "Reflections on Trusting Trust" showed that a backdoored compiler can insert a backdoor that is invisible in the source. Reproducible builds, where independent parties compile the same source and compare the resulting binaries, are the usual defense.
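One way to do the verification suggested in the first bullet, as an added example that is not from the original article: parse a GNU `sha256sum`-style checksum list, hash the downloaded bytes, and reject anything that does not match or is not listed. The archive bytes, file names and checksum list are constructed placeholders; the digests are the standard SHA-256 test vectors for the input "abc" and for empty input, so the expected values can be written down rather than computed by the script itself.

```python
"""Checksum verification for a downloaded open-source artifact.

Added example (not from the original article). The "tarball" bytes and the
SHA256SUMS text below are constructed stand-ins so the script runs offline;
in practice the checksum list comes from the project's own signed release
page, never from the mirror or torrent that served the file.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class VerifyResult:
    ok: bool
    reason: str


def parse_sha256sums(text: str) -> dict[str, str]:
    """Parse the `<hex digest>  <filename>` lines produced by GNU sha256sum.

    Binary-mode entries carry a leading '*' on the filename; it is stripped.
    Malformed lines are rejected rather than skipped, so a truncated or
    corrupted checksum file cannot silently verify nothing.
    """
    table: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed checksum line: {raw!r}")
        digest, name = parts
        try:
            int(digest, 16)
        except ValueError:
            raise ValueError(f"non-hex digest on line: {raw!r}") from None
        table[name.lstrip("*")] = digest.lower()
    return table


def verify_artifact(name: str, data: bytes, sums: dict[str, str]) -> VerifyResult:
    """Hash the downloaded bytes and compare with the published digest."""
    expected = sums.get(name)
    if expected is None:
        return VerifyResult(False, f"{name} is not listed in the checksum file")
    actual = hashlib.sha256(data).hexdigest()
    # Constant-time compare; cheap here, and the habit matters elsewhere.
    if not hmac.compare_digest(actual, expected):
        return VerifyResult(False, f"digest mismatch for {name}: got {actual}, expected {expected}")
    return VerifyResult(True, f"{name} matches the published digest")


# Constructed sample data. The genuine archive is the three bytes b"abc" so the
# expected digest is a known SHA-256 test vector; the tampered copy differs by
# one byte, as a mirror-served trojaned build would. CHANGELOG.txt is a
# zero-length placeholder listed in binary mode ('*') to exercise that syntax.
ARTIFACT_NAME = "platform-1.2.3.tar.gz"
GENUINE_ARCHIVE = b"abc"
TAMPERED_ARCHIVE = b"abd"
PUBLISHED_SUMS = (
    "# SHA256SUMS as published by the (hypothetical) project\n"
    "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  platform-1.2.3.tar.gz\n"
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 *CHANGELOG.txt\n"
)


def check_download(name: str, data: bytes, sums_text: str) -> VerifyResult:
    """Full path a downloader takes: parse the list, then verify one file."""
    return verify_artifact(name, data, parse_sha256sums(sums_text))


if __name__ == "__main__":
    for label, blob in (("genuine", GENUINE_ARCHIVE), ("tampered", TAMPERED_ARCHIVE)):
        result = check_download(ARTIFACT_NAME, blob, PUBLISHED_SUMS)
        print(f"{label}: {'OK' if result.ok else 'REJECT'} - {result.reason}")
```

A checksum fetched from the same mirror as the file only proves the download was not corrupted in transit, since whoever replaced the file could replace the checksum too. Fetch the checksum list from the project's canonical HTTPS site and verify its detached signature first (for example `gpg --verify SHA256SUMS.asc SHA256SUMS` with a maintainer key obtained out of band), then run a check like the one above.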

Security risk prevention and solutions

So, what is the best way to prepare for and avoid these security concerns? Start by asking the following questions:

  • How does the open-source project vet contributors and review their code before it is merged?
  • Is there a set of security standards to which developers must adhere?
  • Is there a dedicated support channel, and a documented process for reporting and fixing security vulnerabilities?
  • Does the platform certify compatible applications and modules?

Once those questions have been satisfactorily answered, look at the platform's overall layers of defense. Products exist that monitor transactions or back-end databases and raise alerts or block actions that fall outside defined security parameters; they add a layer of protection that does not depend on the platform's own code being flawless.

Another good option is to research published audits and deployment reports for the platform. A third-party security audit tells you what reviewers found in the code, and write-ups from organizations that have already implemented the system let you learn from their experience. Of course, if you choose to implement the platform, you should run evaluations on your own environment, such as penetration tests or a gap analysis, to ensure that the software is not deployed onto an already vulnerable system.

In the enterprise, open source software can be a great benefit for those who take the time to weigh the risks and select the right platform.

This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.

About the Author: Power More