Open Source Security Software

Security solutions can be expensive, but fortunately, there is a plethora of free or low-cost open source security software solutions available. These solutions can be used to quickly identify vulnerabilities and misconfigurations before they can be exploited, but is open source security software safe to use or should it be used with caution?

The Open/Closed Source Debate

There has been considerable debate about the merits of open and closed source software, with the consensus being that there are advantages and disadvantages to both, and that each has value in certain situations. Open source means the source code is public and available for anyone to review; the main benefit of that transparency is that vulnerabilities, compatibility issues, and coding problems are more likely to be found quickly because more people are looking at the code. With closed source, trust must be placed in the vendor that they have checked their code and continue to do so to identify potential flaws.

One common argument against open source is that bad actors are also looking at the code and could identify vulnerabilities that they could exploit, although in reality there are quicker and easier ways for hackers to identify vulnerabilities. Based on the number of data breaches that have affected closed source products, vulnerabilities in closed source solutions are often discovered by cyber actors and exploited without access to the source code.

The open/closed source debate continues, but the reality is open source code is ubiquitous in modern software, even in closed source software solutions. It is simply not possible to develop software and applications quickly enough to gain a competitive advantage without incorporating at least some open source code. One study conducted by the Synopsys Cybersecurity Research Center suggests 95% of all commercial programs contain open-source software, with similar findings from a 1,000-application analysis by the Black Duck Center for Open Source Research & Innovation. That study found around 60% of closed source applications included open source code that has not been updated or is known to be insecure.

Open and Closed Source Security Tools

When it comes to security software, the risks are potentially far higher. Security tools are used to identify vulnerabilities so that security teams can address them before hackers find them. Those tools could potentially have malicious code inserted that relays the findings of investigations to threat actors. The software could insert backdoors, as happened with the recent supply chain attack on SolarWinds. In that incident, a backdoor was installed at approximately 18,000 organizations. Security software is also used to store sensitive data such as passwords, which if compromised could provide access to systems and huge volumes of sensitive data.

With closed source security tools, users cannot tell what the code is actually doing. If any malicious actions are being performed, they are likely to go unnoticed because the source code cannot be inspected.

Open source software is not without its issues. In 2017, the credit agency Equifax experienced a breach of the personal information of 147 million people. Equifax said the reason for the breach was the use of open source software – Apache Struts – which contained a vulnerability that hackers were able to exploit. Details of that vulnerability were not made public, but security experts have suggested this was likely a known Apache Struts vulnerability for which a patch had been made available, and that it was the responsibility of Equifax to address the issue in its applications.

Neither open source nor proprietary software is guaranteed to be invulnerable to cyberattacks, but when it comes to security solutions, the transparency and ability to inspect source code are important benefits. If you are giving a security solution access to your systems, having no idea of what the code is doing is a scary thought.

Free Open Source Security Software

Despite sterling efforts by security teams, vulnerabilities may exist within systems that could easily be exploited by remote attackers, or there could be misconfigurations that expose systems and sensitive data to the Internet. Many organizations are unaware when vulnerabilities and misconfigurations exist until it is too late because they do not take advantage of available security tools.

Proprietary software generally comes at a cost, and the cost of implementing multiple security solutions can be too high for many companies. Pay for antivirus, firewalls, spam filters, web filters, intrusion detection systems, and other key security tools, and you may not have enough left in your budget to pay for anything else. Fortunately, there is free open source security software that can be used in conjunction with proprietary security tools to significantly improve your security posture.

You should certainly take advantage of the many free, open source security software solutions available. While there are risks in doing so, they are far outweighed by the benefits. Using a free, open source tool to scan for vulnerabilities in your web applications will help you find vulnerabilities before they can be exploited. It is far better to use such a tool than to operate blind and hope no misconfigurations exist.

By adding these tools to your arsenal, you can greatly improve your security posture. Bear in mind that hackers use open source tools themselves for finding and exploiting vulnerabilities. An organization that uses open source security software for security monitoring, intrusion detection, threat intelligence, vulnerability assessments, encryption, and network scanning is likely to have a better security posture than one that uses just a couple of proprietary solutions and attempts to get them to identify issues they were not designed to identify.

One important consideration when using open source tools is keeping on top of updates and patches. Providers of proprietary software, Microsoft being a good example, will push out updates to users. In the case of Microsoft that happens on the second Tuesday of the month (Patch Tuesday). Open source security solutions will also be updated, but the updates may not be pushed out to users. It is up to users of the solutions to ensure they are working with the latest version and that patches and fixes for known issues are applied promptly.
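Because open source updates are usually pulled rather than pushed, the practical task is to compare what is installed against what the projects have fixed. The script below is an added example, not code from this article or from any of the tools it mentions: it reads a constructed inventory of tool names and versions (the shape a package manager or SBOM would give you) and a constructed list of advisories with the first fixed version, and reports every installed tool that is still below the fix. The tool names, versions and advisory summaries are invented placeholders; the real inputs would come from the host and from the projects' release notes or a vulnerability feed.

```python
"""Added example: flag installed open source security tools that are older
than the version in which a known issue was fixed.

The inventory and advisory data are constructed sample values, not real
projects or real advisories.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    tool: str
    fixed_in: str   # first version that contains the fix
    summary: str    # short description of the issue (constructed)


# Constructed advisories for hypothetical tools.
ADVISORIES = [
    Advisory("scanner-x", "2.4.1", "example: report download without authentication"),
    Advisory("ids-y", "5.0.0", "example: rule parser crash on malformed input"),
]

# Constructed inventory in "name version" form, one tool per line.
INVENTORY = """\
# name version
scanner-x 2.3.9
ids-y 5.0.2
filter-z 1.2.0
"""


def parse_version(text):
    """Turn '2.4.1' or '5.0.0-rc1' into a tuple of integers.

    Pre-release suffixes after '-' are dropped; this is a deliberate
    simplification, real version schemes can be more involved.
    """
    core = text.split("-")[0]
    return tuple(int(p) for p in re.findall(r"\d+", core))


def is_older(installed, fixed_in):
    """True if installed < fixed_in, padding shorter tuples with zeros so
    that '1.2' and '1.2.0' compare as equal."""
    a, b = parse_version(installed), parse_version(fixed_in)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def parse_inventory(text):
    """Parse 'name version' lines into a dict; blank lines and '#' comments are skipped."""
    items = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, version = line.split()
        items[name] = version
    return items


def find_outdated(inventory, advisories):
    """Return (tool, installed, fixed_in, summary) for every installed tool
    whose version predates the advisory's fix. Tools not installed are ignored."""
    findings = []
    for adv in advisories:
        installed = inventory.get(adv.tool)
        if installed is not None and is_older(installed, adv.fixed_in):
            findings.append((adv.tool, installed, adv.fixed_in, adv.summary))
    return findings


if __name__ == "__main__":
    for tool, installed, fixed, summary in find_outdated(parse_inventory(INVENTORY), ADVISORIES):
        print(f"{tool} {installed} is below fixed version {fixed}: {summary}")
```

With the sample data only `scanner-x` is reported, because `ids-y` is already at or above its fixed version and `filter-z` has no advisory. Feeding the script a real inventory is the cheap way to turn "we should keep up with patches" into a check that runs on a schedule.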

Commercial Open Source Security Software

While the vendors of most cybersecurity solutions do not make their code available for review, there are several commercial open source security software products available. These solutions are not open source in the classic sense: the source code is available to be checked, but it cannot be modified. The developers of these solutions perform updates based on any issues identified by the open source community and security researchers.

Commercial open source security software is not necessarily more secure than proprietary solutions, but the open source nature means users of these solutions benefit from the transparency provided, updates tend to be more frequent, and vulnerabilities are identified and patched more quickly.

There is no guarantee with commercial open source security software that the code has been reviewed, so it is wise to perform research and look at the published code to see how actively it is being checked. Solutions that have undergone a third-party security audit are the best choice, as the audits provide reassurances that the coding is good, and that vulnerabilities and other issues have been identified and resolved.