These days, more and more organizations are opting to use open-source platforms and software for their business needs. Open-source software is software that allows third parties to view, modify, and even relicense the software code. There are a number of benefits to using this type of software, but it is important to recognize the potential security risks as well.
Perhaps the greatest benefit of an open-source platform is the price, as the initial licensing costs are usually non-existent. There may be implementation fees, but open-source platforms are typically free.
Open-source platforms are usually customizable as well. Because you have access to the source code, you have a product that is easy to adapt to your needs. For example, if an open-source product meets 90% of your requirements, your team can custom code the other 10%. If, however, you had a closed-source platform that met 90% of your requirements, the vendor would have to code in the other 10%, typically for a large fee.
Regardless of the benefits, sometimes a company’s use of an open platform is purely circumstantial. If your company is using other open-source operating systems, some closed-source options may not be compatible. Compatibility is an issue with servers as well.
Some of the things that make open-source platforms a great option also expose the platform to weaknesses, namely the open-source code and lack of support that comes with it.
Without a vendor-provided support team, much of the stability of an open-source platform relies on a key developer or two. If that developer leaves the project for some reason, suddenly the project is postponed. With no support hotline to call, the progress of the project is at the mercy of other developers or the platform’s community.
Because open-source platforms don’t have the advantage of a support system like closed-source, there is often a community of developers who work together to learn more about the software, make changes and patches, and help others with their issues.
When vulnerabilities occur in closed-source code, the vendor will modify the software and release an update to users. In open-source, however, users have to patch the vulnerability themselves. Patching gets more difficult as other modules and tools are added to the platform: while the main platform may release a patch, it may not be compatible with third-party tools, leaving the platform exposed to those weaknesses until all of the additional tools have been updated as well.
While the camaraderie found in open-source communities is often beneficial, these communities also expose open-source platforms to vulnerabilities. Users don’t know exactly where the code is coming from. It could be expertly programmed code, or it could be written by someone who is new to coding and has inadvertently created a program with vulnerabilities. A good way to check the state of the code is to run an audit.
Another issue with an unknown origin of the code is licensing. Code is often reused between projects, making it all too easy to unknowingly violate licensing agreements and copyrights.
Other concerns to keep in mind:
- Many open-source applications are distributed through BitTorrent or through sites that use mirrors. This can lead to downloading an application that has something malicious attached to it.
- Occasionally, the code is shipped “as is” and users have to download it and compile it on their own machines. If their computer has a flawed compiler, it can turn good code into flawed code.
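As an added example (not code from the original post), the following Python script shows the check a practitioner would run on an artifact fetched from a mirror or torrent: parse the project’s published SHA256SUMS-style file and compare the downloaded bytes’ SHA-256 digest against the listed value, so a copy that a mirror altered is rejected. The artifact bytes, the tampered copy and the checksum file are constructed samples.

```python
import hashlib
import hmac

# Constructed sample: a release tarball's bytes as the maintainer published it,
# and a copy that an untrusted mirror altered. Real artifacts are read from disk.
GOOD_ARTIFACT = b"example-platform-1.0.tar.gz contents (constructed sample)\n"
TAMPERED_ARTIFACT = GOOD_ARTIFACT + b"# extra bytes appended by an untrusted mirror\n"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of the artifact bytes."""
    return hashlib.sha256(data).hexdigest()


def parse_sums(text: str) -> dict:
    """Parse a SHA256SUMS-style file: one '<hex digest>  <filename>' per line."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(maxsplit=1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed checksum line: {line!r}")
        digest, name = parts
        # A leading '*' marks binary mode in coreutils sha256sum output.
        expected[name.lstrip("*")] = digest.lower()
    return expected


def verify_artifact(name: str, data: bytes, sums: dict) -> bool:
    """True only if the artifact's digest matches the digest published for its name."""
    if name not in sums:
        return False  # no published digest at all: treat the file as unverified
    # compare_digest avoids timing differences; harmless here but a good habit.
    return hmac.compare_digest(sha256_hex(data), sums[name])


# Constructed checksum file. In practice it comes from the project's own site
# (ideally signed by the maintainers), never from the same mirror as the download.
SUMS_FILE = f"{sha256_hex(GOOD_ARTIFACT)}  example-platform-1.0.tar.gz\n"


def check_both() -> tuple:
    """Verify the genuine and the tampered copy against the published sums."""
    sums = parse_sums(SUMS_FILE)
    return (verify_artifact("example-platform-1.0.tar.gz", GOOD_ARTIFACT, sums),
            verify_artifact("example-platform-1.0.tar.gz", TAMPERED_ARTIFACT, sums))


if __name__ == "__main__":
    print(check_both())  # prints (True, False)
```

A checksum only proves the download matches what the publisher listed; fetching the sums file over the same untrusted channel defeats the purpose, so obtain it (or a signature over it) from the project directly.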
Security Risk Prevention and Solutions
So, what is the best way to prepare for and avoid these security concerns? Start by asking the following questions:
- How does the open-source platform vet programmers?
- Is there a set of security standards in place to which developers must adhere?
- Is there a dedicated support channel?
- Does the platform certify compatible applications?
Once those questions have been satisfactorily answered, take a look at the platform’s overall layers of defense. There are different products that can be implemented to monitor transactions or back-end databases and send out alerts or block actions that are outside of security parameters.
Another good option is to research open-source audit reports. With these reports, you can hear from someone who has already implemented the system and learn from their experience. Of course, if you choose to implement the platform, you should always run evaluations on your own system, including penetration tests and a security gap analysis.
Have a question about open-source platform security? Need help implementing some security best practices? Contact the talented eDiscovery and eSecurity team at JURINNOV.