The Paradox of OSS: More Secure by Definition; Often Less Secure in Use

The basis of OSS trust is clear. In a Tuesday interview with Jim Zemlin, executive director of the Linux Foundation, VentureBeat asked if there was any truth in the rumors that Linus Torvalds had been asked by government to backdoor Linux. Zemlin replied that there was no truth to those rumors, and added, "If there were a backdoor in Linux, you’d know it. The whole world can see every line of code in Linux. This is one of the reasons Linux is more secure than other operating systems and why open-source software overall is... safer than closed software. The transparency of the code ensures it’s secure."

Asked if this year's surveillance issues have driven or will drive more consumers toward Linux, Zemlin replied, "Around the world, I am hearing people say, “Using open source is a critical to ensure privacy. So yes, I think that will drive more users people to Linux." The nature of Linux, and by extension all OSS, is that it is self-policing. 

But the problem with OSS security is not in its code but in its use. White Source recently evaluated 2,944 software projects with open source components and found that 23% had security vulnerabilities. Since Gartner suggests that 85% of commercial software projects use open source libraries, that is a lot of vulnerabilities available to cybercriminals.

White Source does not believe the problem lies with open source software development or maintenance, but with open source management by its users. Usually, it says, most open source communities are quick to fix issues in their code, but their users are notably slow to update to new versions.

"Often," says Rami Sass, co-founder and CEO of White Source, "no one is assigned to continually monitor the open source for updates. In our study, 98.7% of the open source libraries with vulnerabilities were not updated. This presents considerable security and business risks for both vendor and customer when the product is shipped. If you don’t stay on top of open source updates," he added, "you risk missing critical security fixes that are most likely out there."

The solution to this problem, suggests, White Source, is to automate the management of OSS libraries. Pini Cohen, EVP and Senior Analyst from STKI, explains: “There is a clear disconnect between what is expected from development teams and what they can realistically do. They often lack the expertise and time to continually ensure compliance with open source licenses and monitor open source libraries for future security vulnerabilities and bugs. To properly manage open source for security and compliance, a lot of the adoption and ongoing management should be automated."

What’s Hot on Infosecurity Magazine?