Cyber and Open Source: Some Helpful Thoughts
I just read a compelling article that deserves a +1.
Darren Prehaye shares some great thoughts on Open Source.
In this thoughtful article, Mr. Prehaye confronts, head-on, the complex issues surrounding Cyber Security and the open-source software movement. What was once thought to be a niche technology movement based on idealism has morphed into an industry that has been embraced by large enterprises and small startups alike. What’s at stake then? How do we ensure the security of source code and software when accountability is assumed by the population of open-source developers instead of with a team paid by an organization with a vested interest in reputation management and profits that come from technology adoption?
Prehaye points out that proponents of open-source will often argue that the very nature of their code management processes will make the software they produce/maintain more secure, facilitating:
· More frequent code updates
· Transparency, and
· Depth of expertise
He brings up the major move by Tesla (a multi-billion dollar company) to open-source their code base to allow for better collaboration and more rapid advances in technology, Microsoft and IBM that have embraced open source Linux distributions and the increase in “bug bounty” programs by these enterprises in order to ensure security by collaboration.
Mr. Prehaye also provides a solid counter to open-source proponents by noting that a highly visible platform (such as Tesla’s) cannot be compared to software that faces less scrutiny and is therefore poorly maintained.
Open-source becomes more ominous when one considers the large base of applications and systems that are created, released and then not properly (or frequently!) maintained! He wisely points out the dangers here that must be carefully considered in the face of open-source adoption.
As an IT and Cyber professional, I have seen many well-intentioned employees implement well-functioning open-source systems without a thought for the long-term implications. When a system is plugged in and starts to perform a critical function, it’s often hard to disentangle this from the business (especially when the competing, commercial options are often cost prohibitive). Therefore, it’s crucial that organizations know the exact footprint of open-source in the enterprise in order to quantify risk – if software isn’t being updated or reviewed for bugs and vulnerabilities, it has no place in the enterprise.
Unfortunately, most IT and cyber leaders are too concerned with other matters to wrap their arms around this problem, and therein lies the rub … the risk of open-source is real, and without a comprehensive plan to track and manage open-source, the risk posed often far outweighs the benefit.
Prehaye makes many good points, and brings to light those “hard parts” about open-source that many zealous proponents conveniently ignore.
The smart IT executive would do well to implement some strong controls around the use of open-source … not dismissing it whole cloth, but being aware of the real risk posed by software that can easily fall into a static mode (introducing entry points into the organization’s most valuable assets, it’s IP and those systems that drive business day-to-day).