Open Source: Security’s Open Wound

Open source software is proliferating at an ever-increasing rate and does not look to be slowing down anytime soon. This isn’t a bad thing in general, as reusable open source code saves time and money for all kinds of companies. Where it hurts, though, is in the arena of security. These pieces of software are often patched and have their discovered vulnerabilities repaired; however, they are large targets for attackers that we are inserting into our networks.

Why is this? Well, using open source code has a double-edged effect. On one hand, you are able to check the code to make sure there is nothing that, by default, would compromise your security. On the other hand, the people who are trying to get into your network have the same access, with the exact opposite scrutiny. Their focus is on where they can hook in, whether through a bug or a security oversight like a SQL injection, which will tell them exactly how to break into the software.

So now that both sides are able to read the source, what do we do? The first answer, as usual in these cases, is patching. Making sure the latest and most secure version of the software is installed will help cover what is known to be vulnerable. This still leaves us at the mercy of the attacker, since they just need to find a new hole, which they will. Patching, like antivirus, is a great tool and should be used, but it will not be the silver bullet to save our networks. Not even close.

Well, if patching is like putting a band-aid on a bleeding artery, then what will save this open wound? Unfortunately, there really is no way of fixing these ‘zero-days’ in the traditional way. ‘If we knew about it we would stop it, but we don’t, so what can we do?’ This is the essence of the realization, but luckily that isn’t the end of the thought. What we need to do is look for something that will help cut these attacks off at the knees. Instead of fighting them head on using signatures, we need to cripple their basic ability to infiltrate and exfiltrate unimpeded. This can be accomplished through techniques like access control, where truly defined and enforced rules can debilitate the basic needs of these attackers.

Open source isn’t going to disappear, nor are its inherent downsides, but that isn’t to say we are devoid of options.  Access control isn’t the only technique that we can apply to solve these issues, but it is a powerful one.  We need more tools and products that apply concepts like these if we ever hope to start really stopping attacks.
