One of the largest data breaches lately, of the credit bureau Equifax, was by some sources blamed on the open source web framework Struts. Whatever security issue the attackers used to breach Equifax, putting the focus on the topic of open source vs proprietary software is a flawed thought. Security is always hard, and many security issues exist in both proprietary and open source software; there are plenty of examples of both proprietary and open software that have had severe security issues. There are some examples where being open source is likely to have exposed, and fixed, problems earlier, but there are also examples where flaws have hidden in open software for a long time undetected.
One thing that must be emphasized is that flaws are usually discovered sooner or later, regardless of the type of software. The one thing that sticks out is that security protocols and standards are always developed openly and transparently (except in some military applications), and security protocols designed in a closed fashion are usually easily broken.
Open code reveals security issues?
Two examples where open source might have caught problems earlier are the recent vulnerability in a proprietary library used to generate keys in common smart cards, and the now infamous Volkswagen diesel fraud. A vulnerability in a proprietary software library has recently rendered millions of issued electronic ID cards vulnerable. The software flaw had been hiding in a proprietary library since 2012 and was discovered by security researchers doing black box analysis of keys generated by the smart cards. Had the library been a commonly used open source library, it is likely that the code would have undergone more rigorous analysis, although the library as it was had already undergone the highest level of security certification, Common Criteria EAL5.
Open source also has its share of long-lived bugs though, as the Heartbleed vulnerability in the highly popular OpenSSL library showed. This software flaw had also been hiding, in plain sight, for several years until it was discovered, forcing many web sites across the Internet to re-generate cryptographic keys that might have been exposed.
Data breaches due to outdated software
Both of these examples are highly specialized security software bugs, while most Internet breaches, like the Equifax and the now infamous DigiNotar breaches, are due to bad operating procedures where old versions of software, containing known security flaws, are used instead of upgrading to newer versions. In many cases a collection of proprietary and open source components has been assembled, and then never upgraded.
The most notorious hack of a public certificate authority, leading to the shutdown of the entire DigiNotar business, was due to outdated proprietary software systems, both the operating system and the application software. Because the software was not upgraded, it was possible for attackers to exploit weaknesses in these proprietary systems with disastrous consequences.
The latest Equifax breach is claimed to have used weaknesses in an open source framework that Equifax used to build their own system. However, in this case the open source software was not updated, although fixed versions were available.
These examples show that when it comes to security, there are no silver bullets. Research shows that weaknesses are found in proprietary as well as open source components, and both are exploited by attackers to breach systems. Security is a very complex area of IT, with limited expertise world-wide, and neither expensive security audits and certifications, nor full openness and peer review, are a guarantee of security.
This of course also means that since there are no security benefits of not being open, there is no reason to not be open.
What can one do? The best way is to be prepared for security issues, and to staff projects properly so that systems can be upgraded when security issues are discovered. Keeping systems upgraded is the best insurance you can get to stay as protected as possible. Security issues are usually announced, so if you have staff assigned to security, they have the possibility to be notified and to find out about most security issues affecting open source components in due time.
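The point made above, that assembled components must be tracked and compared against announced fixes, can be turned into a routine check. The following is an added example and not code from the article or from any of the projects it names; the component inventory, the advisory list and the advisory ids are all constructed for illustration, and a real check would read the inventory from the deployment's package manifest and the advisories from each project's or vendor's announcement feed.

```python
"""Check a component inventory against published security advisories.

Added example. The inventory and advisories below are constructed for
illustration; the advisory ids are placeholders, not real identifiers.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Advisory:
    advisory_id: str          # placeholder id, not a real CVE
    component: str
    fixed_in: str             # first version that contains the fix
    introduced_in: str = "0"  # first affected version ("0" = every earlier version)


def parse_version(text: str) -> tuple:
    """Turn '2.3.32' into a tuple that compares numerically rather than lexically.

    A pre-release suffix such as '-rc1' ranks below the bare release, and the
    numeric parts are padded so that '2.3' and '2.3.0' compare equal.
    """
    core, _, pre = text.partition("-")
    nums = tuple(int(p) for p in core.split(".") if p.isdigit())
    nums = nums + (0,) * (4 - len(nums))
    return nums + ((0, pre) if pre else (1, ""))


def is_affected(installed: str, adv: Advisory) -> bool:
    """True when the installed version lies in [introduced_in, fixed_in)."""
    v = parse_version(installed)
    return parse_version(adv.introduced_in) <= v < parse_version(adv.fixed_in)


def find_outdated(inventory: Dict[str, str],
                  advisories: List[Advisory]) -> List[Tuple[str, str, str, str]]:
    """Return (component, installed, fixed_in, advisory_id) for every match."""
    hits = []
    for adv in advisories:
        installed = inventory.get(adv.component)
        if installed is not None and is_affected(installed, adv):
            hits.append((adv.component, installed, adv.fixed_in, adv.advisory_id))
    return sorted(hits)


# Constructed inventory: a mix of open source and proprietary components,
# as the article describes, recorded as name -> installed version.
INVENTORY = {
    "web-framework": "2.3.31",
    "tls-library": "1.1.1",
    "os-kernel": "4.4.0-rc2",
    "card-key-library": "3.0",
}

# Constructed advisories with placeholder ids.
ADVISORIES = [
    Advisory("ADV-EXAMPLE-0001", "web-framework", fixed_in="2.3.32"),
    Advisory("ADV-EXAMPLE-0002", "tls-library", fixed_in="1.1.0", introduced_in="1.0.1"),
    Advisory("ADV-EXAMPLE-0003", "os-kernel", fixed_in="4.4.0"),
    Advisory("ADV-EXAMPLE-0004", "card-key-library", fixed_in="3.1", introduced_in="2.0"),
]


def report(inventory: Dict[str, str] = INVENTORY,
           advisories: List[Advisory] = ADVISORIES) -> List[str]:
    """One human-readable line per component that still needs an upgrade."""
    lines = [f"{c} {v} is affected by {a}; upgrade to {f}"
             for c, v, f, a in find_outdated(inventory, advisories)]
    return lines or ["no known advisories match the inventory"]


if __name__ == "__main__":
    print("\n".join(report()))
```

The version comparison is the part that usually goes wrong in home-grown checks: comparing version strings lexically would rank "2.3.9" above "2.3.32", and a pre-release such as "4.4.0-rc2" must be treated as older than the "4.4.0" release that carries the fix. Running this against a maintained inventory on a schedule gives the security staff the notification the article asks for, independent of whether the affected component is open source or proprietary.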
Disclaimer: This article has been published in SecureMAG Volume 10, 2018