Using open source software can have its benefits – the quality can be better than when using proprietary programs, as more than one development team can work to iron out bugs and glitches. End users can also have more of a say in the future development of the software, including custom elements and flexibility with compatibility to different operating systems. Some of the most popular software in the world is open source, including Linux, WordPress, Firefox, Magento and Thunderbird, and typically the response is good, but there are some potential pitfalls to be aware of! Security is a big concern, and it’s important that both developers and users of open source software know how to protect themselves.
Open source coding can be accessed by anyone at any time, and there’s no guarantee that they will be someone genuinely trying to audit or use the software to benefit others. Potential attackers and hackers won’t hesitate to use any un-patched vulnerability that presents itself, and this won’t necessarily be noticed by others accessing the code for genuine reasons. In 2014 alone two major flaws were discovered, Heartbleed and Shellshock (Bashdoor); the latter of which made more than 17,000 attacks on 1,800 domains in the first 24 hour period of being reported. Companies to be affected by Heartbleed included Instagram, Pinterest and Google, and those affected by Shellshock included Cisco Systems, Apple and Google (again).
As a developer or development team using open source to build software, there are some precautions you should keep in mind as you work.
• A list should be kept of all open source frameworks, middleware, applications and libraries in use at any given time, including version histories and components. This will then make it easier to find updates, trace the code’s origin if needed and keep a check on new versions as they are released
• Delegate the responsibility of evaluating code to more than one person. A single person checking for vulnerabilities and holes is more likely to make mistakes than a team, and it’s important that being proactive is key!
• Sign up to mailing lists and websites that provide regular information on security vulnerabilities for the software you’re using (and software you may use in the future). BugTraq is popular, as is the MITRE Common Vulnerability and Exposures (CVE) database.
• Test as you go. Don’t leave it until you’ve completed a project to test for holes and security issues. Both automated testing and dynamic analysis need to be used and it’s important that any vulnerabilities discovered are fixed ASAP!
End User Precautions
As an end user of a product running open source software (such as a mobile phone using Android, a website built in WordPress or browsing the web using Google Chrome or Firefox), it’s important to be alert to all potential threats, and keep on top of them by following these guidelines:
• Use strong passwords and change them regularly – this doesn’t only protect you against vulnerabilities in open source software, it also decreases the chances of your private accounts being hacked.
• If you’re downloading apps, make sure you also have a security appon your device to stop any viruses or Trojans downloading with them. Ikarus, Kaspersky and Norton are all well-known names available to download for a number of mobile operating systems.
• Keep up with the news! Only this week, Android Bug Stagefright has been big news, affecting up to 95% of phones running Android Jellybean 2.1 upwards. This bug can infiltrate your phone whilst you sleep as it needs no input from the user to hack in, so whilst there’s not actually anything you can do about it (except hope your phone manufacturer releases Google’s patch, and soon), it’s important to be aware of the potential risk!
• Run a strong antivirus program on your laptop, Mac or desktop – you may not be aware if the website you’re browsing has been infiltrated, but making sure you have something in place to catch any bugs is definitely a good idea!
Using open source software either as a developer or a consumer isn’t a bad thing – but there are more security aspects to be aware of then when working with proprietary software, and above all, it’s important to be aware, take precautions and get on top of any issues that do arise as soon as you can!