For years, open-source software has had a rep for being risky compared with managed alternatives. But perhaps the real problem is less about how it’s made and more about how it’s maintained.
Nearly every organization has a little bit of open-source software in its stack, but its reputation hasn’t always been the greatest in some parts of the enterprise.
Among the various knocks against open source is a belief that it’s riskier than commercial alternatives, which at least have a company that can manage things for you. Some might have a sunnier mindset, but when a story like the 2014 Heartbleed vulnerability hits, it only bolsters the case of skeptics.
But a recent study on risk management and open source points to a different problem: maintenance.
The “2019 Open Source Security and Risk Analysis” [registration], from the Synopsys Cybersecurity Research Center and based on anonymized data from the company’s Black Duck audit services, noted that roughly 60 percent of the code in the code bases it studied was open source. Some fields—such as software infrastructure, virtual reality, and financial services—universally had some form of open-source software in their code bases. Internet-based tools, mobile apps, marketing technology, and cybersecurity had the highest percentages of open-source code in their bases, with martech in particular built around 78 percent open-source software.
Oddly enough, jQuery represents a great example of the major failing that many organizations have with open-source software—keeping their tools up to date. According to the report, the most common vulnerability found in the code bases studied was a jQuery flaw that exposes sites to cross-site scripting (XSS) attacks. The report added that jQuery was the component most likely to carry a known vulnerability of some kind.
To be clear, the XSS vulnerability is not new. The first version of jQuery that this report says doesn’t have the flaw came out nearly six and a half years ago—a lifetime in tech years. And this is not some obscure piece of code, either—while jQuery has started to fall out of fashion in modern development stacks, for years loading jQuery on a website was the de facto standard for web developers.
It’s no surprise, given that news, that the report found that 43 percent of code bases had vulnerabilities that were more than 10 years old. Heck, one vulnerability discovered in the audit was first pinpointed more than 29 years ago. Taylor Swift was 6 months old when this exploit was first uncovered.
Multiply the clear maintenance issues by the fact that more vulnerabilities and fixes are being uncovered daily—and potential licensing changes are increasingly a factor—and you have an obvious problem at play.
“While the efficiencies and cost savings of code reuse are clear, organizations rarely review the incoming code regularly for potential security and legal issues,” the report states in its conclusion. “Too few companies manage their developers’ use of open source, and too few can produce an accurate inventory of open-source components, licenses, versions, and patch status.”
Reframing an Old Argument
There’s a lot to unpack here.
On the one hand, the maintenance concerns play into the hands of critics of open-source software, who say it’s better to have something that’s more managed. But there’s a strong counterpoint to this: Basically everyone is using open-source software these days, including those who previously have criticized it. (Microsoft just announced it would add a full-fledged Linux kernel to Windows in an effort to sway developers, a key sign that this discussion is shifting.) It’s a fundamental building block and a key tool for any form of modern development.
If you haven’t had a chance to dig into your association management system (AMS) or learning management system (LMS) lately, odds are there’s open-source code baked in there somewhere.
But the same point can be argued the other way: The report notes that more vulnerabilities were actually found in proprietary software, which often passes through fewer developer hands than open-source code. Open-source providers, in fact, have created entire systems, such as the popular package manager npm, that aim to keep software up to date.
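The report’s complaint that too few organizations can produce an inventory of open-source components, licenses, versions, and patch status is a concrete, fixable gap, and npm’s lockfile gives you most of the raw material. The script below is an added example, not code from the report or from the npm project: it reads a constructed package-lock.json-style object, builds a component inventory, and flags any package whose installed version is below a “fixed in” version from an advisory list. The lockfile contents, the advisory entries, and the fixed-in version are all placeholders made up for this example; a real check would pull them from your actual lockfile and an advisory database rather than from constants.

```javascript
// Added example: build a component inventory from npm lockfile data and
// flag packages installed below a known fixed version.
// All data here is constructed for illustration; the advisory "fixedIn"
// value is a PLACEHOLDER, not a real jQuery fix version.

// Constructed lockfile excerpt in the package-lock.json v2 "packages" shape.
const LOCKFILE = {
  name: "example-site",
  lockfileVersion: 2,
  packages: {
    "": { name: "example-site", version: "1.0.0", license: "UNLICENSED" },
    "node_modules/jquery": { version: "1.11.0", license: "MIT" },
    "node_modules/lodash": { version: "4.17.21", license: "MIT" },
    "node_modules/left-pad": { version: "1.3.0" }, // no license field
  },
};

// Constructed advisory list: minimum version considered patched.
// PLACEHOLDER values; a real inventory would consult an advisory database.
const ADVISORIES = [
  { name: "jquery", fixedIn: "3.0.0", issue: "PLACEHOLDER-XSS" },
];

// Parse "major.minor.patch" into numbers; tolerate a pre-release suffix
// such as "1.2.3-beta" by ignoring everything after the first hyphen.
function parseVersion(v) {
  const parts = v.split("-")[0].split(".").map(Number);
  while (parts.length < 3) parts.push(0);
  if (parts.some(Number.isNaN)) throw new Error(`bad version: ${v}`);
  return parts;
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Turn the lockfile's "packages" map into inventory rows. The key is a
// filesystem path, so the package name is whatever follows the last
// "node_modules/" segment (this keeps scoped names like "@scope/pkg").
function buildInventory(lock) {
  const marker = "node_modules/";
  const rows = [];
  for (const [path, meta] of Object.entries(lock.packages)) {
    if (path === "") continue; // the root project itself, not a dependency
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    rows.push({
      name,
      version: meta.version,
      license: meta.license || "UNKNOWN", // missing license is itself a finding
    });
  }
  return rows;
}

// Annotate each row with patch status against the advisory list.
function assessInventory(rows, advisories) {
  return rows.map((row) => {
    const hits = advisories.filter(
      (a) => a.name === row.name && compareVersions(row.version, a.fixedIn) < 0
    );
    return {
      ...row,
      status: hits.length ? "OUTDATED" : "OK",
      issues: hits.map((h) => h.issue),
    };
  });
}

// Full pipeline: lockfile object in, assessed inventory out.
function report(lock, advisories) {
  return assessInventory(buildInventory(lock), advisories);
}

// Print a one-line-per-component summary when run directly.
for (const row of report(LOCKFILE, ADVISORIES)) {
  console.log(`${row.name}@${row.version} [${row.license}] ${row.status}`);
}
```

The inventory rows are plain objects so they can be written out as CSV or JSON and kept alongside the release; the useful habit is regenerating the report on every dependency change rather than once a year, which is the maintenance discipline the report says most organizations lack.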
“The reality is that open source is not less secure than proprietary code,” the report states. “But neither is it more secure. All software, be it proprietary or open source, has weaknesses that might become vulnerabilities, which organizations must identify and patch.”
To put this another way: Maintenance is going to be a problem no matter who’s in charge of the code base, and we’re getting past the point where we can blame the way the software is made. At some point, we have to look at this as an issue of who owns the maintenance.
If that’s a vendor, great. If it’s in-house, even better! But the fact is, the world runs on open-source software, and we have to reframe our thinking on it. It’s probably a key component of the technology your association uses on a daily basis—proprietary, managed, or none of the above—and ignoring that reality could catch you by surprise when a security issue arises.
No matter who owns the code, your goal should be to ensure it’s maintained.