Combating Cyber Threats: The Power of Open Source

Introduction 

In the constantly evolving cybersecurity landscape, the discussion about the efficacy of open source software (OSS) remains active. I remember having this debate repeatedly since my early days of involvement in open source development over two decades ago. Critics often claim that the availability and transparency of open source code make it easier for hackers or bad actors to find and exploit vulnerabilities. However, this view overlooks the strengths of the open source development model: transparency, collaboration, and collective intelligence. Open source software can be a powerful tool against cyber threats when used effectively and my goal with this short post is to highlight how these three key characteristics of the open source development model contribute to combating cyberthreats.

Transparency: A Double-Edged Sword

The transparency of the open source software development model might seem like a double-edged sword. On one hand, the open nature of development and the public availability of the source code means that vulnerabilities are visible to all, including potential malicious actors. Conversely, this transparency and availability enable a diverse range of experts from different organizations, backgrounds, and areas of expertise to identify and collaboratively resolve issues more rapidly than any single individual or organization could achieve alone.

In closed source (sometimes referred to as proprietary) environments, security issues can go unnoticed and unaddressed for long periods. Take the Heartbleed bug, for example. It affected the OpenSSL library, a critical piece of open source software, that organizations worldwide depend on. While the bug was serious, the open source community's response was swift and effective, demonstrating the power of collective action. Transparency didn't create the problem, however, it enabled a quick resolution.

Collaboration: Strength in Numbers

The real strength of open source software lies in its collaborative nature. Hundreds of thousands of developers, companies, and organizations review and contribute to open source projects globally. In the Linux Foundation, we host over a thousand projects considered critical to running our modern infrastructure, with over 800 thousand developers contributing to these projects from thousands of organizations. This is a sampling of the widespread participation that creates a robust system of checks and balances that closed source models lack. The diversity of contributors ensures continuous scrutiny and improvement, each testing and deploying in support of their unique use case leading to a far greater degree of tested and stable code when compared to a single closed source codebase. 

A great example would be the Linux operating system, which powers much of the Internet's infrastructure. Its security and success are largely due to the global community of developers constantly monitoring and enhancing the code. This collaborative approach means that no single failure point can compromise the entire system. The numerous eyes on the code make unnoticed vulnerabilities less likely. 

Ecosystem Support: A United Front

The open source ecosystem is backed by thousands of organizations, from tech giants to nonprofits, educational institutions, and government R&D labs. These organizations provide financial support, development resources, and strategic guidance, and participate in the process of development, testing, and deployment. This broad support network ensures that essential open source projects receive the attention and resources they need to maintain high-security standards.

In its effort to bolster the security of critical open source projects, the Linux Foundation launched the Open Source Security Foundation (OpenSSF) to bring together industry leaders, researchers, and practitioners to improve the security of open source software. This cross-industry collaboration helps develop best practices, security tools, and protocols that enhance the overall security of the open source ecosystem. Through such united efforts, critical vulnerabilities are addressed effectively. OpenSSF provides resources, guidance and infrastructure to open source projects and developers worldwide. OpenSSF plays a pivotal role in shaping the future of software development, emphasizing the importance of open standards and the collective effort in addressing global challenges, including cybersecurity.

Furthermore, the Linux Foundation has been leading the charge for over 14 years now with its System Package Data Exchange (SPDX)¹ standard, which has been previously called Software Package Data Exchange. SPDX is an open standard for communicating software bill of materials (SBOM) information, necessary for enhancing transparency in the software supply chain. It provides a standardized format for detailing components, licenses, and provenance of software packages. This transparency is vital for organizations to manage compliance, security, and quality across their software assets. By adopting SPDX, organizations can accurately track and share information about software components, thereby reducing the risk of vulnerabilities, ensuring legal compliance, and fostering trust among stakeholders. 

Addressing the Skeptics

Skeptics argue that the visibility of open source code is a liability, providing a roadmap for attackers and bad actors. However, this view ignores the proactive measures taken by the open source community against such use cases. Vulnerabilities, once identified by community members or adoptees of the software, are fixed with unprecedented speed and transparency. This community-driven approach promotes a culture of continuous improvement and rapid response, crucial in the fast-paced cybersecurity landscape. 

At the Linux Foundation, we assume a strong position on software security and have established several practices implemented by our hosted projects to enable improved security measures such as:

1. Implementing Two-Factor Authentication (2FA): Require 2FA for all organization members to add a layer of security to GitHub accounts
2. Utilizing Access Control Features: Leverage GitHub’s built-in access control features, such as roles and teams, to restrict access to repositories and define specific actions members can perform
3. Enforcing Branch Protection Rules: Use GitHub branch protection rules and the CODEOWNERS file to ensure that every change to repositories is reviewed by the appropriate personnel
4. Pursuing the OpenSSF Best Practices Badge: Attain and maintain the OpenSSF Best Practices Badge, which recognizes open source projects that adhere to high standards of security and vulnerability management. Projects must demonstrate a robust security policy, a clear vulnerability reporting process, and effective methods for handling reported vulnerabilities. Earning this badge signals that the project prioritizes security and handles vulnerabilities responsibly
5. Establishing a Security Response Team: Projects need to identify key individuals responsible for handling security issues within the project. We typically set up a dedicated mailing list for security discussions, create a SECURITY.md file, and establish an email account to receive security vulnerability alerts.
6. Adopting the Developer Certificate of Origin (DCO): Apply the GitHub Developer Certificate of Origin (DCO) app to all repositories in any project’s GitHub organization. This provides a lightweight mechanism for contributors to certify that they have the right to submit the code they contribute
7. Conducting Regular Security Scans: Perform regular security scans on all repositories to identify and address known vulnerabilities as soon as they are discovered
8. Utilizing the OpenSSF Scorecard: Use the OpenSSF scorecard to help maintainers enhance their security practices and to assist open source consumers in evaluating the safety of software dependencies.

The notion that closed-source software is more secure due to its obscurity is increasingly being disproven. Security through obscurity is not sustainable. The frequent breaches in proprietary systems highlight the need for a more transparent and collaborative approach to security - qualities that are intrinsic to open-source software development.

Embracing Open Source for a Secure Future

The cybersecurity landscape is full of challenges, but open source software offers a way forward marked by transparency, collaboration, and collective intelligence. By adopting open source development principles, organizations can leverage the strengths of a global community to build more secure systems. It has been repeatedly proven that the open source model enables rapid identification and fixing of vulnerabilities and fosters a culture of continuous improvement and shared responsibility.

As cyber threats grow more sophisticated, the collaborative power of open source software stands as a strong defense. It's time to move beyond outdated security notions and recognize the unique potential of open source in protecting our digital future.

Call to Action

The Linux Foundation stands as a catalyst for open source collaboration and innovation, offering a unique, neutral platform for organizations and individuals dedicated to advancing security through transparency and collective effort. We invite you to join our global community, where your participation can drive the development of secure, reliable software that meets the challenges of today’s cybersecurity landscape. Together, we can harness the power of open source to build a safer digital future through openness, collaboration, and shared responsibility.

--
 ¹ With the release of SPDX 3.0, the SPDX community updated the name of the standard to System Package Data Exchange.