As the report notes, “Vulnerabilities in the Core” should be considered a building block for future reports, not a definitive finding on the use of open source packages in commercial applications at this time. This initial report is “the beginning,” as the authors state, “of a larger dialogue on how to identify crucial packages and ensure they receive adequate resources and support.”
Even with that caveat, “Vulnerabilities in the Core” draws conclusions that are noteworthy for anyone using open source in proprietary software.
1. The need for a standardized naming schema for software components
“The lack of a standardized software component naming schema threatens to stymie efforts by industry and government to better protect themselves from software-based incidents,” the Linux Foundation report argues. As anyone who has attempted to find the “correct version” of a given component can attest, many projects with similar names exist, often with differing functionality, so a name alone does not reliably identify what is actually running in a product.
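As an added illustration (not the report's proposal and not code from the Linux Foundation), the Python below shows the two ways a bare-name component inventory goes wrong, splitting one project into several entries because of spelling variants and merging unrelated projects that share a name across ecosystems, and how an ecosystem-qualified canonical identifier avoids both. The PEP 503 normalization rule for PyPI names is a real registry rule; the npm and Maven branches are simplified, the `ComponentId` scheme is hypothetical, and the inventory rows, including the package name `acme-parser`, are constructed for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

RawRow = Tuple[str, str, str]  # (ecosystem, name as written in the inventory, version)


@dataclass(frozen=True)
class ComponentId:
    """Ecosystem-qualified, normalized identity of one component release (hypothetical scheme)."""
    ecosystem: str
    name: str
    version: str


def normalize_name(ecosystem: str, name: str) -> str:
    """Apply the naming rules of the given ecosystem so spelling variants collapse.

    Only the PyPI rule (PEP 503) is a real registry rule; the npm and Maven
    branches are simplified placeholders for this illustration.
    """
    eco = ecosystem.lower()
    if eco == "pypi":
        # PEP 503: names are case-insensitive and runs of '-', '_' and '.' are equivalent
        return re.sub(r"[-_.]+", "-", name).lower()
    if eco == "npm":
        # npm package names are lowercase; a scoped name keeps its '@scope/' prefix
        return name.lower()
    if eco == "maven":
        # Maven coordinates are 'groupId:artifactId' and case-sensitive
        if ":" not in name:
            raise ValueError(f"maven name must be groupId:artifactId, got {name!r}")
        return name
    raise ValueError(f"unknown ecosystem: {ecosystem!r}")


def canonical_id(ecosystem: str, name: str, version: str) -> ComponentId:
    return ComponentId(ecosystem.lower(), normalize_name(ecosystem, name), version.strip())


def group_by_canonical(rows: Iterable[RawRow]) -> Dict[ComponentId, List[str]]:
    """Map each canonical identity to the raw spellings the inventory used for it."""
    groups: Dict[ComponentId, List[str]] = defaultdict(list)
    for eco, name, version in rows:
        groups[canonical_id(eco, name, version)].append(name)
    return dict(groups)


def spelling_variants(rows: Iterable[RawRow]) -> Dict[ComponentId, Set[str]]:
    """Components that a bare-name inventory would wrongly split into several entries."""
    return {cid: set(names) for cid, names in group_by_canonical(rows).items() if len(set(names)) > 1}


def ambiguous_bare_names(rows: Iterable[RawRow]) -> Set[str]:
    """Bare names that a bare-name inventory would wrongly merge across ecosystems."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for eco, name, _version in rows:
        seen[name.lower()].add(eco.lower())
    return {name for name, ecos in seen.items() if len(ecos) > 1}


# Constructed sample inventory (not real data): two PyPI projects each written two ways,
# and a hypothetical name "acme-parser" that exists in two ecosystems as unrelated projects.
RAW_INVENTORY: List[RawRow] = [
    ("pypi", "Requests", "2.31.0"),
    ("pypi", "requests", "2.31.0"),
    ("pypi", "python_dateutil", "2.8.2"),
    ("pypi", "python-dateutil", "2.8.2"),
    ("npm", "acme-parser", "1.4.0"),
    ("pypi", "acme-parser", "1.4.0"),
]

if __name__ == "__main__":
    groups = group_by_canonical(RAW_INVENTORY)
    for cid in sorted(groups, key=lambda c: (c.ecosystem, c.name)):
        print(f"{cid.ecosystem}:{cid.name}@{cid.version}  <- {sorted(set(groups[cid]))}")
    print("split by a bare-name inventory:", sorted(c.name for c in spelling_variants(RAW_INVENTORY)))
    print("merged by a bare-name inventory:", sorted(ambiguous_bare_names(RAW_INVENTORY)))
```

Keying an inventory on the canonical triple rather than the bare name is what lets a vulnerability notice for one ecosystem's package be matched to the right rows and not to a same-named stranger; the normalization step has to be ecosystem-specific because the registries themselves disagree on what counts as the same name.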
2. The increasing importance of individual developer account security
The census report found that seven of the top ten most-used open source software packages were hosted under individual developer accounts. That exposes those packages to increased risk: if a developer account is taken over, malicious code can be inserted into the original package, introducing a “backdoor” for attackers into every system where the host package is installed.
“In the contexts of both security and general risk management,” the report states, “it is critical that developer accounts be understood and protected to the greatest degree possible.”
3. The risk of legacy software in open source
Open source hasn’t escaped the problem of legacy technology: in this case, components in use that may be several versions behind the most current release. As the “Vulnerabilities in the Core” authors point out, it’s not unusual for there to be compatibility bugs between versions, making organizations reluctant to upgrade. There is also the pragmatic argument that the financial and time-related costs of switching to new software aren’t worth whatever benefits a newer version may offer.
But that argument ignores the reality that all technology—in particular, open source—loses support as it ages. The number of developers working to ensure updates—feature improvements as well as security and stability fixes—decreases over time. Often, the report notes, developers choose to dedicate their time and talents to newer packages. As a consequence, legacy software packages become more likely to break, with no guarantee that anyone is on hand to provide fixes.
“Without processes and procedures in place to address the risks created by legacy [open source], organizations open themselves up to the possibility of hard-to-detect issues within their software bases,” the Linux Foundation report concludes.