The state of open source security

Get a deep dive into open source trends

Definition

Open source software (OSS) is software that is distributed with its source code, making it available for use, modification, and distribution with its original rights. Source code is the part of software that most computer users don’t ever see; it’s the code computer programmers manipulate to control how a program or application behaves. Programmers who have access to source code can change a program by adding to it, changing it, or fixing parts of it that aren’t working properly. OSS typically includes a license that allows programmers to modify the software to best fit their needs and control how the software can be distributed.

What is the history of OSS?

The idea of making source code freely available originated in 1983 from an ideological movement informally founded by Richard Stallman, a programmer at MIT. Stallman believed that software should be accessible to programmers so they could modify it as they wished, with the goal of understanding it, learning about it, and improving it.[i] Stallman began releasing free code under his own license, called the GNU Public License. This new approach and ideology surrounding software creation took hold and eventually led to the formation of the Open Source Initiative in 1998.[i]


What is the Open Source Initiative?

The Open Source Initiative (OSI) was created to promote and protect open source software and communities.[ii] In short, the OSI acts as a central informational and governing repository of open source software. It provides rules and guidelines for how to use and interact with OSS, as well as providing code licensing information, support, definitions, and general community collaboration to help make the use and treatment of open source understandable and ethical.[ii]


How does OSS work?

Open source code is usually stored in a public repository and shared publicly. Anyone can access the repository to use the code independently or contribute improvements to the design and functionality of the overall project.

OSS usually comes with a distribution license. This license includes terms that define how developers can use, study, modify, and most importantly, distribute the software.[iii] According to the Synopsys Black Duck® KnowledgeBase, five of the most popular licenses are:

  • MIT License
  • GNU General Public License (GPL) 2.0—this is more restrictive and requires that copies of modified code are made available for public use
  • Apache License 2.0
  • GNU General Public License (GPL) 3.0
  • BSD License 2.0 (3-clause, New or Revised)—this is less restrictive[iv]

When source code is changed, OSS must include what was altered as well as the methods involved. Depending on the license terms, the software resulting from these modifications may or may not be required to be made available for free.[iii]

What are some examples of OSS?

  • GNU/Linux
  • Mozilla Firefox
  • VLC media player
  • SugarCRM
  • GIMP
  • VNC
  • Apache web server
  • LibreOffice
  • jQuery

Is OSS bug-free?

The short answer is no. With multiple parties making modifications and improvements, it’s inevitable that open source software will contain quality, performance, and security flaws. However, the broad base of code contributors can also mean that bugs are identified and fixed faster.

No matter the type of software—open source or commercial—code flaws will exist. The main difference is who is responsible for fixing the bugs; for commercial software, vendors are responsible, whereas the consumer is responsible for open source software. With a robust set of AppSec tools and practices in place, OSS can be easily secured.


What are the differences between open source and closed source software?

| Factors | Open source | Closed source |
|---|---|---|
| Price | Available for nominal or zero licensing and usage charges. | Cost varies based upon the scale of the software. |
| Freedom to customize | Completely customizable but it depends on the open source license. Requires in-house expertise. | Change requests must be made to the company selling the software. This includes bug fixes, features, and enhancements. |
| User-friendliness | Typically less user-friendly, but it can depend on the goals of the project and those maintaining it. | Typically more user-friendly. As a for-profit product, adoptability and user experience are often key considerations. |
| After-sales support | Some very popular pieces of open source software (e.g., OSS distributed by Red Hat or SUSE) have plenty of support. Otherwise, users can find help through user forums and mailing lists. | Dedicated support teams are in place. The level of service available depends on the service-level agreement (SLA). |
| Security | Source code is open for review by anyone and everyone. There is a widespread theory that more eyes on the code makes it harder for bugs to survive. However, security bugs and flaws may still exist and pose significant risk. | The company distributing the software (i.e., software owner) guarantees a certain level of support, depending on the terms of the SLA. Because the source code is closed for review, there can be security issues. If issues are found, the software distributor is responsible for fixing them. |
| Vendor lock-in | No vendor lock-in due to the associated cost. Integration into systems may create technical dependency. | In most cases, large investments are made in proprietary software. Switching to a different vendor or to an open source solution can be costly. |
| Stability | This will depend on the current user base, the parties maintaining the software, and the number of years in the market. | Older, market-based solutions are more stable. New products have similar challenges as open source products. If a distributor discontinues an application, the customer may be out of luck. |
| Popularity | Some open source solutions are very popular and are even market leaders (e.g., Linux, Apache). | In some industries, proprietary software is more popular, especially if it has been in the market for many years. |
| Total cost of ownership (TCO) | TCO is lower and upfront due to minimal or no usage cost, and depends on the level of maintenance required. | TCO is much higher and depends on the size of the user base. |
| Community participation | The community participating in development, review, critique, and enhancement of the software is the essence of open source. | Closed community. |
| Interoperability with other open source software | This will depend on the level of maintenance and goals of the group, but it is typically better than closed source software. | This will depend on the development standards. |
| Tax calculation | Difficult due to undefined monetary value. | Definite. |
| Enhancements or new features | Can be developed by the user if needed. | Request must be made to the software owner. |
| Suitability for production environment | OSS might not be technically well-designed or tested in a large-scale production environment. | Most proprietary software goes through multiple rounds of testing. However, things can still go wrong when deployed in a production environment. |
| Financial institution considerations | The financial industry tends to avoid open source solutions. If used, a vetting process must take place. | Financial institutions prefer proprietary software. |
| Warranty | No warranty available. | Best for companies with security policies requiring a warranty and liability indemnity. |

What are the pros and cons of open source software?

Pros of open source software

  • Open source software is free.
  • Open source is flexible; developers can examine how the code works and freely make changes to dysfunctional or problematic aspects of the application to better fit their unique needs.
  • Open source is stable; the source code is publicly distributed, so users can depend on it for their long-term projects since they know that the code’s creators cannot simply discontinue the project or let it fall into disrepair.
  • Open source fosters ingenuity; programmers can use pre-existing code to improve the software and even come up with their own innovations.
  • Open source comes with a built-in community that continuously modifies and improves the source code.
  • Open source provides great learning opportunities for new programmers.[v]

Cons of open source software

  • Open source can be harder to use and adopt due to difficulty setting it up and the lack of friendly user interfaces.
  • Open source can pose compatibility issues. When attempting to program proprietary hardware with OSS, there is often a need for specialized drivers that are typically only available from the hardware manufacturer.
  • Open source software can pose liability issues. Unlike commercial software, which is fully controlled by the vendor, open source rarely contains any warranty, liability, or infringement indemnity protection. This leaves the consumer of the OSS responsible for maintaining compliance with legal obligations.
  • Open source can incur unexpected costs in training users, importing data, and setting up required hardware.[vi]

How can you ensure open source software security?

While open source software offers a multitude of benefits, it introduces a whole new level of software risk management. It is critical that an organization utilizing OSS, or acquiring codebases that contain OSS in a merger or acquisition, truly understand what is in their code so they can effectively manage and secure it. The Synopsys solution suite offers complete open source coverage, so you can use OSS confidently. 

If you want to learn more about open source risk and how to mitigate it, here are some steps you can take:

  1. Read the annual "Open Source Security and Risk Analysis" (OSSRA) report to understand the current state of open source vulnerabilities and risks.
  2. Research open source risk management organizations and consulting firms that can provide guidance and tools for identifying and addressing open source risks in your own organization.
  3. Look for articles, blogs, and webinars online that offer tips and best practices for managing open source risk.
  4. Get in touch with experts in the field of open source risk management, to get personalized advice and guidance tailored to your organization's specific needs.
  5. Consider implementing automated solutions for open source management and security, to help you detect and resolve vulnerabilities, and to stay compliant with open source licenses.

By taking these steps, you can learn more about open source risk and take the necessary steps to mitigate it, ensuring the security and compliance of your organization's software.


What are the Synopsys offerings for OSS security?

Software composition analysis (SCA) tools help teams manage the security, quality, and license compliance risks that come with the use of open source and third-party code in applications and containers. SCA helps you understand what’s in your code, and provides a comprehensive software bill of materials (BOM).

Black Duck Audit Services provide fast analysis of open source, legal, security, and quality risks for merger and acquisition due diligence or internal reporting. Black Duck offers several audits:

  • Open source and third-party code audit. This provides a complete open source bill of materials for the target codebase, and shows all open source components and associated license obligations and conflict analysis.
  • Open source risk assessment. This uses Black Duck Security Advisories to deliver a detailed view of open source risks in the codebase, including known security vulnerabilities. The assessment result can serve as a high-level action plan to prioritize research and potential remediation actions.
  • Web services and API risk audit. This lists the external web services used by an application, offering insight into potential legal and data privacy risks. Armed with this data, you can quickly evaluate web services risks across three key categories: governance, data privacy, and quality.

References

[i] https://www.wired.com/story/wired-guide-open-source-software/

[ii] https://opensource.org/history

[iii] https://opensource.com/resources/what-open-source

[iv] https://www.thebalancecareers.com/what-is-open-source-software-2071941

[v] https://www.howtogeek.com/129967/htg-explains-what-is-open-source-software-and-why-you-should-care/

[vi] https://www.nibusinessinfo.co.uk/content/disadvantages-open-source-software

