Open source software (OSS) provides developers with many benefits, allowing them to streamline common features and tasks within the software, leaving more time for the development of project-specific elements which are unique to the software they are building.
Unfortunately, the popularity of OSS also makes it a target for cyber criminals. Lacking the rigorous security checks applied to commercial off-the-shelf (COTS) software, OSS often contains security vulnerabilities that go undetected, and an undetected flaw can in turn be an indicator of further weaknesses to come. These vulnerabilities can threaten the security of anything from an app or website to an entire network.
Why is the government particularly at risk?
According to the recently released State of Software Security (SOSS) annual report, apps used by US government agencies have a much higher rate of security flaws when compared with apps used in other sectors. When data was analysed using 20 million scans across half a million apps, security vulnerabilities were found in a staggering 82% of public sector apps in the USA.
Across all sectors, 30% of vulnerable libraries remain without a fix after two years. If we take the public sector alone, that nearly doubles, to 55%, with an overall fix rate of only 22%. While the government has said that it is committed to improving customer service for those who use its apps, the current situation means that users are being left at risk.
Improving open-source security
Flexible and cost-effective, OSS is here to stay. It now forms the foundation of most software, used across the majority of sectors. Therefore, its security is a vital issue which concerns everyone. The challenge it presents to the public sector is particularly prominent.
Last year’s attacks stemming from a vulnerability in Apache’s Log4j, a popular open-source logging library, enabled cyber criminals to take control of devices exposed to the internet. In fact, the popularity of a particular open-source resource often bears little relation to its level of security. It is well known that many of the developers working on open-source code are volunteers; with little security funding available, it is unsurprising that people with nefarious aims see OSS as an easy target.
The issue is now beginning to gain more public exposure, and is being recognised as a genuine area of public concern. In January, the Biden administration met with major IT companies to discuss open-source security, including the prevention of security flaws, finding them when they occur, and accelerating the repair of faulty code.
Prevention is better than cure
Although OSS developers usually patch vulnerabilities quite quickly, problems arise when they don’t. So wouldn’t life be simpler if weaknesses were identified at the start of the software development life cycle (SDLC)?
By focusing on security from the start and constantly monitoring for flaws throughout the life of the software, many issues can be avoided before they arise.
The public sector is particularly notorious for being slow to patch its vulnerabilities. By following the best practice of “fix early, fix often”, the public sector will dramatically reduce its potential exposure to security issues. Following security protocols from the outset allows developers, and in turn organisations, to benefit from open-source resources without being consumed by security concerns.
Get a Complimentary Assessment
Our Agnostic Open-Source assessment will provide an objective view of your software landscape without bias. You’ll receive a comprehensive report of your current position along with recommendations delivered in a format that allows you to retain this information and act upon it quickly and easily.