Advantages and disadvantages of open source software in terms of security
When open source software becomes a risk
Open source software convinces user groups across industries who want to digitally map processes or infrastructures in an economically sensible, agile, innovative and secure way. In many cases, security concerns are unfounded or can be remedied with a suitable commercial variant.
If a company does not have enough staff and expertise to operate open source software, an OSS community solution loses its security advantage over proprietary software. (Image caption)
Open source software (OSS) is independent of individual vendors and offers a large selection of components, open standards and thus compatibility with important tools. It has lower operating costs than proprietary offerings. In addition, such applications give companies faster and better access to innovation. These and other arguments convince two thirds of companies in Germany, which already use OSS according to a Bitkom study.
The survey provides further interesting details: nine percent of participants see a security advantage in the updates that OSS delivers in short cycles. Seven percent of respondents, however, have security concerns, and four percent name security gaps as a disadvantage. This apparent contradiction can be resolved; the short answer is that companies often lack the knowledge and specialists to exploit the full potential of freely available software. Nevertheless, even with fewer resources, companies can use open source profitably. This becomes clear once you consider what constitutes OSS.
Open to the sharing economy?
With OSS, the source code is open and freely available. A company thus receives a template from which it can develop its own applications according to its own ideas, inexpensively and quickly. It benefits from the knowledge of the community, as there are often thousands of developers behind a software project who constantly improve it. In return, depending on the license terms, it typically only has to publish its own source code on a platform such as GitHub. Code that has been published remains freely available even if the license terms of a later version change.
The open source concept is based on the principle of the sharing economy, that is, take and give. This can be a financial contribution as well as a contribution in the form of a technical improvement, for example by a company engaging in the community, participating in the further development of the software or contributing code itself. On the other hand, anyone who uses open source code for their own commercial purposes without giving anything back violates the principles of the sharing economy.
Anyone with security concerns could argue that open source code makes software vulnerable to manipulation. This assessment is incorrect. The transparency of OSS greatly reduces the risk of someone slipping malicious code into the software, because the swarm intelligence of a community is usually ahead of a manufacturer's team of limited size and discovers vulnerabilities faster and more reliably. In addition, the developer community can provide updates and patches at short intervals, so that vulnerabilities can be closed quickly. Finally, open source code is written in the knowledge that it is public, which increases the motivation of those involved to pay special attention to quality.
Proprietary software, on the other hand, has a decisive disadvantage in addition to its dependence on a manufacturer: its source code cannot be inspected continuously. Users do not know what is running in the background during operation, even where security-relevant aspects are concerned. Permanent access matters because it allows expertise to develop outside a single manufacturer, and that expertise is urgently needed whenever a solution is to be tested.
When open source software becomes a risk
When OSS reaches a high degree of maturity, the swarm intelligence that secures the product occasionally declines. This can also happen with widely used components and, of course, occurs in comparable form with proprietary solutions. Here it helps if commercial OSS manufacturers also keep an eye on these components.
Another security risk can arise on the user side: like any other critical means of production, open source components must be managed. Those responsible in the company must keep an eye on technical developments and community activities. This, in turn, requires that enough specialists with the relevant expertise work in the company, but such specialists are in short supply across the industry. In addition, these specialists must be given the time to deal with the topic in depth. It is hard to keep up: installing updates and patches and ensuring compatibility takes continuous effort. Almost every IT department needs good manufacturer support.
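The management duty described above starts with knowing which components are deployed and whether each one is at or above the version in which known issues were fixed. The following script is an added example and is not code from the article or from Greenbone; it works on a constructed inventory in the "name==version" pinning style of a Python requirements file and on a constructed advisory table with fictional component names. In practice the advisory data would come from the projects' release notes or an advisory database. It also shows two pitfalls a practitioner runs into when doing this by hand: lexical version comparison ("0.9.10" sorts before "0.9.9" as a string) and unpinned components that cannot be checked at all.

```python
"""Check a component inventory against known fixed versions.

Added example with constructed data; the component names and the advisory
table below are fictional and are not real projects or real vulnerabilities.
"""
from dataclasses import dataclass
from itertools import zip_longest
from typing import Dict, List, Optional, Tuple

# Constructed inventory of deployed components (fictional names).
INVENTORY = """\
# deployed open source components (constructed example data)
libexample==1.4.2
widgetlib==2.0.0
parser-kit==0.9.10
orphan-tool==3.1
"""

# Constructed advisory table: first version of each component in which a
# known issue is fixed. Components missing here are not being tracked at all.
ADVISORIES: Dict[str, str] = {
    "libexample": "1.4.3",
    "widgetlib": "1.9.5",
    "parser-kit": "0.9.9",
}


@dataclass(frozen=True)
class Finding:
    component: str
    deployed: str
    fixed_in: Optional[str]
    status: str  # "outdated", "current" or "untracked"


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.4.2' into (1, 4, 2); a suffix such as '1.4rc1' is cut at the
    first non-digit so that comparison stays numeric."""
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_less_than(a: str, b: str) -> bool:
    """Numeric comparison with zero padding: 0.9.10 > 0.9.9, and 3.1 == 3.1.0."""
    for x, y in zip_longest(parse_version(a), parse_version(b), fillvalue=0):
        if x != y:
            return x < y
    return False


def parse_inventory(text: str) -> Dict[str, str]:
    """Read 'name==version' lines; an unpinned line is an error, because a
    component whose version is unknown cannot be checked against anything."""
    deployed: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, version = line.partition("==")
        if not version:
            raise ValueError(f"unpinned component: {line!r}")
        deployed[name.strip().lower()] = version.strip()
    return deployed


def check_inventory(inventory_text: str, advisories: Dict[str, str]) -> List[Finding]:
    """Classify every deployed component as outdated, current or untracked."""
    findings = []
    for name, version in parse_inventory(inventory_text).items():
        fixed_in = advisories.get(name)
        if fixed_in is None:
            status = "untracked"  # nobody is watching this component
        elif version_less_than(version, fixed_in):
            status = "outdated"   # a fixed release exists but is not deployed
        else:
            status = "current"
        findings.append(Finding(name, version, fixed_in, status))
    return findings


if __name__ == "__main__":
    for f in check_inventory(INVENTORY, ADVISORIES):
        extra = f" (fixed in {f.fixed_in})" if f.status == "outdated" else ""
        print(f"{f.status:9} {f.component}=={f.deployed}{extra}")
```

The "untracked" status is the one that matters most for the point made above: a component that nobody in the company is following is not automatically insecure, but nobody will notice when its community stops shipping fixes either.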
Closing the demand gap securely
Commercial open source offerings fill this gap. They bundle open source components into products and offer their own open source solutions as enterprise versions, which include a warranty and professional support with updates and patches, and whose services can be governed by SLAs and subscriptions. Such products are easy to install and run stably. In this constellation, user companies gain the security of OSS without having to make the necessary effort themselves.
Implementing the security advantage of OSS
The use of software is always associated with risk. In the case of OSS, however, this risk increases unnecessarily if a user company does not have enough staff and expertise in house. At that point an OSS community solution loses its security advantage over proprietary software, because if the in-house experts have no time, or lack solution-specific expertise, swarm intelligence, self-control and agility are of no use. To achieve a reasonable level of security, companies should therefore rely on commercial open source variants wherever their own experts are not available. An honest self-assessment of what can be done alone and what is better procured, more securely and reliably, from open source manufacturers helps here.
About the Author: Elmar Geese is Chief Operating Officer (COO) in the management team of Greenbone Networks, specialist for vulnerability analysis of IT networks. His focus is on strategy, process optimization and controlling, so that the added value of Greenbone products reaches the customer even better. He draws on three decades of IT experience as a founder, manager and consultant.