By Martin Heiland, Information Security Officer at Open-Xchange
Open source software (OSS) presents both a risk and an opportunity for information security. Handling it is very different from handling proprietary, closed-source software and services, where consumers have no choice but to trust the vendor unconditionally to do the right thing; relying on vendor assurances alone has often proven unreliable.
With OSS, however, the vast ecosystem of contributors, methods and components allows for rapid development and a quick time to market, and it provides a valuable feedback channel. OSS does not improve security merely by publishing code; it does so by building a community that enforces transparency and continuous improvement.
It can also be hard to predict the operational risks of some OSS components: maintenance of more niche components may come to an end, for example, or maintainers may go rogue. This is why it is essential to monitor upstream sources closely and to evaluate their maturity. Automated tools can check external components against known security issues so that they can be updated when necessary. Agile methodologies make it much easier to do this efficiently and to build security awareness into an organisation’s daily routine.
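One way to automate the check described above, as an added example that is not Open-Xchange’s own tooling: the script compares a pinned dependency manifest against advisory version ranges and reports which components need an upgrade. The manifest, the advisories and their EX-xxxx identifiers are all constructed for illustration; in practice the advisory list would be fetched from a vulnerability database.

```python
"""Check pinned third-party components against known advisories.

Added example, not Open-Xchange code. The manifest and advisory data are
constructed, and the advisory identifiers (EX-xxxx) are hypothetical stand-ins
for entries you would pull from a vulnerability database.
"""
import re

# Constructed sample manifest in "name==version" form (not a real project's).
MANIFEST = """\
# constructed example manifest
requests==2.19.1
pyyaml==5.3.1
jinja2==3.1.2
urllib3==1.26.5
"""

# Constructed sample advisories. "introduced" is inclusive, "fixed" is exclusive;
# a fixed value of None means no fixed release exists yet.
ADVISORIES = [
    {"id": "EX-0001", "package": "requests", "introduced": "2.0.0", "fixed": "2.20.0"},
    {"id": "EX-0002", "package": "pyyaml", "introduced": "0", "fixed": "5.4"},
    {"id": "EX-0003", "package": "urllib3", "introduced": "1.26.0", "fixed": "1.26.5"},
]


def parse_version(text):
    """Reduce a dotted version string to a tuple of integers ("1.26.5" -> (1, 26, 5))."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def version_lt(a, b):
    """Compare two dotted versions, padding with zeros so that "5.4" equals "5.4.0"."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    return va + (0,) * (width - len(va)) < vb + (0,) * (width - len(vb))


def is_affected(version, introduced, fixed):
    """True if introduced <= version < fixed (fixed=None means still unfixed)."""
    if version_lt(version, introduced):
        return False
    return fixed is None or version_lt(version, fixed)


def parse_manifest(text):
    """Return {name: version} for every pinned line; reject anything unpinned."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = re.fullmatch(r"([A-Za-z0-9_.-]+)==([0-9][0-9A-Za-z.]*)", line)
        if not match:
            # An unpinned requirement cannot be checked against a version range,
            # so fail loudly rather than silently skipping it.
            raise ValueError(f"unpinned or unparsable requirement: {line!r}")
        pins[match.group(1).lower()] = match.group(2)
    return pins


def scan(manifest_text, advisories):
    """Return one finding per (component, advisory) pair whose range matches."""
    pins = parse_manifest(manifest_text)
    findings = []
    for adv in advisories:
        version = pins.get(adv["package"].lower())
        if version is not None and is_affected(version, adv["introduced"], adv["fixed"]):
            findings.append({
                "package": adv["package"],
                "installed": version,
                "id": adv["id"],
                "upgrade_to": adv["fixed"],
            })
    return findings


if __name__ == "__main__":
    for f in scan(MANIFEST, ADVISORIES):
        print(f"{f['package']}=={f['installed']} matches {f['id']}; upgrade to {f['upgrade_to']}")
```

The zero-padding in `version_lt` matters at the boundaries: a component at exactly the fixed version (urllib3 1.26.5 above) is correctly reported as clean, and "5.4" is not treated as older than "5.4.0". Unpinned requirements are rejected outright, because a range check is meaningless without a concrete version.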
Components are not the only OSS security consideration. Many organisations use third-party sources to set up their service infrastructure, for example by pulling Dockerfiles from a public repository. This introduces the same risk at a different level: malicious code could be injected right into the core of the development or service-operations lifecycle.
Deploying locked-down, unmonitored and outdated IoT devices across an organisation is another disaster waiting to happen. Even though the software running on these devices is often OSS, the user is fully dependent on the vendor to patch vulnerabilities, and we now know that security is not part of most suppliers’ business models.
Open-Xchange encourages users to report security issues in OX products directly, including issues in the external components we use. We aim to keep the barrier to entry very low, compensate security researchers through our bug bounty programme, and commission professional penetration tests as well. And, of course, being part of the OSS community works both ways: Open-Xchange also looks for vulnerabilities in external components and reports them to the affected projects.