Information security remains high profile, daily news. One of the negative impacts of the changes coronavirus and lockdown have had on many organisations is what some experts have referred to as a “cyber pandemic.” A report by Teiss found that the increase in home workers allowed cyber criminals to exploit weaknesses created by the sudden change to home working. Attackers used tried and tested hacking techniques and ransomware, but also exploited human error in times of increased stress, obtained stolen credentials made easier to acquire by remote access challenges, and used the fear and uncertainty surrounding COVID-19 to create more effective phishing emails.
Attackers may use any information available to find even the smallest weakness in a system to attack. Any detail or clue about your configuration can be used as a means of attack. This causes some people, quite understandably, to question how it is possible to maintain security when using code that is publicly available to the world.
How can security be maintained with so much sensitive data flowing through systems built on software whose code anyone in the world could be reading and searching for vulnerabilities? The concern is understandable, and measures must be taken to ensure security is a priority against the many threats. However, open source has multiple benefits when it is controlled, rigorously inspected, maintained and tested.
What is open source?
Open source software is freely available, publicly accessible software that can be used and modified by anyone for their own uses. This can be any kind of software. Web browsers, operating systems, text editors and content management systems are just a few.
An example of this can be seen at GitHub.
This is the code for the Apache web server. It is free to download and use as needed. Everyone can see the code and anyone can freely use it to set up their own web server.
Inspectability and Control
The fact that open source code can be viewed by anyone doesn’t have to be a negative. We have the ability to read any code before we decide to use it. Every feature can be carefully reviewed to check for any potential issues.
Because the code we use is controlled by Invotra, and not a third party, we can choose if and when any changes are made. If a maintainer of a project makes a change that may cause issues or that does something that does not fit the Invotra product, we can see this before making any choices about adopting the code or writing our own. This is a level of control that we couldn’t get with closed source software.
Open source lives by the community around it. Experts who dedicate themselves to the creation and maintenance of open source projects help keep them secure and allow for more rigorous testing. In order to maintain high levels of security, strategy and quality, The Linux Foundation even offers an open source ‘code of conduct’.
Anyone can contribute to an open source project. Anyone can raise an issue. In their blog, How to Contribute to Open Source Project, Maryna Z of Ruby Garage highlights the benefits of taking part in open source to developers, from beginners to enthusiasts, who want to inspire others. Open source offers the opportunity to share skills in a variety of ways, by writing, updating and translating documentation, or designing or managing projects. This means that the number of people testing the software is greater than any one organisation could have on its own. The security testing is rigorous due to the large number of individuals and organisations who work to improve the software and contribute fixes to make it better and more secure.
Open source at Invotra
At Invotra, we use a lot of open source software in our tech stack: Apache, Ubuntu, React and Drupal, to name a few. Almost all Invotra functionality passes through Drupal. It forms the core of our product and the base on which we build our functionality. It is where content is stored within the Invotra product and where users are managed.
It should be noted that simply being open source does not make software secure. Risky software will not become more secure just by open sourcing the code. However, the benefits of community monitoring and inspection, and the ability to fix vulnerabilities and release patches, mean that a well-managed open source project can offer more security in changing times.