As ransomware continues to experience exponential growth in 2017, with more attacks on more businesses demanding more money, the vulnerability (or otherwise) of open source software (OSS) is once again being called into question.
Setting the cat among the pigeons was a comment in HackerOne's Hacker-powered Security report 2017 that open source projects - alongside Internet of things (IOT) and smart home programs - featured highly in the number of bug bounty programmes launched between January 2016 and 2017 by technology companies.
Bug bounty initiatives or vulnerability rewards programmes are crowdsourcing initiatives that reward individuals (often so-called 'white hat' hackers) for discovering and reporting software bugs.
According to HackerOne, top companies are rewarding hackers up to $900 000 a year in bounties - but this is small change when one considers the massive WannaCry ransom attack in May-June that affected hundreds of organisations around the world, costing an estimated $8 billion in computer downtime alone.
Kaspersky Security Bulletin 2016 reported the number of ransomware attacks on businesses tripled last year, jumping from one every two minutes in Q1, to one every 40 seconds by Q3; and Symantec's 2017 Internet Security Threat Report noted the average ransom demand had increased to over $1 000.
Black Duck raises concerns
In its overview of application security in 2016, Black Duck Software stated the obvious: the need for secure code has never been greater and IT security should be a boardroom issue.
In particular, Black Duck expressed concern about the vulnerability of OSS. "While there are compelling reasons for using open source code, its use dramatically increases the need for strong code management," the report noted.
It added: "Everyday objects are increasingly connected to the IOT. Any vulnerabilities in the software that controls these networked devices can have consequences beyond anything we've experienced so far."
According to Black Duck, OSS is ubiquitous, with virtually every application either open source or including open source code. Commercial applications generally utilise only 65% custom code. However, 67% of companies don't monitor their open source code for security vulnerabilities, relying instead on the Linus Law of "enough eyeballs" for their open source security needs.
"But many open source projects, including those that are vital to the security of the Internet like OpenSSL, lack the needed security eyeballs. Another hindrance to community-driven, quality software is that the rewards for finding and selling exploits are much higher than those for finding and publishing them," Black Duck added.
Not an open source problem
However, veteran technology columnist Matt Asay strenuously dismisses Black Duck's concerns. Writing in TechRepublic, he maintained that any code or system connected to the Internet is vulnerable to attack. All code - regardless of whether it was proprietary or open source - is essentially not secure.
"The trick isn't to write perfect code, which is impossible, but rather to write and hack code in such a way that vulnerabilities get weeded out fast. This is one reason open source has proven to be so popular: more secure or not, it offers easier access to discover and fix bugs," he said.
"Even if you think Hadoop or MongoDB or some other data infrastructure is weak on security, it's not clear why this is suddenly an open source failing, rather than simply a matter of developers (or others) being unwilling to bother about security ... No amount of process or code matters if the people deploying the software simply elect not to secure their databases. That is not an open source problem ? it's a people problem," Asay concluded.
Share