Eleven Chief Information Security Officers (CISOs) from across industries share insights on the use of open source software in their enterprise environments. Most CISOs agree that open source software generally has been well vetted by a vast development community that quickly finds and fixes vulnerabilities in the software libraries. What’s more, open source provides flexibility that commercial software often can’t match without expensive customization. CISOs caution, however, that the source code for open source may be free, but there are lifecycle costs for training, support and maintenance that must be considered.
Read their insights:
Meg Anderson, VP & CISO, Principal
I think that open source code is a part of any modern technology portfolio. How you approach using open source depends on your company culture, your business and your risk tolerance. Using open source can encourage creativity, increase agility, allow you to learn from outside of your own company and attract talent engaged and networked in the community. It’s important to ensure you understand licensing models, look out for any reputational risk issues and understand the necessity for maintaining code you contribute as well as code you use. Open source code should not bypass your application security program because attackers don’t know the difference between your code and someone else’s!
Luis A. Arzu, CISO, Farm Credit Financial Partners
Cybersecurity is unique in that there is no other industry engaged in a constantly evolving battle. To complicate matters, the rate of exploits and risks far outpaces the development of commercially built security solutions to combat them. And typically, those are just point solutions. This is the reason for the more than 2,000 readily available cybersecurity products, with 90% of the products having revenues of less than $10 million per year. The fragmentation is not only challenging from a pure security stance but creates significant investment risk for businesses and CISOs as threats are continuously changing, often rendering a short lifespan for those commercially developed products.
Open source software is often a viable alternative or enhancement for CISOs as it is more resilient and by its very nature is constantly being improved upon and tested for defects. Open source software by and large is created by the brightest developers and programmers who look to leave their fingerprints on a great project. Because the source code is available it can be inspected for backdoors or Trojans that otherwise could be hidden when source code is obfuscated. The level of auditing and testing by not only the developers but those implementing the open source solution provides tangible and immediate feedback on its performance and viability across a multitude of heterogeneous technology environments. Crowdsourced testing, inspection, code review and implementation can operate at a massive scale when compared to the limited testing that a commercial software company, where the code is obfuscated, can provide.
Recognize however that open source software does require security teams to be diligent in maintaining it and this will likely come at a cost. As well, it is important that management follows a process to ensure appropriate licensing constructs are maintained and followed. Some of these same costs exist for commercially available tools to maintain and operate, but bear in mind that open source has these same costs.
Frank Bradshaw, CEO & CISO, Ho’ike Technologies
Organizations using an open source product need to understand the software development cycle. How often do they update, and how often are the updates scheduled for release? A lot of open source software companies will put out monthly releases, and the larger companies put out weekly releases. Many of the releases are unadvertised, and they just go into a repository. It’s up to the customers to go retrieve a new release and decide whether to use it.
Typically, if you are managing an organization that uses a lot of open source, change management becomes critical. You can set a policy that says, every two weeks we must check to see what the latest releases are. Then you must test.
Support is another issue. There are some commercial open source packages that will offer you support. Whether or not you need it depends on the knowledge and skills of your IT and development teams. If you can’t get support and your team is not skilled enough to handle it, you can go to a third party for your support needs.
Alexander J. Fry, Vice President – Software Security Assurance, Elsevier
Over the last 14 years, I have conducted security-focused code reviews and security testing on hundreds of custom software applications that utilize open source libraries and frameworks. It has been my experience that most of the vulnerabilities are identified in custom code, not in open source libraries. This experience was recently corroborated in a whitepaper titled “State of Application Security: Libraries & Software Composition Analysis” published by Contrast Security. They said they analyzed data from 1,857 running applications, which included several thousand different open source libraries, frameworks and modules. It reportedly was found that third-party libraries represent 79% of an application’s code. Java applications leverage 107 libraries while .NET applications leverage 19 libraries. What proves the argument, though, is that software libraries were found to represent just 7% of vulnerabilities and custom code accounted for 93% of overall vulnerabilities.
Mark Eggleston, VP, CISO and Privacy Officer at Health Partners Plans
Open source tools can be a beacon for limited budgets. Such tools are referenced heavily in SANS trainings and can have a very supportive peer group. Generally speaking, if you have more hands-on, technical staff, open source is a viable alternative to COTS (commercial off the shelf) tools. However, open source should be used cautiously for mission critical purposes due to challenges in finding support/SLAs. I’ve generally used open source for some vulnerability assessment and pen testing, and a lot of the co-sourced documentation has been great.
Ajit Gaddam, Chief Architect, Visa
The fact is that modern open source software provides a level of transparency, customization capability, and feature parity in many cases with proprietary software while providing a level of cost savings, making it very attractive to consider within a modern enterprise to secure their IT assets, data, and infrastructure. That said, since no software system is completely bug free, it is important to factor in security considerations such as:
Source Code Review: Perform a thorough evaluation of the source code before deployment, cataloging and risk managing new identified vulnerabilities plus those disclosed in the public domain. Have compensating controls and security architecture in place for gaps.
Follows Open APIs and Standards: It is important to ensure that your current IT investments remain relevant. Validate that the open source software uses standards and open APIs that will allow you to integrate with other open source technologies and your current proprietary security solutions.
Training & Support: Ensure your operations model looks beyond CapEx. From a labor standpoint, consider options like a vendor-backed open source technology (e.g. think RedHat) or invest time and resources in training your internal staff. Balance out your RTO [recovery time objective] numbers around availability in case the system develops bugs or goes down. Remember you are dependent on your staff or community to provide patches (e.g. think Heartbleed and OpenSSL).
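Several of the points above describe the same operational check from different angles: Frank Bradshaw’s “every two weeks we must check to see what the latest releases are,” Alexander Fry’s software composition analysis figures, and Ajit Gaddam’s advice to catalog publicly disclosed vulnerabilities against the open source you deploy and to track who will ship the patch. The script below is an added example of that check in working code; it is not code from any of the CISOs quoted here, nor from any product they mention. The pinned manifest, the advisory list (with hypothetical `EX-…` identifiers, not real CVEs) and the “latest release” table are all constructed inline so the example runs offline, and versions are assumed to be plain dotted integers (a real tool would use a PEP 440 or semver parser and pull advisories from a feed such as a vulnerability database).

```python
"""Software composition check: flag pinned dependencies that have a
published advisory and dependencies that lag behind the latest release.

Added example only. MANIFEST, ADVISORIES and LATEST are constructed data
for illustration; the EX-* identifiers are hypothetical, not real CVEs.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


def parse_version(v: str) -> tuple[int, ...]:
    """Parse a dotted-integer version ('2.4.1' -> (2, 4, 1)).

    Assumption: no letters or pre-release tags. Short versions are padded
    with zeros so that '2.4' compares equal to '2.4.0'.
    """
    parts = tuple(int(p) for p in v.strip().split("."))
    return parts + (0,) * (3 - len(parts))


@dataclass(frozen=True)
class Advisory:
    advisory_id: str       # hypothetical identifier for the example
    package: str
    introduced: str        # first affected version (inclusive)
    fixed: Optional[str]   # first fixed version (exclusive); None = no fix yet

    def affects(self, version: str) -> bool:
        """True if `version` falls inside [introduced, fixed)."""
        v = parse_version(version)
        if v < parse_version(self.introduced):
            return False
        return self.fixed is None or v < parse_version(self.fixed)


@dataclass(frozen=True)
class Finding:
    package: str
    installed: str
    kind: str     # "vulnerable" or "outdated"
    detail: str


def parse_manifest(text: str) -> dict[str, str]:
    """Read 'name==version' lines; comments and blank lines are ignored.

    Unpinned entries are rejected: without an exact version there is
    nothing to compare an advisory range against.
    """
    deps: dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        if not version:
            raise ValueError(f"unpinned dependency: {line!r}")
        deps[name.strip().lower()] = version.strip()
    return deps


def check(manifest: dict[str, str], advisories: list[Advisory],
          latest: dict[str, str]) -> list[Finding]:
    """Match every pinned dependency against advisories and the release feed."""
    findings: list[Finding] = []
    for pkg, installed in manifest.items():
        for adv in advisories:
            if adv.package == pkg and adv.affects(installed):
                fix = (f"upgrade to >= {adv.fixed}" if adv.fixed
                       else "no fixed release yet; apply compensating controls")
                findings.append(Finding(pkg, installed, "vulnerable",
                                        f"{adv.advisory_id}: {fix}"))
        newest = latest.get(pkg)
        if newest and parse_version(installed) < parse_version(newest):
            findings.append(Finding(pkg, installed, "outdated",
                                    f"latest release is {newest}"))
    return findings


# --- constructed sample data (not real packages, advisories or releases) ---
MANIFEST = """
# constructed lock file for the example
libalpha==1.4.2
libbeta==2.0.0
libgamma==3.1.0
"""

ADVISORIES = [
    Advisory("EX-2024-0001", "libalpha", introduced="1.2.0", fixed="1.4.3"),
    Advisory("EX-2024-0002", "libbeta", introduced="2.0.0", fixed=None),
    Advisory("EX-2024-0003", "libgamma", introduced="3.0.0", fixed="3.0.5"),
]

LATEST = {"libalpha": "1.4.3", "libbeta": "2.0.0", "libgamma": "3.1.0"}


def run_example() -> list[Finding]:
    return check(parse_manifest(MANIFEST), ADVISORIES, LATEST)


if __name__ == "__main__":
    for f in run_example():
        print(f"{f.kind:10} {f.package}=={f.installed}: {f.detail}")
```

On the constructed data the run reports libalpha as both vulnerable (EX-2024-0001) and outdated, libbeta as vulnerable with no fixed release available, and nothing for libgamma, whose installed 3.1.0 is past the fixed version in EX-2024-0003. The unfixed libbeta case is the one Gaddam’s “compensating controls” and “dependent on your staff or community to provide patches” points are about: the check can tell you the exposure exists, but closing it is an operational decision the script cannot make for you.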
Randy Marchany, CISO, Virginia Tech
Most commercial security software came from open source software so why not get it from the source? Open source software allows you to test out new features with the only cost to you being that of time. Once your team uses an open source tool, they can use that knowledge to better evaluate a commercial product. It allows you to ask a vendor “what does your product do that this open source version doesn’t?”
Pete Nicoletti, vCISO and Board Advisor
Don’t forget to factor in all the real costs of using open source. Often, decisions to use open source are initially made to save money, but the entire lifecycle of costs should be considered. Maintaining it, getting support, keeping it secure, staff training, and potential conversion to a commercial product that scales/fits better should be factored in. Federal agencies are taking a leadership position in this area (as described in the Federal CIO memorandum: “Federal Source Code Policy: Achieving Efficiency, Transparency, and Innovation through Reusable and Open Source Software”) and now require that a portion of projects use open source with the intention of leveraging all the benefits.
Joel Rosenblatt, Director, Computer & Network Security, Columbia University
Working at a university means that we have always used both open source and home-grown solutions for many systems, both enterprise and academic. While Open Source Software (OSS) and Free software are slightly different, the bottom line is that OSS includes the source code and the license includes the use by both for-profit and non-profit organizations. While there is no cost for the initial product, OSS is not zero-cost software. You will need to have people who can support the systems and who are willing and able to dig through the source code to resolve problems (read: fix bugs).
The big win, in my opinion, is that OSS is way more flexible than commercial products, and in a university environment, you will often need to customize your solutions in a way that commercial vendors don’t see the ROI [return on investment]. We use both OSS and commercial products, and I can safely say that we have very rarely used a commercial enterprise system that did not require extensive customization, often at great expense.
Bradley Schaufenbuel, VP, CISO, Paylocity
I contend that open source software is actually more secure than commercial off the shelf software. Since the source code is available to anyone on the planet, that code can be reviewed for security flaws or embedded malware by many. With commercial off the shelf software, you usually only gain access to object code, so you have to blindly trust the vendor that wrote it.
There is also a ton of fantastic open source security tools. You won’t find a single competent penetration tester that does not utilize several open source hacking tools. And programs like the ELK stack, Snort, OpenVAS, the Social Engineering Toolkit, and Security Onion give commercial tools costing hundreds of thousands of dollars a run for their money. This provides small and midmarket enterprise security teams the capabilities they need in the absence of a large enterprise security budget.
David Sheidlower, CISO, Turner Construction
What I think of as the three most important things about open source: First off, we need to recognize that not all open source projects are created equal. Some represent active, engaged communities and others are either too small or the work of too few contributors to benefit from the open source model. The CISO wants to encourage projects that encourage security and that have the depth of expertise to deliver on that. Second, we need to always remember that there is absolutely nothing about open source output that alleviates the need to update/patch it if we rely on some part of it in our environments. Which leads to the final point: if you rely on open source, then you are a part of that project’s community. So, encourage your organization to contribute how and where it can (see point one above).
My feeling is that both OSS and commercial products will work equally well, provided that you choose them carefully and allocate sufficient resources to properly deploy and support them. Remember that it’s not what they cost to buy that’s most important, it’s what they cost to run.