Open Source and Supply Chain Risk

Although certain vendors of closed-source enterprise software continue to dominate the market, the view of many recent reports is that the use of open source is growing and will continue to do so for the foreseeable future.

In one example, the view is that a global open source market of $27.7 billion in 2023 will grow at around 18% a year on average, almost tripling by 2028 to $75.2 billion.

This feels like a good thing, until we consider the elephant that wandered into the room a few years ago – supply chain security. Previously not really thought about all that much, the concept has been brought to the front of all of our minds by a series of supply chain hacks in recent years, which have forced us to focus on the security of our suppliers and the upstream entities on which they depend.

What does this growth in open source mean to us? If reputable companies like SolarWinds – commercial producers of globally respected software – can fall victim to worrying hacks, surely adopting open source in our organizations is a recipe for disaster? Here we have software that could have been written by anyone, potentially published on the servers of companies we might not have heard of. How can we have any confidence at all in software whose provenance is not always certain and potentially a long way from the big, commercial companies we (mostly) trust?

What Is Open Source?

The first part of the answer is to consider what we mean by open source software. Red Hat made an interesting distinction in its 2022 report “The State of Enterprise Open Source”, where it demarcates clearly between what it calls “Enterprise open source” and “Community-based open source”. And it’s a valid point: open source doesn’t simply mean “random and a bit dodgy” – it means that the code behind the product is available for you to see. Just because something is open source doesn’t mean it isn’t produced by a reputable company, with robust testing, decent security, proper upstream supply chain security, and so on. A quick look at Datamation’s list of the “Top 20 Open Source Software Companies” reminds us that the open source world counts among its most prominent members the likes of Google, Amazon, IBM, Intel, Microsoft and Oracle. Open source most certainly isn’t automatically substandard, then, particularly in the commercial products it underpins.

So, what about so-called “Community-based open source”? Surely something with less control over its content, and no corporate oversight, controls and the like, is more susceptible to a bad actor injecting something nefarious which we all then unwittingly download and use? Well … no. Or, at least, not necessarily. Take as an example what’s easily the biggest ongoing open source project in existence – the continuous development of the Linux kernel. Around 15,000 people have contributed to the kernel over the years, with development overseen and coordinated by Linux creator Linus Torvalds. One would think that such an approach is fraught with risk – one bad-actor developer and the kernel’s security is compromised.

But no – the opposite is in fact true, because of the very nature of community-based open source development. A massive band of developers equates to a massive number of people who scrutinize new code snippets. When a developer “commits” (uploads) a new piece of code, Torvalds doesn’t simply hit “Build” and it’s in the kernel. Instead, the developer community will look at the new change, consider whether it’s the most efficient it could be, look for bugs, and so on. The finest brains in the land look at the code, and the chances of a piece of malicious code finding its way into the software are in fact very low indeed.

Of course, this doesn’t mean that all open source code, particularly community-built stuff, can be relied on – it would be unreasonable to think that the total number of compromised open source applications is zero. After all, one of the most common arguments many open source zealots use when trying to get us to adopt such software is: “But the code’s right there for you to look at, so you can see under the hood and how it works” … which is true, but who has the skills to do so, and does anyone ever bother? Just because people can do something, this doesn’t mean they do it.

It’s a Matter of Risk

Because of this, we wind back to the core principle of cybersecurity: a risk-based approach. Should one have a high degree of confidence buying, downloading and installing one of the commercial Linux operating systems? Yes, of course – not least because part of what you’re buying for a few hundred dollars is the assurance of proper testing, security scrutiny and the like. But what about free stuff like, say, the Apache web server or Tomcat? Again, the Apache Software Foundation is reputable, and its software is relied on globally. At the other end of the scale, though, would we trust a piece of software that someone we’ve never heard of has put in the public domain via a web site we’ve not really heard of either? Of course we wouldn’t! Our instinct does the risk assessment for us and tells us at the very least to look under the hood or ask around to understand the risks.

In reality, then, the primary cyber risk in an open source world isn’t the fear of an attacker injecting malicious code into something we buy, download and use. No: the biggest threat is the simple old problem that even the best code has bugs (if it didn’t, things like Patch Tuesday wouldn’t exist).

So, the greatest risk is, and always will be, unwitting vulnerabilities that were introduced by developers and not picked up before the release happened.

  • ISC2 has an online training module focused on Supply Chain Security. Find out more here.
  • ISC2 also has an online training module on Supply Chain Risk Management (SCRM) through Governance, Risk, and Compliance (GRC). Find out more here.