Open-source coding provides many benefits for enterprises creating the software and the awaiting businesses that need to utilize it for smooth business operations. Open-source software is simply software coded using open-source coding. This means the coding is open for people to view and manipulate relatively easily. Its main ethos is that it decentralizes and democratizes – to an extent – who has access to certain codes.
It’s a highly versatile but also volatile coding that is the dominant choice for web, app, and software developers. The vulnerabilities of such a versatile and easily manipulated open-source code can cause software downtime and safety issues that plague businesses. Let’s explore.
What is open-source code?
Open source is originally a term that referred to open-source software. The makeup of that software would be open coding. This means it’s publicly accessible so anyone can see it, modify, and distribute the coding as they wish. The alternative is closed-source coding, which, like open-source software, refers to closed-source software. Behind that closed-source software was closed coding, which means it’s not freely accessible.
The most notable difference, not including the ability to modify the coding, is how open and closed source software is developed. Closed-source software typically comes to fruition by the work of one or a small team of software developers that will each have the master access to the coding of the software. They determine how and when they continue to develop the software.
Open-source software sees mass collaboration to create the software. Mass collaboration is the reason open-source is open. It needs to be easily accessible for a big team of people. One group of developers could work collaboratively in multiple different countries, which creates an issue in itself. Multiple people working on the same project in the same room make for easy collaboration. But developers working in different countries can hinder development, updates, and patches.
Recommended for you: Network Security 101: 15 Best Ways to Secure Your Office Network from Online Threats.
What issues can it create for businesses?
Closed-source software has vulnerabilities but nowhere near as many as open-source software. The main weakness of open-source software is that the coding allows nearly anyone to manipulate it. This is one of the reasons why there was a 650% rise in attacks on open-source software in 2021. Application security best practices like performing threat assessments and encrypting the code can create more secure software. But the inherent risk of open-source coding being so accessible still exists.
Another issue centers around usability. Open-source software typically suits the needs of the developers without considering the needs of the user. Companies must be involved with the design and testing of the app to ensure it meets the user’s needs. Another problem tied to usability is the lack of support available if something were to go wrong. Issues like compatibility can be a big problem with open-source software. There isn’t necessarily follow-up support from developers because multiple developers from different locations will have completed work on the software.
Businesses relying on open-source software and coding behind it might also face poor developer practices and relaxed oversights of integrations. The perfect example is the SolarWinds hack of 2021. That is thought to be the most damaging hack on a supply chain in history.
Over 250 businesses and government organizations were affected by the infiltration into the Orion system, which operated using open-source software. During two software updates, hackers released malware throughout the network, causing hundreds of businesses to crash. The entire supply chain almost stopped working. The effects of the hack are still being felt by businesses and government organizations. Many are saying it will take years to recover.
Examples of open-source software vulnerabilities
There are many examples of cyberattacks on businesses that utilize open-source software. This is linked to the fact that so many companies use open-source software, thus becoming sitting ducks. Below are two of the most notable events and what the companies learned from them.
2017 Equifax data breach
The 2017 Equifax data breach brought to light the true vulnerabilities of open-source software. The multiple security lapses that led to the cyber-attack led many web developers and companies alike to reinforce their software to prevent such an attack. Why both the company and the developer? Because both were at fault. Hackers exploited widely understood vulnerabilities and entered through a consumer complaint web portal. Those vulnerabilities should have been patched over by Equifax, but they weren’t.
Once through the web portal, hackers could move across the system and manage to steal millions of customers’ personal data. Days before that, a patch was released for a known vulnerability within the software. But Equifax chose not to implement the patch in enough time.
What did they learn from the attack? Equifax found that if a patch needs implementation, it needs implementation when released. Notably, it is large organizations that are the most vulnerable. Small to medium-sized businesses won’t find themselves the target as much as organizations with a massive customer base. That is why Equifax, a company that holds millions of customers’ financial data, should have worked to implement changes sooner.
This one hasn’t happened just yet. But hackers are quietly working in the background in an attempt to become the latest supply chain software attack. Python and PHP developers are slowly becoming compromised by a few successful hacks reported. But hackers are yet to reach their target. The packages they are attacking are the Python CTX and PHP’s phpass. Both are old software packages that have served businesses for many years.
Currently, it’s the software developers using the packages affected, but the notable increase in infiltrations has resulted in warnings fired toward companies who also utilize the software packages.
You may like: 12 Types of Endpoint Security Every Business Should Know.
The widespread rise in cyber attacks on businesses
There isn’t just an issue with open-source software attacks. There is a notable and widespread rise in cyberattacks on businesses across the board. In the UK, for example, the government recently released a report that urged businesses and charities to strengthen their cyber security practices amid a sharp rise in attacks.
Many believe this to the pandemic, which saw many companies investing in software that allowed them to continue to operate virtually. One study found there was a 300% increase in attacks during and in the months after the pandemic. But the pandemic isn’t the only one to blame – 5G, for example, is also contributing to the rise in attacks. The world was in a rush for faster bandwidth. But by increasing the bandwidth, IoT devices will be more vulnerable to attacks.
The cybersecurity skills gap within organizations also seems to be playing a part in the rise in attacks. Many employees simply don’t understand the risks and consequences of unsafe cyber practices. Additionally, many companies won’t even have a dedicated cybersecurity team. It’s up to management to educate on issues like phishing emails and encourage safe cyber practices.
What is the solution?
The solution is not to stop using open-source software. Consider the vulnerabilities and associated risks and determine which open-source software mitigates as many of them as possible. Businesses will need to go for the software most suitable for their needs. For example, open-source software could be better for brands looking for cheaper alternatives. Open-source software doesn’t typically have the same price tag as closed-source software.
Closed-source software comes with more stability and security that the software won’t come under attack from hackers. As mentioned above, open-source software has a major security flaw that caused an increase in cyberattacks by 650% in 2021. Even if businesses wanted to, they’re not the ones to run security checks and encrypt the coding. It would be the mass collaboration of developers that needs to do so.
Brands should also take the time to collaborate with developers. They should identify weaknesses in the software and implement patches as they’re released. As is with the Equifax hack, the software developers released the patch days before the attack. Because they had applied the patch, the attack wouldn’t have happened. Similarly, implementing regular updates is essential, but this also involves collaborating with developers to ensure updates are released securely. Like with the example of SolarWinds, the two updates on the Orion system exposed weaknesses that hackers immediately exploited.
Closed-source software isn’t a viable option for many brands. The better alternative might be to invest in a dedicated cyber security team or take more time to educate employees. Numerous high-profile cyberattacks started with poor password practices, for example, but are a relatively easy issue to resolve. The attack on Ticketmaster in 2021 is the perfect example of what can happen when employees don’t have secure passwords.
You may also like: 17 Cool Tips for Writing a Cybersecurity Policy that Doesn’t Suck.
Technically speaking, even closed-source software has the same vulnerabilities as open-source software; they’re just not as prominent. Businesses can mitigate the risks themselves by carefully selecting software, whether it’s open or closed, that reputable developers have created.
What’s evident, however, is what needs to be done to protect businesses worldwide, especially supply chains using open-source software. The sharp rise in cyberattacks proves how vulnerable companies and consumers are to cyberattacks. Cybercriminals now have access to sophisticated software. Developers and brands need to become more cyber security savvy to prevent attacks.