For quite a while, open source security solutions enjoyed a virtually unbroken string of successes, with little in the way of negative news surrounding these offerings. Then came Heartbleed. Undoubtedly the most significant setback to open source security ever discovered, the Heartbleed vulnerability exposed a tremendous percentage of the total Internet to possible cyberthreats.
In light of this revelation, many industry experts have offered their thoughts on the future of open source. Speaking at Computing's recent Enterprise Security and Risk Management Summit in London, a number of panelists asserted that Heartbleed should indeed cause businesses to scrutinize their open source security efforts, but that it is too late to abandon such solutions altogether.
Open source on the loose
The discussion began when Computing Magazine editor Stuart Sumner asked the panelists whether Heartbleed should cause business decision-makers to be more doubtful toward open source software. In response, Marc Lueck, director of global threat management at publishing house Pearson, argued that there is really no longer any choice in the matter.
"We don't have the opportunity to change our minds now, we're using open source, that decision is made," he said, the news source reported. "We now need to figure out how to fix it, how to solve it, how to protect ourselves from decisions that have already been made."
Lueck is far from the only expert to share this view. Writing for ZDNet, Steven J. Vaughan-Nichols recently argued that the "future belongs to open source," even despite the Heartbleed revelation.
"Outside of Apple and Microsoft, everyone, and I mean pretty much everyone, has already decided that open source is how they'll develop and secure their software. Google, Facebook, Yahoo, Wikipedia, Twitter, Amazon, you know all of Alexa's top ten websites in the world, rely on open-source software every day of the year," Vaughan-Nichols wrote.
The significance of Heartbleed, therefore, is not that companies need to reconsider their commitment to open source, but rather that firms should make more of an effort to ensure that these solutions are fully protected and applicable to a given situation, as Ashley Jelleyman, head of information assurance at BT and a participant in the Computing panel, explained.
"I think the real issue is not whether it's open source or closed source, it's actually about what you do with it and how you actually evaluate it to make sure it's fit for purpose," said Jelleyman, Computing Magazine reported. "It's have we checked this through, are we watching what it's doing?"
This thought goes back to one of the most popular notions concerning open source security: The idea that with enough eyes, all bugs are shallow. With proprietary solutions, a few oversights could potentially lead to a serious software security flaw, but open source enables and, theoretically, requires more people to examine any given piece of code. This dramatically reduces the likelihood that a major vulnerability will persist for long.
Yet such an oversight is precisely what happened to OpenSSL, leading to the Heartbleed flaw. Essentially, every organization that leveraged OpenSSL assumed that the software had been thoroughly vetted. It was so popular that it seemed inevitable someone, at some point, would have noticed any real vulnerability.
To protect themselves from future open source security risks, organizations need to take a closer look at their open source practices, rather than relying heavily on assumptions. By adopting a more critical posture to understand where open source is being used and the associated risks, firms can embrace open source and all of the advantages it entails without compromising their cybersecurity capabilities.