The Hidden Vulnerabilities of Open Source Software

The increasing use of open source software in most commercial apps has revolutionized software development—but also created hidden vulnerabilities, say Frank Nagle and Jenny Hoffman.

Free and open source software (FOSS) is one of the most significant technological trends of the decade. After all, FOSS components make up 80-90 percent of a typical application. And that trend is only increasing with its use in smart phones, cars, the Internet of Things, and numerous pieces of critical infrastructure.

But without appropriate investment and maintenance, that widespread adoption has the potential to become a liability. A preliminary study released February 18, which we directed alongside the Linux Foundation, identified numerous troubling trends in open source security that underscore the importance of understanding where open source is most used and could be vulnerable to attack.

The report, ‘Vulnerabilities in the Core: A Preliminary Report and Census II of Open Source Software,’ was prepared by the Laboratory for Innovation Science at Harvard (LISH), in partnership with the Linux Foundation’s Core Infrastructure Initiative (CII).

The Census II analysis and report represent important steps toward understanding and addressing structural and security complexities in the modern-day supply chain, where open source is pervasive but not always understood. After all, it is difficult to fully understand the health and security of FOSS because 1) by design, it is distributed in nature, so there is no central authority to ensure quality and maintenance, and 2) FOSS can be freely copied and modified, so it is unclear which open source software is most widely in use.

Census II identifies the most commonly used FOSS components in production applications and begins to examine them for potential vulnerabilities, which can inform actions to sustain the long-term security and health of open source.

Among the vulnerabilities identified by the study:

Inconsistent naming conventions. Perhaps the most pressing problem is the lack of a standardized software component naming schema. “Until one exists, strategies for software security, transparency, and more will have limited effect,” the report concludes. “Organizations will remain categorically unable to communicate with each other on the large-scale—particularly, the global scale—necessary to share such information.”

Security of individual accounts. Of the 10 most-used software packages in the analysis, the CII team found that seven were hosted under individual developer accounts, which are less likely to employ the same level of security measures (such as multifactor authentication) common among organizational accounts. According to the study, “changes to code under the control of these individual developer accounts are significantly easier to make, and to make without detection.” Individual accounts are also more vulnerable to being taken over by hackers.

Legacy code. In some cases, outdated legacy code remains in production even though improved code has been introduced. This can happen when the newer code has not yet overtaken its predecessor in terms of sheer usage. “Without this awareness,” the report reads, “and especially without processes and procedures in place to address the risks created by legacy FOSS, organizations open themselves up to the possibility of hard-to-detect issues within their software bases.” Infrequent updates to, and examination of, such widely used software can leave security issues in a code base for more than 20 years, as was the case with PuTTY SSH.

From hobby to mainstream

Over the past 20 years, FOSS has moved from the domain of hobbyists and tinkerers to become an integral component of the modern economy and is a fundamental building block of everyday technologies.

The increasing importance of FOSS throughout the economy became critically apparent in 2014 when the Heartbleed security bug in the OpenSSL cryptography library was discovered. By some estimates, the bug impacted nearly 20 percent, or half a million, of secure web servers on the internet and allowed numerous data breaches, including the theft of 4.5 million medical records from a large hospital chain.

In response to Heartbleed, the Linux Foundation established CII, a project that helps support best practices and the security of critical open source software projects, raising millions of dollars for open source security in the last six years.

Public interest in FOSS security has been renewed in the past few years as government agencies in the United States push for deeper insight into the software building blocks that make up various packages and devices via a software bill of materials. In April 2018, the leaders of the US House of Representatives Energy and Commerce Committee sent a letter to the Linux Foundation, acknowledging the critical importance of FOSS and exploring related opportunities and challenges.

“The Census II report addresses some of the most important questions facing us as we try to understand the complexity and interdependence among open source software packages and components in the global supply chain,” said Jim Zemlin, executive director at the Linux Foundation. “The report begins to give us an inventory of the most important shared software and potential vulnerabilities and is the first step to understand more about these projects so that we can create tools and standards that result in trust and transparency in software.”

Working in collaboration with the software composition analysis industry and application security companies, including developer-first security company Snyk and the Synopsys Cybersecurity Research Center (SCRC), the Linux Foundation and LISH were able to combine private usage data with publicly available datasets, developing a methodology for identifying hundreds of the most used open source software projects—20 of which are detailed in the report.

Call to action

Tim Mackey, principal security strategist for SCRC, says commercial organizations can contribute to this project by conducting internal reviews of their open source usage and actively engaging with open source communities to ensure the security and longevity of the components they depend on.

Snyk co-founder Danny Grander, a veteran security researcher who heads the company’s security team, decided to lead by example and share data since “industrywide efforts like this are beneficial to improving the security and viability of open source."

Organizations and individuals interested in partnering with the Census II effort can sign up here.

Given how quickly the digital world progresses, the project will evolve and continue to collect and analyze data to help support the continued health of the ecosystem that underlies the modern economy.

Frank Nagle is a professor at Harvard Business School and co-director of the Census II project. Jenny Hoffman is an assistant director of research management at the Laboratory for Innovation Science at Harvard.
