When it comes to security, two major changes have happened within recent years. The adoption of blockchain, and the huge shift to open-source. Open-source and security seemingly go hand in hand. After all, if you have nothing to hide, why shouldn’t you allow people to view it.
Whether utilizing open-Source firewalls like OPNSense, or an open-source packet sniffer like WireShark, security firms that run their platform as transparently as possible seem to be leading the way.
This article will act as a guide to the world of open source security, including some of its misconceptions, pros and cons, finally concluding on some suggestions of how you could potentially improve your system’s security.
Is Open Source Security Tooling Better?
Open-source security and product quality don’t necessarily go hand in hand. Product quality is naturally driven by the company creating the software, the budget going into the project, and many other things. It’s important to remember that the world of open source has created an open marketplace for all kinds of applications.
And while that does have its advantages, it can lead to drawbacks such as ending up with a dependency on an open-source piece of software that is no longer used.
With this in mind, when considering an open-source provider, it’s important to consider the following:
- Who is creating the application
Is this a lone developer in his basement publishing some source code, or is your new security tool open-sourced by a real security provider that knows what they are doing? - Is there an active community?
One of the major benefits of open source technology is that there’s likely a community of users as well as the creators of the software always helping each other out. If you ever run into a brick wall during set up, the community can come in brilliantly - How many active issues are there?
When looking at open source software, you may be able to see a log of the open issues against the software. While a lower count is better, you should really be looking at the churn rate of how quickly issues are being resolved, to see whether the app is active, or whether it has been forgotten about by the creators.
The term ‘open-source’, at its most basic, is software that is freely accessible to the public, where users are able to openly modify and share information and code. Open-source Software (OSS), is software with source code that is available to the public to inspect.
The process of hiring a third party to develop your OSS has become increasingly popular to help increase exclusive code created in-house and quicken the process of time-to-market.
By using OSS, you are able to speed up the development of your application and bring it to market faster. However, there are obviously some risks involved with using third-party packages and open-source software such as potential breaches in security, etc.
In this article, you will learn about the different risks and how Open-Source security tools can ensure your site is protected from hackers, any malicious software, and other threats.
Know your dependencies
It is a good practice across the entire IT industry to know about the dependencies of your software. In the olden days, a master excel spreadsheet with a list of all software dependencies would be kept. However, with the sheer number of dependencies nestled into a single software solution in the modern world, as well as the dependencies of those dependencies, tracking becomes a laborious and arduous task, to say the least.
To assist with this, Software Composition Analysis (SCA) tools are available to help automatically identify those dependencies as they are added in real-time. These tools often provide a quick overview of your dependencies and will notify you if they are out of date, if they are deprecated, or sometimes they will even go as far as doing code analysis to find if those dependencies are even used at all.
SCA tools can be highly useful to any company, as dependencies within all codebases are growing exponentially, and ensuring that your software is as secure as possible is a constant battle; Any kind of composition analysis is useful, and an automated tool to provide that entirely for you is massive.
Open Source !== Secure
If you intend to secure your data yourself, it is a constant struggle to ensure your own code is secure. When using third party packages in your development process, it’s crucial to trust the vendor of your packages. There’s a misconception in the more modern tech world where people have started to assume that because you can see some source code online, you can assume that an entire dependency is secure. This couldn’t be further from the truth.
There is nothing preventing a source code repository in GitHub and the NPM package, (originally short for Node Package Manager), from being two completely different codebases. There’s a great example online where someone claimed to have put a package on line into both NPM and GitHub, the package only claimed to add the functionality of a shorthanded way to add color to the logged items in the console.
However, in actuality, the source code in the npm package logged every single keystroke on the page to an API. Giving the user the potential to get the username and password of every single user on the host’s website – scary stuff.
The best way to be sure your packages are secure is to only use trusted vendors – Do you really need an unknown external library to make a uniform way of sending API requests, or could you implement that yourself or use some of the trusted vendor’s packages depending on the technology your site is built-in (such as Axios for react developers).
Overall, there are a multitude of factors to consider when securing source-code. Hopefully, this article has equipped you with at least some base knowledge of how to secure your code, along with some helpful information. Enabling security monitoring is a crucial element of modern technology, and with so many available open-source security tools available, finding the security that works for you should be easy.
