The pros and pitfalls of security for open source

Mar 19, 2020

opinion_blog

Open source software (OSS) presents both a risk and an opportunity when it comes to information security. It is very different from handling proprietary, closed-source software and services, where consumers have no choice but to unconditionally trust the vendor to do the right thing. Relying on vendor assurances alone has often proven unreliable.

With OSS, however, the vast ecosystem of contributors, methods and software components allows for rapid development and quick time to market, as well as a valuable feedback channel. OSS doesn’t actually improve security by publishing code alone, but by building a community that helps enforce transparency and continuous improvement. 

It can also be hard to predict the operational risks of some OSS components. Maintenance for more niche components may come to an end, for example, or maintainers go rogue. This is why it’s essential to monitor sources closely and evaluate their maturity. You can also use automated tools to check for known security issues on external components and update them when necessary. Agile methodologies make it much easier to do this efficiently and build security awareness into the daily routine of an organisation.  

Components aren’t the only OSS security consideration. Many organisations use third-party sources to set up their service infrastructure, for example, pulling Dockerfiles from a public repository. This introduces the same risk at a different level, as malicious code could get injected right to the core of the development or service operations lifecycle. 

Deploying locked-down, unmonitored and outdated IoT devices across an organisation is another disaster waiting to happen. Even if the software running there is usually OSS, the user is fully dependent on the vendor to take care about patching vulnerabilities – and, we now know that security is not part of most suppliers’ business models. 

Open-Xchange encourages users to provide direct feedback on security issues within OX products, including external components that are being used.  We aim to maintain a very low barrier of entry to do so and compensate security researchers through our ‘bug bounty programme’, as well as professional penetration tests. And, of course, being part of the OSS community works both ways – at the same time Open-Xchange looks out for vulnerabilities in external components and reports them to the affected projects. 

 

About the author

Katie Smid

Katie Smid

Senior Business Development Manager

Categories

Related Articles

Move your email from a cost center to a profit center

More than half of the world’s population – 4.2 billion people – now uses email, with this number predicted to increase to...

Errol Vanderhorst Jul 25, 2023

Super-Charge Your 5G Network by Moving DNS to the Edge

The number of 5G subscribers is expected to exceed 580 million by end of 2021, with 3.5 billion subscribers predicted in...

Neil Cook Mar 8, 2022

European Digital Sovereignty and Open Source

The negotiations around the Digital Markets Act – the new European regulation that aims to restore competition and promote...

Vittorio Bertola Feb 22, 2022

Email resellers and hosting companies are letting their...

Being able to offer customers a wide portfolio of products and services allows email resellers and hosting companies to...

Antonella Foti Feb 9, 2022