The pros and pitfalls of security for open source

Mar 19, 2020


Open source software (OSS) presents both a risk and an opportunity when it comes to information security. It is very different from handling proprietary, closed-source software and services, where consumers have no choice but to unconditionally trust the vendor to do the right thing. Relying on vendor assurances alone has often proven unreliable.

With OSS, however, the vast ecosystem of contributors, methods and software components allows for rapid development and quick time to market, as well as a valuable feedback channel. OSS doesn’t actually improve security by publishing code alone, but by building a community that helps enforce transparency and continuous improvement. 

It can also be hard to predict the operational risks of some OSS components. Maintenance for more niche components may come to an end, for example, or maintainers may go rogue. This is why it’s essential to monitor sources closely and evaluate their maturity. You can also use automated tools to check external components for known security issues and update them when necessary. Agile methodologies make it much easier to do this efficiently and to build security awareness into the daily routine of an organisation.

Components aren’t the only OSS security consideration. Many organisations use third-party sources to set up their service infrastructure, for example, pulling Dockerfiles from a public repository. This introduces the same risk at a different level, as malicious code could get injected right to the core of the development or service operations lifecycle. 
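To make the Dockerfile risk above concrete, here is an added example (not Open-Xchange code) of the kind of automated check that flags the riskiest patterns in a Dockerfile pulled from a third-party source: base images not pinned by digest, files fetched with ADD from remote URLs, and downloads piped straight into a shell. The sample Dockerfile and its URLs are constructed for the example.

```python
import re

# Constructed sample: a Dockerfile of the kind one might pull from a public repository.
SAMPLE_DOCKERFILE = """\
FROM python:3.8
ADD https://example.invalid/setup.sh /tmp/setup.sh
RUN curl -sSL https://example.invalid/install.sh \\
    | sh
RUN pip install requests
FROM alpine@sha256:0000000000000000000000000000000000000000000000000000000000000000
COPY . /app
"""

PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b.*\|\s*(sudo\s+)?(ba|z|da)?sh\b")


def _logical_lines(text):
    """Yield (first_line_number, instruction) with backslash continuations joined."""
    buf, start = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = n
        stripped = raw.rstrip()
        if stripped.endswith("\\"):
            buf.append(stripped[:-1])
            continue
        buf.append(stripped)
        yield start, " ".join(buf).strip()
        buf, start = [], None


def lint_dockerfile(text):
    """Return (line, message) findings for supply-chain risk patterns in a Dockerfile."""
    findings = []
    for n, line in _logical_lines(text):
        if not line or line.startswith("#"):
            continue
        inst, _, arg = line.partition(" ")
        inst = inst.upper()
        if inst == "FROM":
            image = arg.split()[0]  # drop any "AS <stage>" suffix
            if image != "scratch" and "@sha256:" not in image:
                findings.append((n, "base image not pinned by digest: " + image))
        elif inst == "ADD" and re.search(r"https?://", arg):
            findings.append((n, "ADD fetches a remote URL with no integrity check"))
        elif inst == "RUN" and PIPE_TO_SHELL.search(arg):
            findings.append((n, "download piped straight into a shell"))
    return findings


if __name__ == "__main__":
    for line, msg in lint_dockerfile(SAMPLE_DOCKERFILE):  # expected: lines 1, 2 and 3
        print(f"line {line}: {msg}")
```

In a pipeline this check would run on every pulled Dockerfile before it is built, and the digest-pinning rule also gives a reviewable record of exactly which image was trusted.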

Deploying locked-down, unmonitored and outdated IoT devices across an organisation is another disaster waiting to happen. Even when the software running on them is OSS, the user is fully dependent on the vendor to take care of patching vulnerabilities, and we now know that security is not part of most suppliers’ business models.

Open-Xchange encourages users to provide direct feedback on security issues in OX products, including the external components they use. We aim to keep the barrier to doing so very low and compensate security researchers through our ‘bug bounty programme’, as well as through professional penetration tests. And, of course, being part of the OSS community works both ways: Open-Xchange also looks out for vulnerabilities in external components and reports them to the affected projects.


About the author

Katie Smid

Senior Business Development Manager
