Open to abuse? Software that rules the world – Palatinate


By Sarah Kuszynski

Open Source Software (OSS) has revolutionized the technology industry. Often touted as a panacea by technology evangelists, OSS has become increasingly ubiquitous, with some of the most widely used and well-maintained open source projects including WordPress, Mozilla Firefox, Ubuntu and Audacity. The open source market is also growing, and DigitalOcean predicts that it will exceed $32 billion in 2023. Yet, unfortunately, the story of OSS is not that simple: it has various drawbacks of which developers and non-technologists alike should be aware.

The term “open-source” describes software available under an open-source license that allows source code to be shared and allows anyone using the licensed code to modify it as needed. The antithesis of OSS is called proprietary software, where the underlying code is usually kept “secret”. The main reason for producing proprietary software is to make it easier for companies to monetize their work and thus bind companies to the continued use of specific software. For many small businesses, proprietary software can seem like a very rigid and expensive option.

In contrast, the open source community argues that OSS is cheaper, more reliable, and more secure than proprietary software, as increased transparency should mean any flaws in a program can be quickly detected.

Open source code and software have additional benefits for software development. First, they increase the likelihood that solutions to common problems are readily available and easy to access. As a result, developers are more likely to be able to focus their resources on solving more unusual problems, which reduces implementation costs. Reducing the cost and time it takes for teams of developers to deliver solutions is especially important in an industry as fast-paced as technology, where a team that falls behind risks being overtaken.

Clearly, OSS is at the forefront of accelerating innovation, improving efficiency, and democratizing data. However, this does not mean that open source inherently produces more reliable and secure software.

First, there is the issue of vulnerabilities. Although many developers can share the work of debugging code, when a bug does go unnoticed, the prevalence of some open source code is likely to turn it into a systemic problem. As Patrick Howell O’Neill said, “open source code runs on every computer on the planet.”

Along the same lines, the ease of access to source code makes targeting free software both a tempting prospect and a high priority for hackers. Flaws in open source software are therefore more often attacked than proprietary software. Backdoors in open source code left behind by malicious actors can also escape detection, and hackers can more easily access commercially used code, insert lines of malicious code, and exploit unpatched vulnerabilities.

The “Log4J” project, an open source tool used to “log” activity in software, illustrates the problem above. It supports large parts of the Internet and applications such as iCloud. Yet last year a vulnerability was discovered that the director of the US Cybersecurity and Infrastructure Security Agency described as “one of the most severe”, putting billions of devices at risk. Subsequently, the Log4J flaw was targeted by malicious actors located in Iran and China, who theoretically could have taken control of web servers and critical infrastructure systems for monetary and purely disruptive purposes, simply by sending a malicious character string to a vulnerable machine.

This security dilemma is fueled by the volunteerism that underpins much of the open-source community. An open source engineer from Google pointed out that “it’s extremely common, even for basic infrastructure projects, to have…a single maintainer who doesn’t get paid to work on that project.” This was illustrated by an OSS project called “ua-parser-js”, whose developer abandoned it. The software has been used by big tech companies like Google, Amazon, and Facebook, but the project itself only made $41.61. The lack of incentives and adequate compensation for the production and maintenance of vital free software is a deep flaw in the open source model.

Finally, and perhaps counterintuitively, it can be argued that OSS has made source code less transparent: with such a wide range of software projects, the identity of contributors is often obscured, so accountability for software defects remains an ongoing challenge.

It is clear that OSS is embedded in popular and fundamental software. To mitigate the associated security risks, organizations should ensure that sufficient resources are allocated to the maintenance of software, so as to support the entrepreneurial nature of the open source community without becoming dependent on volunteerism, and to ensure that the software that keeps much of our modern world afloat is trustworthy and secure.

Image: generated by OpenAI’s Dall-E 2
