April 19, 2025
How safe is open source when people increasingly trust it?

December 6, 2024

Open source is a godsend for developers, but sometimes a curse. How secure is open source code today?

Let us go back to the end of 2021. The world stood still for a moment, and not only because of Covid-19. Log4j, a logging library used by millions of Java-based systems, contained a vulnerability. “A programming error allowed hackers to execute their own malicious code via Log4j and even connect to an external server to download malware from there,” says Dirk Deridder, Director IT Infrastructure, Systems, Services & Support at Smals.

Almost no one was immune. Those affected included Apple’s iCloud, services from Cloudflare, Amazon, VMware and IBM, Twitter and the gaming service Steam. Fortunately, thanks to additional security measures, attacks were stopped.

What made this so complicated? Apache, which maintains Log4j, released a patch for the zero-day, but that alone was not enough. After all, many companies use third-party software with Log4j embedded in it. They had to wait until each of their software vendors had applied the Apache patch and then roll out those updates themselves.

The Log4j case was a worst-case scenario in which open source came off badly. Deridder: “Everyone who works with open source has a powerful tool. As long as you are sufficiently aware of this power.”

Transparency

An open source environment is based on transparency: the code you share is visible to everyone. This has a positive effect on the quality of the code. Developers are reluctant to share sloppy code because they run the risk of being corrected or publicly criticized. The open character ensures quality.

“With open source you work with different people, but not within one company. This means that you are obliged to adhere to certain standards, so that vendor lock-in has no chance,” says Deridder. These open standards provide a high level of portability and allow developers to use the same code on different platforms.

Security

Although open source is a community of developers who share the same goal, that does not make it immune to external threats. The ultimate responsibility for the code lies not with the person distributing it, but with the end user who adopts it.

“A volunteer developer who shares code in their free time cannot be expected to have the resources to detect malicious code or practices,” says Deridder. It is therefore the responsibility of the end user to review the adopted code for malicious elements, although this is not always feasible with tens of thousands of lines of code.

Open source has become so commonplace that it isn’t talked about enough.

Dirk Deridder, Director of IT Infrastructure, Systems, Services & Support at Smals

Deridder sees major challenges for the open source model as the number of cyber threats grows. Attackers are increasingly targeting open source projects, which brings new challenges. “But I look at it positively: this could be the electric shock needed to get open source back on the radar,” says Deridder.

SBOM

At Smals, Deridder attaches great importance to the SBOM, the “Software Bill of Materials”. “You can think of it as an ingredients list for software. It is a list of all components, libraries and frameworks used in a particular software product.”

The SBOM often also contains important information such as component versions, licenses and known security issues. “An SBOM is valuable because you know what software you have in the company.”

According to Deridder, this allows companies to manage and secure their products better, and largely automatically. Various regulations and standards now require such an SBOM. A final benefit is cost efficiency: you know what is deployed where, and a better overview means faster fixes, which saves money.
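The Log4j case and the SBOM section above come together in one practical check: given a bill of materials, find every copy of an affected component, including copies embedded inside a vendor product. The following is an added example by the editor, not code from Smals or from the article; it reads a CycloneDX-style JSON SBOM (CycloneDX is a real SBOM format; the sample document and the advisory list are constructed here so the script runs offline) and reports each log4j-core in the affected version range, with the dependency path that explains which vendor package brought it in.

```python
"""Scan a CycloneDX JSON SBOM for components in a known-vulnerable version range."""
import json
import re

# Constructed sample SBOM in CycloneDX 1.4 JSON layout. "vendor-portal" is a
# hypothetical third-party product that bundles its own log4j-core, which is
# exactly the embedded case that delayed patching in 2021.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "application", "name": "vendor-portal", "version": "3.2.0",
         "components": [
             {"type": "library", "group": "org.apache.logging.log4j",
              "name": "log4j-core", "version": "2.14.1",
              "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
         ]},
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.0-beta9",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.0-beta9"},
        {"type": "library", "group": "org.slf4j", "name": "slf4j-api",
         "version": "1.7.32"},
    ],
})

# Constructed advisory list: (group, name, first affected, first fixed).
# The range used here matches the widely published Log4Shell range for
# log4j-core (2.0-beta9 up to and including 2.14.1, fixed in 2.15.0); in
# practice this table comes from your vulnerability feed, not from a script.
ADVISORIES = [
    ("org.apache.logging.log4j", "log4j-core", "2.0-beta9", "2.15.0"),
]

_PRE = {"alpha": 0, "beta": 1, "rc": 2}  # pre-release tags in ascending order


def version_key(v):
    """Sortable key for Maven-style versions such as 2.14.1 or 2.0-beta9.

    A final release sorts after any pre-release of the same number, so that
    2.0-beta9 < 2.0 < 2.0.1. Unknown pre-release tags sort before 'alpha'.
    """
    m = re.match(r"^(\d+(?:\.\d+)*)(?:-([a-zA-Z]+)(\d*))?$", v)
    if not m:
        raise ValueError(f"unparseable version {v!r}")
    nums = [int(x) for x in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))          # 2.15 == 2.15.0
    if m.group(2):
        pre = (_PRE.get(m.group(2).lower(), -1), int(m.group(3) or 0))
    else:
        pre = (9, 0)                        # final release
    return (tuple(nums), pre)


def is_affected(version, first_affected, first_fixed):
    """True when first_affected <= version < first_fixed."""
    k = version_key(version)
    return version_key(first_affected) <= k < version_key(first_fixed)


def walk(components, path=()):
    """Yield (path, component) for every component, descending into nested ones."""
    for c in components:
        here = path + (f"{c.get('name')}@{c.get('version')}",)
        yield here, c
        yield from walk(c.get("components", []), here)


def find_vulnerable(sbom_json, advisories=ADVISORIES):
    """Return a list of affected components with the path that pulled them in."""
    bom = json.loads(sbom_json)
    hits = []
    for path, c in walk(bom.get("components", [])):
        for group, name, lo, fixed in advisories:
            if (c.get("group") == group and c.get("name") == name
                    and is_affected(c.get("version", ""), lo, fixed)):
                hits.append({"path": " > ".join(path),
                             "version": c["version"], "fixed_in": fixed})
    return hits


if __name__ == "__main__":
    for h in find_vulnerable(SAMPLE_SBOM):
        print(f"{h['path']}: {h['version']} affected, upgrade to >= {h['fixed_in']}")
```

Run against the sample, the script flags the embedded 2.14.1 inside vendor-portal and the stray 2.0-beta9, and leaves 2.17.1 alone. The path in each hit is the operationally useful part: it tells you which vendor you have to chase rather than which jar you can patch yourself, which is the distinction the article draws.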

Nano communities

“In theory, open source is the safest code because the whole world can see it. Unfortunately, that is a dream. The reality is that for the hundreds of millions of packages, there aren’t enough people in the open source community to fully understand everything,” says Deridder.

He describes Linux as a bastion with strong leaders. “That is true there, but at the same time there are tens of thousands of others who are also building something, releasing the code as open source because it served them, and walking away with peace of mind. Those are often nano-communities. That is the Achilles heel of open source.”

Deridder lives and breathes open source and wants to spread this message as widely as possible. “At Smals we promote the use of open source and have built our own micro-community called ReUse.” There, code commonly used by government agencies is “recycled”. Smals recently launched an improved website with a continuously updated catalog of a hundred reusable components: APIs, systems, libraries and products.

Source: IT Daily
