“Is Open Source Software Secure?”
By Scott Hamilton
Last week I wrote about the major upheaval in the open source software community over the decision made by Red Hat to restrict access to its operating system source code. This raised some questions in my mind about the security of open source software, especially with regard to its widespread use in high security government facilities. What is it that makes open source software safe for use in high security environments?
You don’t have to take my word for it. The US government Cybersecurity and Infrastructure Security Agency (CISA) has a complete division dedicated to ensuring a secure open source software ecosystem. As it turns out, all levels of government have become critically dependent on open source software (OSS) as opposed to commercial off-the-shelf (COTS) software. There are a couple of reasons for this dependency, in no particular order. One is the cost of software licensing in government facilities. Currently the federal government employs about 4.5 million personnel, including one million military reservists. Imagine the cost of providing every employee even a ten-dollar-a-year software license for e-mail, as an example. Most federal agencies utilize sendmail, which is OSS, over Microsoft Exchange Server at $12 per user per month. The savings on e-mail services alone equate to over $45 million a month.
Believe it or not, cost is not the driving factor for most decisions to utilize OSS. The main driving factor is the ability to customize and control the software as needed. Just as you would not expect to be able to change the engine in your car every day, you cannot expect COTS software companies to modify software to meet your exact needs. However, if you are using OSS and want or need an extra feature, or need a feature to work differently, you have the freedom to modify it. You can change any aspect of the software as needed. This is a very big deal for government facilities.
The best example is cryptography libraries. We use cryptography every day when we access the Internet. You use it for online banking, logging in to your e-mail accounts, and even while searching on Google or Bing. Any time you notice the URL (address bar) in your web browser display a lock and the letters https before the address, you are using cryptography to encrypt the information you share with the site and the site shares with you.
Most websites use industry standard cryptography libraries with RSA or TLS technology. Both technologies rely on the exchange of keys (or secrets) between the host and the site, and use these shared secrets to make sure no one without both secrets can read the information in transit. However, secret-level communications over the Internet utilize customized keys and libraries to make it nearly impossible for the messages to be intercepted and deciphered. The ability to replace these technologies in OSS is critical to national security.
As the dependency on OSS increases in government, CISA has inserted itself in the OSS community to supply guidelines and monitor development efforts of critical software components. CISA has four main goals in its OSS security roadmap. The first goal is to actively support the community by engaging with OSS developers and teams. The second is to drive the visibility of OSS projects within government agencies. The third is to help reduce the risks to the federal government by providing guidance to federal agencies and driving federal action on OSS security. The fourth and final goal is to harden the OSS ecosystem, which boils down to traceability of the software supply chain: ensuring that the originating source of every critical component in the ecosystem is known. If you would like to learn more about the efforts of CISA and its cooperative agreements with the OSS community, a great place to start is https://www.cisa.gov, in particular the paper at https://t.ly/yXcjq. Until next week, stay safe and learn something new.
Scott Hamilton is an Expert in Emerging Technologies at ATOS and can be reached with questions and comments via email to sh*******@te**********.org or through his website at https://www.techshepherd.org.