Possible uses and risks of open source software - These 6 aspects you should consider when using it!
by Svenja Koch
Companies like to use open source software (OSS) especially for certain functions outside the central systems. However, the use of such software does not only have advantages. When there is a risk of cyber attacks that can be traced back to the use of open source software is just one aspect that is highlighted in this blog post.
What is Open Source Software?
OSS are programmes where the manufacturer has published the source code. Everyone therefore has the opportunity to view this code. This also opens the way for changes to the source code, which is explicitly desired in open source software. The users themselves are often the driving forces behind the further development of this type of software. It is also part of the rules that changes and further developments also fall under the open source licence. Thus, these adaptations can also be used freely and the code must be publicly accessible.
Furthermore, OSS is usually free of charge and can be used in the company without restriction. There are no restrictions on use with this form of software. Accordingly, copying, distribution and use are permitted without restriction. Many well-known programmes are published under an open source licence. Examples include the office software Apache OpenOffice or the database software MySQL, which is frequently used by companies.
1. Possible uses of open source software
The range of OSS covers all conceivable areas of application. This starts with operating systems such as Linux and extends to applications for very specific tasks, such as Elasticsearch for setting up a search engine. In some task areas, this form of software has become established. This is the case with web servers, for example. The Apache HTTP Server is one of the most widely used web servers. LibreOffice and other open source office software is predestined for use in companies. For access to the internet, many also use open source software, for example Firefox or Chromium, sometimes unconsciously. Smaller companies in particular like to use this type of software, as no licence costs are incurred. Accordingly, the use of OSS is firmly anchored in many companies. A study in 2019 found that around two-thirds of the German companies surveyed use open source software.
2. Advantages of using open source software
There are some clear advantages to using OSS, which are particularly interesting for entrepreneurs. The first and decisive point is free use. Licences for software products are often expensive, especially if commercial use is planned. Then the costs increase with the number of installations. In addition, many commercial software products incur annual licence fees. With open source software, all these licences and costs are eliminated. The programmes can be installed as often as desired and used without restriction.
In many situations, the high quality of these programmes also speaks in favour of OSS. In some cases, these products are so good that they have displaced other commercial software products and have a virtual monopoly. This is the case, for example, with the Apache web server and also in the area of operating systems, Linux as an open source platform offers all the functions that companies need in everyday life.
The large communities behind many of these open source software products are another plus point. Thus, many developers drive the progress of the software. On the one hand, this ensures that new, helpful functions are incorporated into the software. On the other hand, thanks to the open source code, errors are noticed more quickly. The communities often correct such weaknesses or malfunctions quickly. Thus, open source software products convince with a high degree of reliability and professionalism. In some cases they surpass commercial products in this respect, which depend on the responsible developers putting the necessary work into improvement and optimisation.
3. The IT security risk when using open source software
There are also negative aspects and risks when using open source platforms. It is important that companies are aware of these points before they make the decision to rely on an open source infrastructure.
One of these points concerns support. Commercial software intended for business use usually has good and direct support. This often includes individual assistance or even support in the development of special components. In the case of OSS, official support is lacking in many cases. Although there are sometimes forums and communities in which development is discussed and help is also possible, these are enthusiasts and private individuals. In certain cases there are exceptions, for example with the Linux distribution Red Hat. Although this is based on open source, it still offers professional support via a subscription model.
In the event that no support is available, the IT department is called upon to seek help on these platforms. This may involve an enormous amount of work. The same applies to liability. If cyber attacks occur via IT security vulnerabilities in an open source platform, there is no assumption of liability for the damages on the part of the publisher.
4. Legal aspects worth knowing
A look at the licence conditions is also advisable. After all, open source does not mean that users do not have to abide by any rules. In the worst case, companies are liable for damages or face injunctions if they violate usage restrictions. In this context, copyleft in particular plays a central role. Copyleft gets its name from copyright, i.e. the protection of intellectual property. OSS often uses this licensing model. Copyleft stipulates that further developments, improvements and other changes to the software also fall under the same, basic licensing conditions. In practice, this means that companies that make adaptations to an open source software via the open source code must also make these further developments publicly available.
5. Good to know: The management of open source platforms
Another print that can become an IT security risk if neglected concerns the management of open source platforms. In the area of licence software, Software as a Service is also so popular because the service provider and supplier of the platform takes care of all the tasks. This includes updating the software as well as controlling potential cyber attacks. However, if a company uses OSS locally, all this falls within the remit of its own IT. First and foremost, this includes monitoring the up-to-dateness of the software. In addition, with open source software this makes for increased effort. Commercial software usually works with an update schedule. For example, an update package then appears once a month on a fixed date. This makes it easier for the IT department to plan update processes. With OSS, updates often appear irregularly and without a schedule. In some cases, these updates close IT security gaps that hackers use for cyber attacks. For this reason, timely updates are important, otherwise the platform becomes an IT security risk.
This means that the IT department must closely follow the development of the OSS platforms used. This increases the workload and practice shows that employees quickly neglect such tasks. It also requires IT staff with experience in managing platforms. Staff not only ensure that the OSS platform is always up to date and does not pose an IT security risk, but also control the compatibilities. This is important for the integration of open source into the existing IT landscape.
6. Open source code - open door for malware?
There are always concerns about the open source code in this type of software. The argumentation boils down to the fact that attackers find it easy to smuggle in malware and thus launch cyber attacks.
Fitting to this aspect, heise.online reported a few days ago about a security leak Thunderbird: The still quite new OpenPGP implementation of the mail programme stored the secret keys in plain text on the user's hard disk. This meant that the master password intended for protection was not used. Attackers would thus be able to read all encrypted mails in the future or even digitally sign their own mails with the identity of the victim.
The danger of risky IT security vulnerabilities in the software is reduced by the fact that open source ensures transparent structures, so that manipulations are usually quickly noticed. This is especially true for large and active open source projects such as Firefox, the Linux operating systems or OpenOffice. This software has such a large and active community, which is also managed by non-profit organisations, that there is no IT security risk from the software itself. In the case of Firefox, for example, the Mozilla Foundation is behind the browser and manages updates to the software, so that cyber attacks via manipulated programme components are ruled out.
A real scenario, on the other hand, is the so-called dead-end fork effect. This is when an open source project is abandoned by the community. With commercial software, the user always has the guarantee that support and functionality will be available for the duration of the licence. This is not necessarily the case with open source platforms. This danger is particularly imminent with smaller, less well-known open source platforms. Then updates no longer appear, so that cyber attacks pose a danger due to any security gaps that may occur. IT security risks and potential cyber attacks due to the dead-end fork effect can only be avoided if the company as the user continues the project itself or changes the platform immediately. Companies must take such situations into account as part of risk management and plan for fallback options. Otherwise, a sudden dead-end fork effect can threaten IT security and the company's ability to act.
In principle, there is nothing to be said against the use of open source software at the enterprise level. The prerequisite is an evaluation of the specific software as well as precise planning and strategy. Otherwise, the platform becomes an IT security risk and thus favours the danger of successful cyber attacks.
In order to adhere to compliance rules, it is important to know exactly the licensing conditions of the individual software. Otherwise, OSS quickly becomes an IT security risk for the entire company. Violations of licensing regulations such as copyleft lead, in the worst case, to lawsuits that cost the company dearly.
The prerequisite for the wider use of OSS is an appropriate security strategy. In this context, a uniform approach is developed that is used to test each individual open source solution. This includes the development of an open source compliance that takes into account all risk factors. Part of such a strategy is also the assessment of the extent to which the software poses an IT security risk or whether the platform is vulnerable to cyber attacks.
However, without responsible people in one's own IT department who have the appropriate knowledge and the resources to maintain such open source solutions, it is difficult to consistently implement such a strategy. If this basis is missing, OSS quickly becomes an IT security risk and serves as a gateway for cyber attacks.