Open Source and Supply Chain Risk

Although certain vendors of closed-source enterprise software continue to dominate the market, the view of many recent reports is that the use of open source is growing and will continue to do so for the foreseeable future.

In one example, the view is that a global open source market of $27.7 billion in 2023 will grow at around 18% a year on average, almost tripling by 2028 to $75.2 billion.

This feels like a good thing, until we consider the elephant that wandered into the room a few years ago – supply chain security. Previously not thought about all that much, the concept has been brought to the front of all of our minds by a series of supply chain hacks in recent years, which have forced us to focus on the security of our suppliers and the upstream entities on which they depend.

What does this growth in open source mean to us? If reputable companies like SolarWinds – commercial producers of globally respected software – can fall victim to worrying hacks, surely adopting open source in our organizations is a recipe for disaster? Here we have software that could have been written by anyone, potentially published on the servers of companies we might not have heard of. How can we have any confidence at all in software whose provenance is not always certain and potentially a long way from the big, commercial companies we (mostly) trust?

What Is Open Source?

The first part of the answer is to consider what we mean by open source software. Red Hat made an interesting distinction in its 2022 report “The State of Enterprise Open Source”, where it demarcates clearly between what it calls “Enterprise open source” and “Community-based open source”. And it’s a valid point: open source doesn’t simply mean “random and a bit dodgy” – it means that the code behind the product is available for you to see. Just because something is open source doesn’t mean it isn’t produced by a reputable company, with robust testing, decent security, proper upstream supply chain security, and so on. A quick look at Datamation’s list of the “Top 20 Open Source Software Companies” reminds us that the open source world counts among its most prominent members the likes of Google, Amazon, IBM, Intel, Microsoft and Oracle. Open source most certainly isn’t automatically substandard, then, particularly in the commercial products it underpins.

So, what about so-called “Community-based open source”? Surely something with less control over its content, and no corporate oversight, controls and the like, is more susceptible to a bad actor injecting something nefarious which we all then unwittingly download and use? Well … no. Or, at least, not necessarily. Take as an example what’s easily the biggest ongoing open source project in existence – the continuous development of the Linux kernel. Around 15,000 people have contributed to the kernel over the years, with development overseen and coordinated by Linux creator Linus Torvalds. One would think that such an approach is fraught with risk – one bad-actor developer and the kernel’s security is compromised.

But no – the opposite is in fact true, because of the very nature of community-based open source development. A massive band of developers equates to a massive number of people who scrutinize new code snippets. When a developer “commits” (submits) a new piece of code, Torvalds doesn’t simply hit “Build” and it’s in the kernel. Instead, the developer community will look at the new change, consider whether it’s the most efficient it could be, look for bugs, and so on. The finest brains in the land look at the code, and the chances of a piece of malicious code finding its way into the software are in fact very low indeed.

Of course, this doesn’t mean that all open source code, particularly community-built stuff, can be relied on – it would be unreasonable to think that the total number of compromised open source applications is zero. After all, one of the most common arguments open source zealots use when trying to get us to adopt such software is: “But the code’s right there for you to look at, so you can see under the hood at how it works” … which is true, but who has the skills to do so, and does anyone ever bother? Just because people can do something, this doesn’t mean they do it.

It’s a Matter of Risk

Due to this, we wind back to the core principle of cybersecurity: a risk-based approach. Should one have a high degree of confidence buying, downloading and installing one of the commercial Linux operating systems? Yes, of course – not least because part of what you’re buying for a few hundred dollars is the assurance of proper testing, security scrutiny and the like. But what about free stuff like, say, the Apache web server or Tomcat? Again, the Apache Software Foundation is reputable, its software reliably used globally. At the other end of the scale, though, would we trust a piece of software that someone we’ve never heard of has put in the public domain via a web site we’ve not really heard of either? Of course we wouldn’t! Our instinct does the risk assessment for us and tells us at the very least to look under the hood or ask around to understand the risks.

In reality, then, the primary cyber risk in an open source world isn’t the fear of an attacker injecting malicious code into something we buy, download and use. No: the biggest threat is the simple old problem that even the best code has bugs (if it didn’t, things like Patch Tuesday wouldn’t exist).

So, the greatest risk is, and always will be, unwitting vulnerabilities that were introduced by developers and not picked up before the release happened.
