Does Open Source Code make programs more vulnerable?

By Paul Brennecker, Senior Information Security Consultant & Principal QSA

There is something of the Tim Berners-Lee about open source software. Unlike proprietary software, where the code is a jealously guarded secret, open source code is available to everyone. With altruism redolent of the creator of the World Wide Web, there are individuals who produce programs whose source code is made freely available so that others can copy it, learn from it, alter it, or share it. But does this very openness, by definition, make the programs more vulnerable to attack?

The answer to this, perhaps surprisingly, is no. Attackers are highly skilled and are perfectly capable of exploiting the vulnerabilities of both closed and open source programs in almost equal measure. Closed source code may be secret, but that simply presents them with a challenge which they relish. It is also important to remember that it is usually easier to be destructive than creative.

Software developers must avoid making even one security-relevant mistake anywhere in their code, while attackers only need to find one weakness. Moreover, the security problems of programs are often already known. They are often identified by the very people who wish to defend them, in order that they can protect themselves. Attackers use the same techniques to try to find those problems and exploit them.

One approach is for attackers to run the program, send it malformed data and observe whether the program's response indicates a common vulnerability. Because they are looking at the program's behaviour and not its code, there is no difference between open and closed source programs.

Another approach is to search the source code for patterns that suggest security problems. Closed source software, however, is just as exposed, because the same patterns can be searched for in the machine code. Attackers use tools known as 'disassemblers', which turn machine code back into assembly, and 'decompilers', which attempt to reconstruct source code from it; they then search the result for the vulnerable patterns. Alternatively, they can use a binary scanning tool that looks for those patterns directly in the compiled program. This applies to closed as well as open source code.

Even the giants of the internet are not immune to source code theft by determined attackers. Microsoft has had parts of its source code stolen several times, both directly from itself and from another company it shared the code with. What is more, there are disaffected employees who, for their own reasons, release proprietary code details.

Sometimes closed source programs are actually more vulnerable. For example, Trojan horses can be inserted into proprietary code and are, by its very nature, less likely to be found there than in an open source program, because no one outside the organisation is able to review the source code. An added advantage of open source is that if an issue is found, it can be fixed immediately.

Open source code is not necessarily any more vulnerable than proprietary code. Providing a robust defence against malicious attack has little to do with whether the code is open or closed and a lot to do with having access to the correct level of expertise. Using an industry-respected team with the range of knowledge and practical experience of the complexities of the cyber environment is the best form of defence.

Posted 11 months ago