Open Source’s Impact on Cybersecurity
- by Justice Levine
Open-source software rose to popularity at a time when the Internet was just being formed - Amazon and eBay were just coming online, and issues related to security and credential theft were primary concerns.
Guardian Digital CEO and founder, David Wreski, was able to develop applications that provided the privacy and protection that organizations needed using Open Source much more securely and cost-effectively than the proprietary alternatives at the time.
Now, vendors are feeling pressure from consumers to be hyper-transparent about data collection, vulnerability disclosure, and security weaknesses. Open Source provides that transparency. But more has to be done. Organizations have to work with vendors to encourage greater collaboration between the communities.
This article will introduce some tips organizations can follow to utilize the benefits of the open-source development model to proactively protect their users and their assets.
Guardian Digital's Philosophy on Email Security
Open Source is built upon supporting creativity and the developer community, a value that is also extremely important to us at Guardian Digital. Behind every product, there is a story of how it came to fruition: an emerging engineer introducing his work to the world; developers working collaboratively to create a new development paradigm where only the best software survives; a seasoned programmer helping small businesses improve productivity and decrease costs.
Guardian Digital is the sum of these stories, where we build a community of passionate users who love and can relate to these stories behind our products. Our goal is to grow our open-source family as well as a strong following of customers who celebrate the open-source development model and find camaraderie with other inspired developers aiming to create a better internet.
As a new age of business emerges, our commitment to developing the leading edge in email security solutions remains intact, as does our promise to maintain a remarkable experience for our customers, a work environment for team members, and an online and offline space that celebrates innovation and inspiration for our community of developers, users, and security experts.
Impact Of Using Open Source Software On Cybersecurity
Experts are readily able to gauge risks associated with open-source, as installed code may sometimes have bugs that are then integrated into enterprise software. This effectively creates vulnerabilities and risks of data breaches for the organization, its customers, and partners.
Threats of IT attacks brought on by the pandemic have resulted in an increasing number of cybersecurity professionals leaning on Open Source as a resource for protecting customers while staying ahead of security issues. By implementing open-source software, your company will minimize development costs while freeing developers to focus on other tasks. Open-source software is also cost-effective, and its code can be opened and inspected should a problem arise, instead of waiting for a vendor.
Open-source threat intelligence is a widely adopted and effective tool that helps to identify risks and growing threats to safeguard the valuable data assets of your organization. Thanks to developments and advancing computer technologies, open-source threat intelligence continues to recognize vulnerabilities in every industry.
Open Source In Cybersecurity
Open-source tools have become widely used across IT operating systems, application infrastructure, development, and other vectors. Open Source as a security tool has yet to be properly recognized in the cyber defense realm. However, the time has come for cybersecurity professionals to take another look at the role Open Source can play in defense. Affordable and unified software can play a big role in the face of a cyberattack, as well as play a role in protecting business email.
If you have more security products, you will also need more time, effort, and personnel to invest in management. Consider a set of open-source tools that are specifically designed to block threats such as ransomware and others. A basic security stack should be able to:
- Visualize attacks: Map entire networks from a single location, as well as interconnectivity to identify lateral movement.
- Simulate attacks: Prepare for attacks with practice fire drills. Using data in black hat databases to simulate how ransomware could spread during an attack, defenders can prepare and reduce the damage from such attacks.
Cybersecurity experts can quickly gauge risks associated with open source. For example, a programmer might accidentally implement faulty open-source code into an enterprise software application. This may leave the organization, its customers, and partners vulnerable to data breaches. As open-source becomes more common in professional settings, collaborating on product integrations and threat intelligence as a security vendor becomes more of a necessity.
Open Source in Security Defense
Cyber thieves operate in collaborative groups, as should companies. The current operation of cybersecurity is in the silos of many companies that all depend on the same single provider for each application they use. Open Source enables companies to collaborate and share while development extends beyond any one company to the entire open source community. This includes researchers and institutions, all looking at the same code and improving it. Wreski said, “Open source is a superior vehicle for developing secure applications.”
Cybersecurity professionals increasingly understand the importance of open source and are using it to protect customers and stay ahead of cyber threats. Not only does adopting open source reduce the overall cost of development, but it also provides additional features. Not every organization has the skills internally to fix issues or adapt the code to its particular needs, but the code is still available to hand to developers working on the organization's behalf. “Open source allows organizations to gain access to developers and cybersecurity experts beyond the bounds of any one company,” said Wreski. Organizations relying on proprietary vendors for their applications also rely on them to disclose vulnerabilities on their schedule, then deliver fixes to you in a reactive manner. Guardian Digital’s EnGarde email security program is a testament to the benefits that come from implementing an Open Source approach.
Making Open Source Software More Secure
As more users begin to rely on open source, industry and government must also come together to establish universal standards for security, maintenance, provenance, and testing. This will help to ensure national infrastructure and other important systems can rely on open-source projects. Standards must be agreed upon through a collaborative process, emphasizing frequent updates, continued testing, and verified integrity. The open-source community has already begun to make strides: the Open Source Security Foundation (OpenSSF), for example, is already working across the industry to develop standards.
Technology companies are donating $30 million toward a two-year goal to bolster software supply chain security after a follow-up to the White House summit convened by the National Security Council. This is part of larger efforts within the industry to correct imbalances that some officials feel have led to security problems in open source. This funding from tech companies is sizable, unlike previous investments, but ultimately pales in comparison to the cost of remediating a major vulnerability. These summits are crucial to helping the industry strengthen the security of the software supply chain.
Leveraging Open Source Can be Powerful for Cybersecurity
Cybersecurity falls short in teamwork and communication as vendors and end-users rarely communicate as a broader force. While innovation may happen for individual products, it may show through a client’s work. Customers are hurt by an incomplete landscape of security that can create gaps that threat actors may be ready to exploit. Moving forward it is of the utmost importance that end-users and vendors develop a window of communication to avoid creating vulnerabilities.
Across the technology industry, ranging from operating systems to applications and data management, there are opportunities for Open Source innovation. Today nearly 70% of users run Linux, an open-source operating system, while over 40% of applications and data projects also use open-source.
The complex issues that cybersecurity professionals face today are similar to the data center management issues faced in the past. Guardian Digital CEO Dave Wreski reflects, “As a former engineer at UPS, I found an easier way to develop open-source security applications than the proprietary alternatives at the time.” Open security opens doors into an entire community at your service when previously there was only the option of trusting the vendor, your own developers, and security experts. Universities and researchers are also looking at the same code and attempting to make improvements, sharing and identifying problems to fix them sooner than could be done in-house.
The Next CyberSecurity Frontier
Four dimensions comprise open security:
- Open standards to facilitate interoperability between security tools.
- Open-source code to fill gaps in security products and to create new capabilities.
- The use of analytics and threat intelligence, as well as sharing of best practices.
These elements come together to tear down security silos while enabling the industry to more rapidly innovate and source ideas from the community.
Open security means that enterprises will have other options and won’t have to continue relying on one single supplier. Justin Youngblood, vice-president for IBM Security, said at the IBM Security Virtual Summit of 2020, “You have an entire community lined up in support of a particular standard and to deliver open-source codes and technologies.”
Open security will lead to more secure code since contributors can review the code base, make improvements, and share that technology to identify and remediate challenges.
Building Trust and Security with Open Source
Vendors have not always been forthright about how platforms were built, what security measures were in place, or how user data was used. Both consumers and businesses have grown wary of undisclosed data collection and security weaknesses, and vendors are being pressured to change how they operate. In response to this, the next big change to come will include hyper-transparency.
An open-source framework demonstrates a proactive approach to sharing security measures on the vendor’s part, while also allowing for constructive criticism to make improvements and enabling auditing of the software by a third party.
Security of Open Source Needs a Policy
Because open source is so pervasive, it is an attractive target for cybercriminals, and that requires a solution. Recent incidents such as the Log4j vulnerability reflect patterns of criminal and state-sponsored attacks on open-source code. Potentially thousands of targets could be compromised as these tools can be used as a route into the open-source ecosystem.
President Biden’s Executive Order 14028 was limited to the cybersecurity of the federal government and did not completely address risks associated with open source. Current efforts to secure the open-source software supply chain are insufficient. Ultimately, more initiatives must be made, starting with Congress, then the Department of Homeland Security, and finally the federal government on a holistic scale. Three ways to develop better policies for open-source security include:
- Funding is the first necessity. After the discovery of the Heartbleed vulnerability in a cryptographic web library, the private sector began to fund open-source security efforts. The investment has grown slowly. However, outside of targeted bug bounty programs, the government’s investment has failed to match up, and funding to secure open-source projects is insufficient. Congress should pass the Critical Technology Security Centers, legislation that proposes a center for open-source software security, among others, that would allow the Cybersecurity and Infrastructure Security Agency (CISA) to prioritize investments by the Department of Homeland Security into the most impactful open-source projects, tools, and potential targets.
- Next, CISA should lead federal prioritization of vulnerability mitigation and patch enforcement efforts, for both vulnerabilities in the open-source supply chain and for the infrastructure that coordinates and supports the open-source ecosystem. CISA should lead a coordinated federal-private sector effort to identify these critical nodes in the open-source ecosystem and funnel funding and tooling toward securing them.
- Lastly, the ongoing Federal Acquisition Regulations (FARS) reform effort combined with CISA and Office of Management and Budget binding operational directives can make the federal government a leading motivator for these hubs to provide better security tools to their users and stronger enforcement of good security practices.
As businesses move forward, it is imperative that systems, infrastructure, and tools are reliable. To achieve this, vendors must be more transparent and the government must ensure these security measures are enforced, as customers continue to focus on security, privacy, and trust for their tech investments. We are now relying more than ever on tech at the individual, team, and organizational levels. For companies looking to adopt transparent practices and prove their claims, open source provides the best approach for users to have the most in-depth comprehension of their technology platforms.