Myth versus fact: Open source projects and federal agencies

More federal agencies are shifting to open source which could be great or it could open the door to greater vulnerabilities

Many agencies in the federal government use approved public repositories for open source software development. According to the General Services Administration (GSA) GitHub dashboard, there are 236 federal organizations using a combined 5,254 project repositories.

More federal agencies are increasing their use and creation of open source software to achieve their IT objectives. In order to best prepare for the implementation of even more open source projects, federal agencies need to understand the facts among the many misconceptions and myths surrounding public repositories. 

What's mainly driving the increased use of open source in federal agencies is the reduced costs of a shared platform; however, Jay Jaiprakash, director of technology, Sapient Government Services said, "The shift to open source requires looking at several factors, such as culture, innovation, and architecture to be able to successfully employ the software."

Security practitioners in federal agencies shouldn't be bamboozled by the bandwagon effect of propaganda. Before making the jump simply because everyone else is doing it, it's important that they know their agency.

[ ALSO ON CSO: Your open source security problem is worse than you think ]

"Specific to culture and innovation, an agency must develop the right environment from how new ideas are rewarded to having the right policies. The governance and security teams should collaborate as the combined expertise benefits everyone from the latest ideas to the new enhancement," Jaiprakash said.

In addition to the cost benefit, Jaiprakash said, "Open source provides agencies the opportunity to seek the best solution as they are not tied down to a vendor, their products or upgrade paths."

Because the security ecosystem is forever changing, shared platforms allow for unforeseen circumstances, so Jaiprakash said, "As the agency evolves, this flexibility allows for switching out technologies that don’t work or moving towards a loosely coupled or decoupled architecture, enabling even more flexibility to take advantage of open source components."

According to 18F's "Facts about publishing open source code in government," written by Britta Gustafson and Will Slack, one myth about open source specific to federal agencies is that, "Public repositories are an emerging technology without widespread government use. The people using them are probably not paying full attention to compliance.”

Jaiprakash said, "Although the security risk profile for open source can be considered higher than with propriety software, open source actually includes more testing and reacts quicker with fixes due to the community participation and volume of users."

Another myth Gustafson and Slack challenged is the notion that, "Public repository hosting services are social networking tools with dubious collaboration features; using them would lead to our projects getting unreliable external code mixed into our official work.” 

The truth, said Gustafson and Slack, who referenced the specific policies of 18F as an example, is that federal agencies are actually able to fully control access and permission for their shared repositories.

Establishing controls and policies is critical for protecting these official repositories. said Jaiprakash. "Overall, federal agencies should use caution bringing in any open source software and have the right set of governance deployed as security is always a concern with any product," he continued.

[ RELATED: Open source security is not as big of a concern as it once was ]

Still many remain tentative about making a shift to open source. Mike Pittenger, vice president of security strategy at Black Duck, said, "It becomes a religious argument at some point. It's neither more or less secure."

Instead, what is most important about open source is the characteristics that make it attractive to an attacker. "It's used everywhere. If you're an attacker, you try to find the path of least resistance. The target has to be worthwhile, so you go after a target rich environment," Pittenger said.

Most of the risk from open source is when they don't manage it well. "They have no support model unless it's paid support. There is no [service-level agreement] that you would have with the vendor," Pittenger said.

Because most organizations really don't know what they are using in their open source projects, they have no controls. "If we purchase a license from a vendor, we have an SLA, they are required to push out a patch. Open source has the exact opposite," Pittenger said.

When an agency elects to use code from a public library, the onus of responsibility is then on them to monitor that code. "It's only risky if you aren't keeping track of what you are using," Pittenger said, "but if I didn't use open source, I'd have to write everything from scratch."

While many agencies are reliant upon open source, those who make the investment in tracking use are in the minority, said Chris Eng, vice president of research at Veracode

"Most people are using open source somewhere. Nobody is writing a completely new piece of software from scratch. They are always using libraries, or sometimes it's a mix of commercial and open source," said Eng. 

The risk is that most of those people have little visibility into exactly what they are using. "Developers use a library for this and a library for that. No one is keeping track of what all those things are, which makes it tougher to track, especially when a Heartbleed comes out," said Eng.

When security practitioners or even developers don't know whether what they are building has a particular component, they can't properly monitor. This lack of visibility of what is going into the software is the security risk for both commercial and open source, said Eng.

"Large development teams don’t want to reinvent the wheel, so they grab from a library to do that. If I want to add a feature that will upload profile photos, I'm not going to write new code that will let me, I’m going to use an image processing library to do that," Eng explained.

The problem is that there is no centralized place where people keep track of all the different versions of the library. "Once it's working, they don’t go back and keep those up to date. When a vulnerability is found, they update with new versions. Your product becomes more and more vulnerable because it's inheriting all those vulnerabilities," Eng said.

Not keeping track of what they are using or keeping their products up to date is more a function of the lack of a centralized process rather than a technical challenge.

Eng said, "Adding open source doesn’t make this problem any better or worse. There is an old myth that because open source projects are freely available and anybody can look at the source code that so many eyes means bugs will get patched."

This myth has shown time and time again not to be true. "Even a lot of eyes are not necessarily equipped to find security issues. I would caution anybody looking to go more toward open source because they think it’s more secure because it is not," Eng said.

It's important to know who is backing it, how many developers are behind it, and how widespread is its use. "Understand what is going into your software. Keep track of what vulnerabilities are being discovered. There are a lot of known vulnerabilities out there," Eng said. 

Join the CSO newsletter!

Error: Please check your email address.

More about CSOGeneral Services AdministrationSapient

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Kacy Zurkus

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place