The Complete Magazine on Open Source

Stop cursing open source software for poor security practices

1.28K 0

open source software security practices

In today’s digital era, hardly a day passes by without any news where a security breach has compromised a business or an organisation. And who’s at fault? There is Microsoft, whose ubiquitous Windows operating systems were compromised after attackers exploited a security hole. Then there is the US government whose Windows hacking tools got into the hands of cybercriminals after leaking to the Internet. Recently, “Equifax”, one of the largest American credit agencies, was hit by a cyber-attack that may have compromised the personal data of around 143 million people. The leaked data included name, address, social security numbers, birth dates and so more. In fact, the cyberattack is now considered to be one of the largest and most intrusive breaches in the US history.

Despite the known threats, many organisations continue to point fingers at open source platforms for poor security practices. But do you really think these platforms are the ones that need to be blamed? Coming back to the Equifax example, soon after this, the company began to examine how the breach occurred, many unsubstantiated reports and theories surfaced in an attempt to pinpoint the vulnerability. One such theory included was the software (an open source framework) to be responsible for the breach. This gave rise to some of the most unwarranted open source shaming.

Soon after the truth was revealed, the company was hacked because it was running an old, insecure version of software — no matter an open source or a proprietary solution. Therefore, it is Equifax that is to blame, not open source.

Importance of keeping software updated

The above incident can be considered as a good reminder to keep our software up-to-date. The good news is that in today’s world, the software would update itself the moment a security patch is released. For instance, WordPress offers automatic updates in an effort to promote better security and to streamline the update experience overall. In the absence of automatic updates, it is always advisable to seek help from a reputable and reliable open source development company that carries out their best effort and expertise in monitoring and securing your site for intrusion attempts.

Security as a practice in and of itself

Now, do you know that two-thirds of problems in software are because somebody did something wrong? Studies reveal that the causes of approximately 67 percent of software security weaknesses and potential vulnerabilities are functional issues. Down below I would like to mention a few steps that must be taken by a software developer to improve security through quality.

Enforce the use of consistent coding standards: The coding style guide requires to be language specific. From file-naming conventions to the representation of non-ASCII characters and the use of wildcard imports, it must cover it all! Also, don’t add rules that don’t improve consistency, reliability, maintenance or security.

Use automated testing tool: The following pointer emphasises on code checking in the integrated development environment with analysis tools like FxCop, Checkstyle and JUnit.

Test for things you don’t want: This includes both positive and negative testing. In a layman’s language, testing must include tests for mistakes by users such as typing a “q” instead of “1” for a phone number as well as when things go wrong such as when a file cannot be opened.

Build and share libraries for validating user input: Common tasks such as write, maintain and shared libraries can be done quite easily.

Take advantage of code reviews: Did you know that peer reviews can catch more than half of all defects? Yes, they help enforce the use of consistent coding standards and are often used as a learning and training tool.

Don’t forget to add security-related requirements: Classify security requirements, such as input validation and functional requirements instead of non-functional requirements. Include white lists (what is allowed) instead of blacklists (what is not allowed). Don’t trust anyone or anything until it is verified, and use an approved encryption for data-at-rest and data-in-transit.

Final thoughts

In today’s world, the desire for great mobility and vibrant partner ecosystem has led to high level of threat. Due to this intrinsic demand, one must adopt equally disruptive solutions to protecting your networks, data and applications. You can never take a one-and-done approach to security. It has to be ongoing in terms of updating, auditing and evolving the underlying processes and technologies.

So that’s all for now, keep watching the space for more information and updates regarding the same.