Open source may be the most viable option for most companies today, but it comes with its own set of problems.
Many people support the use of open source software (OSS). After all, why keep writing code to solve problems that others have already solved? Why not share the work and improve the existing open source solutions progressively and iteratively? These egalitarian values, however fundamental they may be to civilization in general, let alone to software, nonetheless carry conflicts that have troubled collective effort for millennia.
The problem with open source software security is that just because anyone can view the source code doesn’t mean anyone will. There are widely used open source projects that are maintained by only a handful of engineers, and those engineers cannot give their time and effort entirely for free, since they also have bills to pay.
Even larger open source projects are affected. As an illustration, the Linux kernel project consists of more than 30 million lines of code, contains hundreds of flaws that need to be resolved, and has close to 2000 active developers. That works out to more than 15,000 lines of code per active developer.
According to recent research from the Linux Foundation, an application has on average 5.1 significant vulnerabilities that are still open, and 41% of enterprises lack confidence in the security of their open source software. To make matters worse, only 49% of businesses have an open source security policy.
Even when a security flaw in open source software is known, there is no guarantee that it will be fixed. The survey revealed that it presently takes 97.8 days on average to repair a vulnerability, leaving businesses that use the affected software exposed to attack for several months. This is the sometimes overlooked side of open source software security: just as the good guys can look for faults and vulnerabilities in the code in order to repair them, the bad guys can look for the same bugs in order to exploit them.
Relying solely on a volunteer community to find vulnerabilities, report them, and fix them is a long shot. Paying someone to examine the security of your open source solutions can help close this gap while you continue to benefit from open source’s broader advantages.
OSS updates and patches must be applied to keep systems secure, but this requirement brings its own difficulties. If your solution depends on a specific software version, updating your mission-critical software could result in lost functionality and/or unplanned downtime. When a situation is business-critical, it may be more sensible to hire a specialist to backport the patch and maintain that version for longer than the wider community is willing to.
The open source community frequently uses the phrase “It’s open source, go change it!”, and it emphasises a crucial point: it is unreasonable and unsustainable to expect good security for nothing while others invest their time, effort, or money in the project.
The options are either to contribute to open source as it was intended, improving the code and publishing it for others, or to hire professionals to manage the OSS code and debug it as necessary. What the industry cannot afford is to contribute nothing at all.