Open-source software security

Last updated December 24, 2023

Open-source software security is the measure of assurance or guarantee in the freedom from danger and risk inherent to an open-source software system.

Implementation debate

Benefits

Proprietary software forces the user to accept the level of security that the software vendor is willing to deliver and to accept the rate that patches and updates are released.^[1]
It is assumed that any compiler that is used creates code that can be trusted, but it has been demonstrated by Ken Thompson that a compiler can be subverted using a compiler backdoor to create faulty executables that are unwittingly produced by a well-intentioned developer.^[2] With access to the source code for the compiler, the developer has at least the ability to discover if there is any mal-intention.
Kerckhoffs' principle is based on the idea that an enemy can steal a secure military system and not be able to compromise the information. His ideas were the basis for many modern security practices, and followed that security through obscurity is a bad practice.^[3]

Drawbacks

Simply making source code available does not guarantee review. An example of this occurring is when Marcus Ranum, an expert on security system design and implementation, released his first public firewall toolkit. At one time, there were over 2,000 sites using his toolkit, but only 10 people gave him any feedback or patches.^[4]
Having a large amount of eyes reviewing code can "lull a user into a false sense of security".^[5] Having many users look at source code does not guarantee that security flaws will be found and fixed.

Metrics and models

There are a variety of models and metrics to measure the security of a system. These are a few methods that can be used to measure the security of software systems.

Number of days between vulnerabilities

It is argued that a system is most vulnerable after a potential vulnerability is discovered, but before a patch is created. By measuring the number of days between the vulnerability and when the vulnerability is fixed, a basis can be determined on the security of the system. There are a few caveats to such an approach: not every vulnerability is equally bad, and fixing a lot of bugs quickly might not be better than only finding a few and taking a little bit longer to fix them, taking into account the operating system, or the effectiveness of the fix.^[2]

Poisson process

The Poisson process can be used to measure the rates at which different people find security flaws between open and closed source software. The process can be broken down by the number of volunteers N_v and paid reviewers N_p. The rates at which volunteers find a flaw is measured by λ_v and the rate that paid reviewers find a flaw is measured by λ_p. The expected time that a volunteer group is expected to find a flaw is 1/(N_v λ_v) and the expected time that a paid group is expected to find a flaw is 1/(N_p λ_p).^[2]

Morningstar model

By comparing a large variety of open source and closed source projects a star system could be used to analyze the security of the project similar to how Morningstar, Inc. rates mutual funds. With a large enough data set, statistics could be used to measure the overall effectiveness of one group over the other. An example of such as system is as follows:^[6]

1 Star: Many security vulnerabilities.
2 Stars: Reliability issues.
3 Stars: Follows best security practices.
4 Stars: Documented secure development process.
5 Stars: Passed independent security review.

Coverity scan

Coverity in collaboration with Stanford University has established a new baseline for open-source quality and security. The development is being completed through a contract with the Department of Homeland Security. They are utilizing innovations in automated defect detection to identify critical types of bugs found in software.^[7] The level of quality and security is measured in rungs. Rungs do not have a definitive meaning, and can change as Coverity releases new tools. Rungs are based on the progress of fixing issues found by the Coverity Analysis results and the degree of collaboration with Coverity.^[8] They start with Rung 0 and currently go up to Rung 2.

Rung 0

The project has been analyzed by Coverity's Scan infrastructure, but no representatives from the open-source software have come forward for the results.^[8]

Rung 1

At rung 1, there is collaboration between Coverity and the development team. The software is analyzed with a subset of the scanning features to prevent the development team from being overwhelmed.^[8]

Rung 2

There are 11 projects that have been analyzed and upgraded to the status of Rung 2 by reaching zero defects in the first year of the scan. These projects include: AMANDA, ntp, OpenPAM, OpenVPN, Overdose, Perl, PHP, Postfix, Python, Samba, and tcl.^[8]

Related Research Articles

A computer worm is a standalone malware computer program that replicates itself in order to spread to other computers. It often uses a computer network to spread itself, relying on security failures on the target computer to access it. It will use this machine as a host to scan and infect other computers. When these new worm-invaded computers are controlled, the worm will continue to scan and infect other computers using these computers as hosts, and this behaviour will continue. Computer worms use recursive methods to copy themselves without host programs and distribute themselves based on exploiting the advantages of exponential growth, thus controlling and infecting more and more computers in a short time. Worms almost always cause at least some harm to the network, even if only by consuming bandwidth, whereas viruses almost always corrupt or modify files on a targeted computer.

A software bug is an error, flaw or fault in the design, development, or operation of computer software that causes it to produce an incorrect or unexpected result, or to behave in unintended ways. The process of finding and correcting bugs is termed "debugging" and often uses formal techniques or tools to pinpoint bugs. Since the 1950s, some computer systems have been designed to detect or auto-correct various software errors during operations.

A vulnerability scanner is a computer program designed to assess computers, networks or applications for known weaknesses. These scanners are used to discover the weaknesses of a given system. They are utilized in the identification and detection of vulnerabilities arising from mis-configurations or flawed programming within a network-based asset such as a firewall, router, web server, application server, etc. Modern vulnerability scanners allow for both authenticated and unauthenticated scans. Modern scanners are typically available as SaaS ; provided over the internet and delivered as a web application. The modern vulnerability scanner often has the ability to customize vulnerability reports as well as the installed software, open ports, certificates and other host information that can be queried as part of its workflow.

A patch is a set of changes to a computer program or its supporting data designed to update, fix, or improve it. This includes fixing security vulnerabilities and other bugs, with such patches usually being called bugfixes or bug fixes. Patches are often written to improve the functionality, usability, or performance of a program. The majority of patches are provided by software vendors for operating system and application updates.

In computer security, hardening is usually the process of securing a system by reducing its surface of vulnerability, which is larger when a system performs more functions; in principle a single-function system is more secure than a multipurpose one. Reducing available ways of attack typically includes changing default passwords, the removal of unnecessary software, unnecessary usernames or logins, and the disabling or removal of unnecessary services.

Vulnerabilities are flaws in a computer system that weaken the overall security of the device/system. Vulnerabilities can be weaknesses in either the hardware itself, or the software that runs on the hardware. Vulnerabilities can be exploited by a threat actor, such as an attacker, to cross privilege boundaries within a computer system. To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness. In this frame, vulnerabilities are also known as the attack surface. Constructs in programming languages that are difficult to use properly can also manifest large numbers of vulnerabilities.

A penetration test, colloquially known as a pentest or ethical hacking, is an authorized simulated cyberattack on a computer system, performed to evaluate the security of the system; this is not to be confused with a vulnerability assessment. The test is performed to identify weaknesses, including the potential for unauthorized parties to gain access to the system's features and data, as well as strengths, enabling a full risk assessment to be completed.

In the context of software engineering, software quality refers to two related but distinct notions:

Application security includes all tasks that introduce a secure software development life cycle to development teams. Its final goal is to improve security practices and, through that, to find, fix and preferably prevent security issues within applications. It encompasses the whole application life cycle from requirements analysis, design, implementation, verification as well as maintenance.

Software assurance (SwA) is a critical process in software development that ensures the reliability, safety, and security of software products. It involves a variety of activities, including requirements analysis, design reviews, code inspections, testing, and formal verification. One crucial component of software assurance is secure coding practices, which follow industry-accepted standards and best practices, such as those outlined by the Software Engineering Institute (SEI) in their CERT Secure Coding Standards (SCS).

SAINT is computer software used for scanning computer networks for security vulnerabilities, and exploiting found vulnerabilities.

Symantec Endpoint Protection, developed by Broadcom Inc., is a security software suite that consists of anti-malware, intrusion prevention and firewall features for server and desktop computers. It has the largest market-share of any product for endpoint security.

Reverse engineering is a process or method through which one attempts to understand through deductive reasoning how a previously made device, process, system, or piece of software accomplishes a task with very little insight into exactly how it does so. Depending on the system under consideration and the technologies employed, the knowledge gained during reverse engineering can help with repurposing obsolete objects, doing security analysis, or learning how something works.

<span class="mw-page-title-main">CAST (company)</span>

CAST is a technology corporation headquartered in New York City and France, near Paris. It was founded in 1990 in Paris, France, by Vincent Delaroche.

A web application firewall (WAF) is a specific form of application firewall that filters, monitors, and blocks HTTP traffic to and from a web service. By inspecting HTTP traffic, it can prevent attacks exploiting a web application's known vulnerabilities, such as SQL injection, cross-site scripting (XSS), file inclusion, and improper system configuration. They also introduce a performance degradation and are easily bypassed by attackers so their deployment is not recommended.

<span class="mw-page-title-main">Shellshock (software bug)</span> Security bug in the Unix Bash shell discovered in 2014

Shellshock, also known as Bashdoor, is a family of security bugs in the Unix Bash shell, the first of which was disclosed on 24 September 2014. Shellshock could enable an attacker to cause Bash to execute arbitrary commands and gain unauthorized access to many Internet-facing services, such as web servers, that use Bash to process requests.

Spectre is one of the two original transient execution CPU vulnerabilities, which involve microarchitectural timing side-channel attacks. These affect modern microprocessors that perform branch prediction and other forms of speculation. On most processors, the speculative execution resulting from a branch misprediction may leave observable side effects that may reveal private data to attackers. For example, if the pattern of memory accesses performed by such speculative execution depends on private data, the resulting state of the data cache constitutes a side channel through which an attacker may be able to extract information about the private data using a timing attack.

Static application security testing (SAST) is used to secure software by reviewing the source code of the software to identify sources of vulnerabilities. Although the process of statically analyzing the source code has existed as long as computers have existed, the technique spread to security in the late 90s and the first public discussion of SQL injection in 1998 when Web applications integrated new technologies like JavaScript and Flash.

In computer science, a code property graph (CPG) is a computer program representation that captures syntactic structure, control flow, and data dependencies in a property graph. The concept was originally introduced to identify security vulnerabilities in C and C++ system code, but has since been employed to analyze web applications, cloud deployments, and smart contracts. Beyond vulnerability discovery, code property graphs find applications in code clone detection, attack-surface detection, exploit generation, measuring code testability, and backporting of security patches.

It is a common software engineering practice to develop software by using different components. Using software components segments the complexity of larger elements into smaller pieces of code and increases flexibility by enabling easier reuse of components to address new requirements. The practice has widely expanded since the late 1990s with the popularization of open-source software (OSS) to help speed up the software development process and reduce time to market.

References

↑ Cowan, C. (January 2003). Software Security for Open-Source Systems. IEEE Security & Privacy, 38–45. Retrieved 5 May 2008, from IEEE Computer Society Digital Library.
1 2 3 Witten, B., Landwehr, C., & Caloyannides, M. (2001, September/October). Does Open Source Improve System Security? IEEE Software, 57–61. Retrieved 5 May 2008, from Computer Database.
↑ Hoepman, J.-H., & Jacobs, B. (2007). Increased Security Through Open Source. Communications of the ACM , 50 (1), 79–83. Retrieved 5 May 2008, from ACM Digital Library.
↑ Lawton, G. (March 2002). Open Source Security: Opportunity or Oxymoron? Computer , 18–21. Retrieved 5 May 2008, from IEEE Computer Society Digital Library.
↑ Hansen, M., Köhntopp, K., & Pfitzmann, A. (2002). The Open Source approach – opportunities and limitations with respect to security and privacy. Computers & Security , 21 (5), 461–471. Retrieved 5 May 2008, from Computer Database.
↑ Peterson, G. (6 May 2008). Stalking the right software security metric. Retrieved 18 May 2008, from Raindrop.
↑ Coverity. (n.d.). Accelerating Open Source Quality Archived 5 March 2016 at the Wayback Machine . Retrieved 18 May 2008, from Scan.Coverity.com
1 2 3 4 Coverity. (n.d.). Scan Ladder FAQ Archived 6 March 2016 at the Wayback Machine . Retrieved 18 May 2008, from Scan.Coverity.com.

External links

Bruce Schneier: "Open Source and Security", Crypto-Gram Newsletter, 15 September 1999
Messmer, Ellen. (2013). "Security of open-source software again being scrutinized". Network World , 30(5), 12-12,14. (Article at CIO magazine )
Census Project / Core Infrastructure Initiative by Linux Foundation

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] Cowan, C. (January 2003). Software Security for Open-Source Systems. IEEE Security & Privacy, 38–45. Retrieved 5 May 2008, from IEEE Computer Society Digital Library.

[Witten-2] 1 2 3 Witten, B., Landwehr, C., & Caloyannides, M. (2001, September/October). Does Open Source Improve System Security? IEEE Software, 57–61. Retrieved 5 May 2008, from Computer Database.

[3] Hoepman, J.-H., & Jacobs, B. (2007). Increased Security Through Open Source. Communications of the ACM , 50 (1), 79–83. Retrieved 5 May 2008, from ACM Digital Library.

[4] Lawton, G. (March 2002). Open Source Security: Opportunity or Oxymoron? Computer , 18–21. Retrieved 5 May 2008, from IEEE Computer Society Digital Library.

[5] Hansen, M., Köhntopp, K., & Pfitzmann, A. (2002). The Open Source approach – opportunities and limitations with respect to security and privacy. Computers & Security , 21 (5), 461–471. Retrieved 5 May 2008, from Computer Database.

[6] Peterson, G. (6 May 2008). Stalking the right software security metric. Retrieved 18 May 2008, from Raindrop.

[CoverityIndex-7] Coverity. (n.d.). Accelerating Open Source Quality Archived 5 March 2016 at the Wayback Machine . Retrieved 18 May 2008, from Scan.Coverity.com

[CoverityLadder-8] 1 2 3 4 Coverity. (n.d.). Scan Ladder FAQ Archived 6 March 2016 at the Wayback Machine . Retrieved 18 May 2008, from Scan.Coverity.com.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]