So far in our series, we’ve looked at the open source vulnerability databases you can use to find out whether your components carry known vulnerabilities, and at the steps for effective open source vulnerability management once you discover that one of them is affected. However, what if there were fewer vulnerabilities in the first place?
After all, we’ve all been there. You’re looking for an open source component that performs a certain function. You find several libraries that do the trick, but how do you judge their quality, or whether they carry any vulnerabilities?
You could look at the number of commits, the number of contributors, how many bugs have been reported and fixed, and so on, but that’s about it. Wouldn’t it be great if there were a benchmark for the maintenance and security of open source projects? Defining maintenance and security standards, and scoring projects against them, could be just the answer that helps developers understand the quality of the components they are adding to their software.
In this week’s post, we’re going to be looking further into why open source projects and their users need such standards, and what tech giants and the community at large can and are doing to ensure open source security is given the focus and resources it deserves.
The Open Source Wild West
As it stands, the open source community is a bit like the wild west. Every project maintainer sets their own rules: how many contributors are allowed, what peer review a change goes through before it is merged, how often commits land, which security practices are followed, and so on. Everyone does what they think is best for their project. This lack of open source security and maintenance standards has a negative effect both on the security of the projects themselves and on their users.
Firstly, with no objective standards to measure against, open source maintainers have no standardized way to know whether their maintenance and security processes are below par and, consequently, whether they need to be improved.
As for open source users, they have no way to tell whether the components they integrate into their products come from well-maintained projects. Ultimately, this lack of open source security standards often means that projects, and their users, are hit by avoidable security vulnerabilities. We only have to look at Heartbleed to understand the impact this lack of standards can have on the community.
The bug was a missing bounds check in OpenSSL’s TLS heartbeat handler, confined to around ten lines of source code, and it is the kind of defect a focused security audit should have caught. However, as no security standards were in place, it took over two years to be detected, exposing countless users to unnecessary risk. Consequently, it became clear to many that the security standards of open source software needed to improve.
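To make the Heartbleed defect concrete, here is an added, simplified model of the bug and its fix. This is illustration code written for this post, not OpenSSL’s own source: the record layout (a 1-byte type, a 2-byte big-endian payload length, then the payload) mirrors the TLS heartbeat extension, but the `arena` buffer, `build_arena`, and the two handler names are assumptions made for the example. The "process memory" is a fixed array so the over-read stays inside it and the demonstration runs deterministically.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST     1     /* heartbeat request type byte */
#define HB_HEADER_LEN  3     /* type (1) + payload length (2) */
#define ARENA_SIZE     64    /* hypothetical slice of process memory */
#define RESPONSE_MAX   128

/* Hypothetical process memory: the received record sits at the start,
 * and unrelated data (here, a secret) lies immediately after it. */
static uint8_t arena[ARENA_SIZE];

/* Build the arena: a heartbeat request whose header claims `declared_len`
 * payload bytes while only `actual_len` bytes are really present, followed
 * by a secret the peer must never see. Returns the true record length.
 * Caller keeps HB_HEADER_LEN + actual_len + strlen(secret) + 1 <= ARENA_SIZE. */
size_t build_arena(uint16_t declared_len, const char *payload, size_t actual_len,
                   const char *secret) {
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (uint8_t)(declared_len >> 8);
    arena[2] = (uint8_t)(declared_len & 0xff);
    memcpy(arena + HB_HEADER_LEN, payload, actual_len);
    strcpy((char *)arena + HB_HEADER_LEN + actual_len, secret);
    return HB_HEADER_LEN + actual_len;
}

/* Vulnerable handler: trusts the peer-supplied length field and echoes that
 * many bytes back, never checking it against the record actually received.
 * Returns the number of bytes written to `out`. */
size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    (void)rec_len;  /* the real record length is never consulted: that is the bug */
    uint16_t declared = (uint16_t)((rec[1] << 8) | rec[2]);
    memcpy(out, rec + HB_HEADER_LEN, declared);  /* reads past the payload */
    return declared;
}

/* Hardened handler: the declared payload must fit inside the bytes we
 * actually received; otherwise the record is silently discarded (returns 0). */
size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    if (rec_len < HB_HEADER_LEN) return 0;
    uint16_t declared = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)HB_HEADER_LEN + declared > rec_len) return 0;
    memcpy(out, rec + HB_HEADER_LEN, declared);
    return declared;
}

/* Does the echoed response contain `secret`? Scans manually because the
 * response may contain NUL bytes, which would stop strstr early. */
int response_leaks(const uint8_t *out, size_t n, const char *secret) {
    size_t slen = strlen(secret);
    for (size_t i = 0; i + slen <= n; i++)
        if (memcmp(out + i, secret, slen) == 0) return 1;
    return 0;
}

int main(void) {
    uint8_t out[RESPONSE_MAX];
    /* Constructed input: header claims 40 bytes, only "hi" (2 bytes) is sent. */
    size_t rec_len = build_arena(40, "hi", 2, "SECRET-KEY");

    size_t n = heartbeat_vulnerable(arena, rec_len, out);
    printf("vulnerable: echoed %zu bytes, secret leaked: %s\n",
           n, response_leaks(out, n, "SECRET-KEY") ? "yes" : "no");

    memset(out, 0, sizeof out);
    n = heartbeat_fixed(arena, rec_len, out);
    printf("fixed:      echoed %zu bytes, secret leaked: %s\n",
           n, response_leaks(out, sizeof out, "SECRET-KEY") ? "yes" : "no");
    return 0;
}
```

The whole fix is the single comparison between the declared length and the received record length; the model shows why a review checklist item as simple as "every length read from the wire is validated against the enclosing buffer" would have caught it.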
The CII (Core Infrastructure Initiative)
In the wake of Heartbleed, Jim Zemlin (Executive Director of the Linux Foundation) had an idea. What if there were an initiative to ensure that critical open source projects were better maintained, by providing the resources needed to improve their security processes and standards? After much persuasion, he got tech giants such as Google, Microsoft and Facebook to sign on to (and fund) the idea, and the CII was born.
However, the CII soon realized that in order to improve open source security, the entire open source ecosystem first needed to be educated about more secure coding and usage practices. This is where the CII’s ‘Best Practices Badge’ comes in.
The badge is a way for an open source project to demonstrate its commitment to open source security. Would-be badge holders fill out a questionnaire covering their development, testing and security practices, and on successful completion the project is issued a badge to show would-be contributors and consumers. Note that the badge is self-certified: it records what a project says about its own practices, so treat it as a useful signal rather than an independent audit.
However, the CII isn’t the only initiative out there supported by industry heavy-hitters who aim to improve open source security software standards.
Mozilla Open Source Support (MOSS)
Mozilla isn’t backward in coming forward about its reliance on the open source community. In fact, after Heartbleed it too put its hand in its pocket and offered $1 million, via its MOSS program, to support the community on which it relies.
More specifically on the security side, the program has a Secure Open Source track that funds security audits of open source projects and the remediation work that follows.
OWASP Global Projects
Finally, we have OWASP Global Projects. Unlike the two initiatives above, OWASP doesn’t fund open source projects to improve their security. Rather, the community can choose to donate to any of a long list of running projects, or set up their own.
The reason why I’m a big fan of OWASP projects is that they’re a great way for open source contributors to test and improve the security of their project, with the professional help offered by the OWASP project leader, as well as the OWASP community.
More is Needed
However, for open source security standards to truly advance, I believe that we need a more rigorous, uniform and compulsory way to judge an open source project’s level of security. But, due to the very nature of the open source bazaar, this may be difficult (or virtually impossible) to enforce.
Yet, whatever the answer, the entire open source community, rather than just a handful of initiatives, needs to play its part in raising the caliber of open source security and maintenance.
A Not So Wild West?
As we discussed at the beginning of this post, when it comes to security standards for open source projects, the landscape is still a bit of a wild west. Yet things are getting better.
With the help of such initiatives as CII, MOSS and OWASP, the open source community is continuing its sterling work of vulnerability detection and remediation, and security standards are being raised.
Additionally, commercial organizations are finally investing more time and resources into improving the security of the open source they depend on. So, who knows: one day an ‘Open Source Sheriff’ may come to town to bring a little more order to the open source security wild west.
If you have any suggestions/ideas as to what this ‘Open Source Security Sheriff’ would look like, I’d love to hear them!