Why security of open source is still a talking point


When it comes to open source, it would appear security is both a benefit and a barrier to adoption. Here, Mike Bursell, chief security architect at Red Hat, unpicks these polarising opinions.

In a recent survey of open source software by enterprises, 29% of those polled identified “better security” as a key benefit for choosing open source. This came in third, behind only “lower total cost of ownership” (30% of respondents) and “higher quality software” (33%).

Move along, nothing to see here, then: we knew that open source software had already won the hearts and minds of the enterprise, and given the importance of security to businesses and organisations across geographies and market sectors, this should come as no surprise at all.

Just to be clear: this is not 29% of respondents saying that they think that the security of open source software is better than that of proprietary software, but 29% saying that better security is a key benefit of open source.

What is a surprise, however, is what enterprise respondents chose as their “top barrier” to using enterprise open source: security. Yes, you read that right: security is both one of the top benefits to choosing open source and one of the top barriers to entry for enterprises (38% of respondents).

Does this mean that enterprises think that open source security is inadequate? It seems not: the answer to the question about benefit clearly points in the other direction. It appears that the underlying reason is more nuanced than this, and that is good news for enterprise open source.

We know that there is ongoing concern within enterprises about business risk, and how security can help mitigate it. Boards and their members – CISOs, CFOs and the rest – are becoming more aware of the need to assess the risk associated with their supply chain, and this is particularly relevant to software.

When you have an “old-style”, proprietary vendor of software, it’s easy to point at what looks like a single entity, and say “well, we’re happy that they have a good reputation in the market, and as long as we ask them some questions about the development practices they follow, we can be sure that the risk is low.”

This is a false view of the world: it seems to assume that vendors of proprietary software are self-contained, and have no further dependencies, which is unlikely to be the case, whether due to platform, toolchain or even open source dependencies that are not visible to the final consumer of the software.

This does not even consider, of course, the question of the quality of the implementation itself – an area where it is clear (from the answer at the start of this piece) that open source is considered superior.

What may be the problem is that those who are looking at the risks associated with software supply chains see the ability of anybody to contribute to open source software, and assume that it is this “raw product” that is being consumed by their enterprise. When organisations decide to take open source projects and use them directly from source, this may be a valid concern.

There is a place for this approach, and for businesses with sufficient resources and expertise in-house to manage and support such a model, there are opportunities to be directly involved in the community, which can provide significant benefit. The risks, of course, need to be carefully considered, and managed internally as part of the decision to embrace this practice.

We are, however, explicitly discussing enterprise open source software here, where what is being consumed is not open source taken directly from project repositories on the Internet.

The survey addressed specifically “enterprise open source”, which is still open source, but which has the added benefits that you would expect from any enterprise software.

These benefits include support and service level agreements; documentation; a predictable – and long – lifecycle; and other enterprise features (such as integration with other products, high availability or resilience options). The vendor may also have certified the product against specific standards, may provide training and integration services and other benefits.

In short, when you decide to consume enterprise open source, you are consuming a product, and not a project.

None of the benefits above are specifically related to security – though they all help reduce the risk to an organisation of adopting an open source project. The key security-specific benefit to enterprise open source software is that the vendor providing and supporting the product is standing behind its quality and security.

The vendor is providing a product to operate in an enterprise environment, and it is in both the vendor’s and the customer’s best interest that it should do so in as secure and resilient a manner as possible.

The vendor can be expected to provide and support patches for important security issues in a timely manner, and, unlike a vendor of proprietary software, can leverage the rest of the community to improve and address security issues in the product.

We should not fall into the trap of thinking that open source software is automatically more secure than proprietary software either, as the expertise to address security is not common.

But the involvement of enterprise software vendors in open source projects means that they and the rest of the community both benefit from a much wider pool of security talent than proprietary vendors can manage on their own.

This is why enterprise open source software security was rightly identified by respondents as a key benefit. It may take a while for business leaders to realise it, but enterprise open source is a great way of addressing the risks that affect them, and security should not be a barrier but a key driver for enterprise software adoption.