The views expressed by contributors are their own and not the view of The Hill

Pentagon’s move toward open source software isn’t going to enhance security

by Guy Podjarny, opinion contributor - 11/26/17 3:40 PM ET

The expected 2018 Pentagon and Department of Defense (DoD) budget includes a new pilot program which requires at least 20 percent of custom developed code to be released as open source software (OSS). The OSS program holds many advantages, notably reducing costs and increasing code reuse, but one of its claimed benefits — improving security — is not quite as simple as it seems.

The perception that open source software is more secure than its closed source cousin is best explained with Linus’s Law. The law, named after the creator of the open source Linux operating system, states that “given enough eyeballs, all bugs are shallow.” Since the code of open source software is publicly available, the entire community can inspect it, uncovering all flaws and security holes. This statement may have been correct when it was coined in 1999, when OSS was still in its infancy, but it was rendered invalid as the usage of open source skyrocketed.

The volume of OSS usage today is mind boggling. GitHub, the platform hosting most OSS projects, hosts roughly 70 million open source projects. There are nearly 600,000 open source components on the repository, which are downloaded a combined 14 billion times a month. And these numbers are growing by double digit percentages each year, a pace the community can barely keep up with, let alone allow the community to tightly scrutinize each project.

{mosads}Even the most popular open source projects, which get a disproportionate amount of usage and attention, can have severe security flaws. Shellshock, a severe vulnerability in the popular open source bash utility, existed in the project since 1989, but was only disclosed in 2014. Heartbleed, a flaw in a popular encryption library which exposed the secrets of roughly 25 percent of “https” (supposedly secure) websites, existed for two years before being discovered. And the latest Equifax breach was caused by a vulnerability in a popular open source Apache Struts library, which took four years to unveil.

It’s important to clarify open source is also not less secure than commercial software. Vulnerabilities are frequently discovered in commercial, closed-source software, and attackers reverse engineer it regularly. However, relying on the open source community to unveil vulnerabilities is not a path to a secure future.

If the Pentagon embraces open source, which is a great move forward for transparency and community contribution, it must keep its (presumably) current security scrutiny, including any security tools, penetration testing cadence and security design reviews. In addition, its open source repositories should include clear guidance to those who wish to report a discovered vulnerability, and have an expedient process to handle such requests. Combined, these two paths can indeed lead to a more robust application.

We must also remember that there is more to keeping our data safe than the security of its code. A security company named UpGuard recently discovered a large repository of social media information, collected and stored by the Pentagon for nearly a decade. It appears the data was all public information, making the leak a bit less severe. The researchers go on to speculate it was used to spot suspected radicals, and perhaps perform social engineering — not unlike the alleged Russian interference in the last U.S. election.

The data was stored in several cloud-based storage servers, but the contractor who set it up failed to properly setup access controls. As a result, anyone who properly guessed the file location could download it — as UpGuard did. This type of failing has nothing to do with whether the source code is open or closed. Operating software securely requires its own investment, and the DoD would need to keep improving this practice to prevent future data leaks — regardless of whether the code is public or private.

I applaud the Pentagon for embracing open source. I am a firm believer that transparency makes organizations better, and for a security-conscious entity like the DoD to embrace it is laudable. However, embracing open source will not improve — nor worsen — the Pentagon’s security posture. It must adapt, but not reduce, its defenses to this new situation, to help keep the nation’s data safe and secure.