Open-Source Security in 2020: Myths and Facts -- Security Today

Open-Source Security in 2020: Myths and Facts

Open-source software isn’t a completely chaotic and breached wasteland of vulnerabilities. It’s a global effort to make the development lifecycle faster.

By Gilad David Maayan
Feb 10, 2020

Open-source components are publicly-made codebases. Some are created and maintained by experienced developers and companies, while others are created by beginners. Open-source components are often used in enterprise software, for the purpose of reducing development time. However, the security aspect of these components isn’t always clear.

In this article, you’ll learn what software security is, including key aspects that can impact security. You’ll also learn four open source security myths and facts.

What is Open-Source Software?

Open-source software is software with publicly accessible code. It is generally freely available for use and developed and maintained through community collaboration. The most commonly known example of open-source software is Linux, but many applications and systems use open-source components.

The difference between open-source software and proprietary software is reflected in its licensing, liability, and cost.

Licensing—There are over 1,400 open-source licenses that software can fall under with a variety of stipulations restricting or permitting use. Many of these licenses specify that software can only be included in other open-source or non-profit projects.
Liability—Open-source software is used at your own risk. Creators and maintainers are not liable for misconfigurations and are not held to service level agreements. Likewise, support can be dropped at any time.
Cost—Open-source software is typically free to use, provided you do not need support or additional features. However, these cost savings are partially offset by the time and effort it takes to maintain open-source components.

Open-Source Security Myths and Facts

Securely and effectively implementing open-source software requires differentiating between some common myths and facts.

Myth: Open-Source is Not Secure

Although it is now less of a concern for many developers and development teams, many non-technical staff still worry about using open-source. The primary concern is that a lack of official management in open-source leads to security issues. Another concern is based on the idea that developers might intentionally include vulnerabilities to be exploited later.

Fact: The security of open-source depends on how it is used and managed. It is not inherently less secure than proprietary software.

Frequently, those worried about open-source security simply do not have the tools to properly detect vulnerabilities. Instead, they are left with poorly managed code reviews to ensure security. Others are concerned that the lack of official support creates too great of a security burden for organizations.

One valid concern about open-source security is the public nature of vulnerabilities. When vulnerabilities are discovered in open-source software, these flaws are made public and can be easily exploited by hackers. However, this risk can be negated with monitoring tools that alert you when vulnerabilities or patches are made public.

Myth: Community Oversight is a Double-Edged Sword

The community nature of open-source software creates opportunities for hackers to slip in malicious code that can be exploited at will. Since many open-source components are widely used, many attack opportunities can be created by a single malicious vulnerability. Additionally, since vulnerabilities are made public, you have no way of protecting yourself against hackers.

Fact: Open-source contributions are reviewed by project maintainers and community members before inclusion. Vulnerabilities are made public to both you and hackers.

It is unlikely that open-source would intentionally include vulnerabilities. For malicious code to be included, the community and maintainer would have to be part of the plot to include it. Additionally, while the public nature of vulnerabilities does put you and hackers on even ground it doesn’t necessarily increase your risk. Vulnerabilities are typically made public after a patch has been developed. You can secure your systems when or sometimes before the vulnerability is announced.

Myth: Externally Written Code is Riskier

Externally written code isn’t subject to the same standards and policies that internally written code is. Since it is written by multiple, unmanaged parties, code is likely to be sloppy and poor quality in comparison.

Fact: There is no universal standard that developers follow and the quality of a product will vary no matter who makes it.

If there are certain standards you want to require for your software, you can employ these standards when choosing which open-source components to include. Some projects are haphazardly written and maintained by amateurs. However, some projects are developed and maintained by developers that might have more experience than your own, including software by Linux or Kubernetes.

Since open-source projects are transparent, nothing is stopping you from verifying the quality and standards of a project. You also have the option of modifying an open-source project to meet your standards, effectively moving code from external to internal development.

Myth: Open-Source is Difficult to Manage

It is impossible to track open-source components once included in your software and systems. Maintenance is difficult and time-consuming, and you have no control over licensing.

Fact: Open-source components can be difficult to track and manage if you do it in a disordered way. This is true for any components you include.

If you set policies and guidelines for the inclusion of open-source from the start, management is relatively straightforward. You can create policies explicitly stating which licenses or types of open-source are acceptable to include. You can also specify what needs to happen when components are included. There is no reason why open-source policies should be treated any differently than any other standards you hold your teams to.

Taking advantage of software composition analysis tools can also make the process of tracking and maintaining components easier. These tools create an inventory of your open-source components, including versions and where components are used. SCA tools then monitor vulnerability data sources and alert you when vulnerabilities or patches are made public.

Open-source software isn’t a completely chaotic and breached wasteland of vulnerabilities. Rather, it’s a global effort to make the development lifecycle faster. That doesn’t mean you need to give up on security. You can use vulnerability scanners to keep track of your components and ensure your codebase is kept secure at all times. You can also shift security to the left, and introduce security tests throughout the entire development lifecycle.

Featured

Verizon’s 2025 Data Breach Investigations Report Notes Alarming Cyberattack Surge Through Third Parties

Verizon Business recently released its 2025 Data Breach Investigations Report (DBIR), which reveals a significant increase in cyberattacks. The report found that third-party involvement in breaches has doubled to 30%, and exploitation of vulnerabilities has surged by 34%, creating a concerning threat landscape for businesses globally. Read Now
- Cybersecurity
Net2 Access Control Increases Reliability at Residential Complex

Encore Atlantic Shores is a residential complex of 240 luxurious townhomes for ages 55 and over in Eastport, New York. Completed in 2011, the site boasts an 11,800 square foot clubhouse, with amenities such as a fitness center, heated indoor pool, whirlpool spa, multi-purpose ballroom, cardroom and clubroom with billiards, tennis courts and an outdoor putting green. Read Now
- Access Control
Security Today Announces The Govies Government Security Award Winners for 2025

Security Today is pleased to announce the 2025 winners in The Govies Government Security Awards. The awards honor outstanding government security products in a variety of categories. Read Now
- Government
Survey: 60 Percent of Organizations Using AI in IT Infrastructure

Netwrix, a cybersecurity provider focused on data and identity threats, today announced the release of its annual global 2025 Cybersecurity Trends Report based on a global survey of 2,150 IT and security professionals from 121 countries. It reveals that 60% of organizations are already using artificial intelligence (AI) in their IT infrastructure and 30% are considering implementing AI. Read Now
- Cybersecurity
New Research Reveals Global Video Surveillance Industry Perspectives on AI

Axis Communications, the global industry leader in video surveillance, has released its latest research report, ‘The State of AI in Video Surveillance,’ which explores global industry perspectives on the use of AI in the security industry and beyond. The report reveals current attitudes on AI technologies thanks to in-depth interviews with AI experts from Axis’ global network and a comprehensive survey of more than 5,800 respondents, including distributors, channel partners, and end customers across 68 countries. The resulting insights cover AI integration and the opportunities and challenges that exist with regard to security, safety, business intelligence, and operational efficiency. Read Now
- Artificial Intelligence

Security Today eNews

Sign up today for essential industry news and product information that can help you stay afloat in the fast-paced world of security.

Email Address*Country*

Please type the letters/numbers you see above.

Webinars

Whitepapers

New Products

Luma x20

Snap One has announced its popular Luma x20 family of surveillance products now offers even greater security and privacy for home and business owners across the globe by giving them full control over integrators’ system access to view live and recorded video. According to Snap One Product Manager Derek Webb, the new “customer handoff” feature provides enhanced user control after initial installation, allowing the owners to have total privacy while also making it easy to reinstate integrator access when maintenance or assistance is required. This new feature is now available to all Luma x20 users globally. “The Luma x20 family of surveillance solutions provides excellent image and audio capture, and with the new customer handoff feature, it now offers absolute privacy for camera feeds and recordings,” Webb said. “With notifications and integrator access controlled through the powerful OvrC remote system management platform, it’s easy for integrators to give their clients full control of their footage and then to get temporary access from the client for any troubleshooting needs.”
ResponderLink

Shooter Detection Systems (SDS), an Alarm.com company and a global leader in gunshot detection solutions, has introduced ResponderLink, a groundbreaking new 911 notification service for gunshot events. ResponderLink completes the circle from detection to 911 notification to first responder awareness, giving law enforcement enhanced situational intelligence they urgently need to save lives. Integrating SDS’s proven gunshot detection system with Noonlight’s SendPolice platform, ResponderLink is the first solution to automatically deliver real-time gunshot detection data to 911 call centers and first responders. When shots are detected, the 911 dispatching center, also known as the Public Safety Answering Point or PSAP, is contacted based on the gunfire location, enabling faster initiation of life-saving emergency protocols.
A8V MIND

Hexagon’s Geosystems presents a portable version of its Accur8vision detection system. A rugged all-in-one solution, the A8V MIND (Mobile Intrusion Detection) is designed to provide flexible protection of critical outdoor infrastructure and objects. Hexagon’s Accur8vision is a volumetric detection system that employs LiDAR technology to safeguard entire areas. Whenever it detects movement in a specified zone, it automatically differentiates a threat from a nonthreat, and immediately notifies security staff if necessary. Person detection is carried out within a radius of 80 meters from this device. Connected remotely via a portable computer device, it enables remote surveillance and does not depend on security staff patrolling the area.