
Open Source: Good or Bad for Cloud Security?

By Special Guest Stephane Ibos, Co-founder and CEO at Maestrano | March 08, 2016

One fundamental difference between open source technologies and those based on standards or proprietary vendor code is that the latter two are available only to a chosen few: people with highly specialized skills who work for certain companies in certain industries. By comparison, open source software is out there for everyone to see and tinker with – including hackers.

Does that visibility make open source inherently less secure? Or are standards-based and proprietary software naïvely relying on security by obscurity? They’re questions worth pondering by cloud providers and their customers as open source becomes more common in IaaS, PaaS and other hosted services.

In many respects, open source offers greater security:

Community support. With open source, cloud providers and their customers don’t have to rely on a single vendor or a single standards body to identify emerging threats and issue the necessary patches. Hundreds or thousands of developers and other experts are constantly scrutinizing each piece of open source software. That community is better equipped to find and fix risks in a timely manner, before hackers can exploit them.

No vendor lock-in. When a vendor is acquired, budgets for certain products are sometimes cut. That means fewer resources to maintain the security of those products. Vendors also frequently retire products that their customers still rely on, forcing those customers to buy expensive custom support agreements to keep them secure. Open source avoids all of those problems because support isn’t riding on a single vendor.

Greater transparency. A vendor has total control over its software, including the ability to embed spyware and back doors. Even if the vendor is ethical, a rogue employee still could add those vulnerabilities without its knowledge. A vendor also could add them under government pressure, such as to facilitate anti-terrorism efforts. Regardless of whether back doors, spyware and similar features are added for good or bad reasons, they’re still vulnerabilities waiting to be exploited – and someone eventually will. With open source, it’s very difficult to sneak such features past an entire community of eyeballs.

Rapid response. A vendor or standards body often takes weeks or months to develop a patch, test it and then issue it. That’s a big window of opportunity for hackers. The open source community often can respond in a fraction of that time.

Many open source initiatives also have increased their focus on security. One example is OpenStack, which says "security is a fundamental goal of the OpenStack architecture and needs to be addressed at all layers of the stack."

Open source has a few caveats that affect security. For example, projects sometimes are suddenly abandoned as the community shifts its attention to the latest hot innovation. As that community empties out, there are fewer eyeballs left to look for vulnerabilities in that particular set of code.

For smaller enterprises and other organizations, open source may be challenging because they lack the IT resources necessary to keep up with the community’s security work. That undermines their ability to implement patches and upgrades as soon as they’re available.

However, that’s not the same as advising smaller organizations to avoid open source across the board. They can still benefit from its rapid innovation by confining their use of open source to hosted services, whose providers are large enough to participate in open source projects and quickly apply security upgrades.

A cloud solution’s security also depends on best practices such as access control, authentication and protecting the underlying infrastructure. That applies to open source, standards-based and proprietary solutions. Following those best practices adds more layers of safeguards to open source’s inherent security.


Edited by Maurice Nagle