To some, the terms 'open source' and 'security' may not seem to go hand in hand. Because its code is transparent and accessible to anyone, as opposed to 'closed', proprietary systems, it is no wonder that some still hold the misperception that open source is the more vulnerable option. In an open source environment, companies and communities of all kinds can read and contribute to the code, which often gives the impression that because it is open, it must be fully exposed to risks and malware.
But today, open source is pervasive. The world as we know it is changing: technology is evolving faster today than at any other point in human history, and open source is the reason for that. It is the driving force behind much of the technology innovation we see today. Today's enterprises simply cannot rely on a single proprietary code base to manage the growing number of applications that power their critical business transactions.
With adoption of this software rising, there has never been a better time to separate fact from misconception about open source security.
Time to adopt another mind-set towards open source
The advantage of having hundreds or even thousands of people looking at the software at once is that vulnerabilities are far more likely to be detected much more quickly. Once a vulnerability is found, it is made public immediately, which gives users the opportunity to fix it within hours, if not minutes. Transparency becomes a strength: it allows errors and faults to be spotted easily and makes it harder to hide anything malicious.
In contrast, it is more difficult to detect and trace vulnerabilities in proprietary software, where security flaws that nobody knows about can persist until they reach a critical level. Having a community of developers, engineers and cyber security professionals participating in and contributing to open source software actually makes it work better, which is why it has become an instrumental tool in the development of mobile applications, browsers and servers.
There is also a governance process around updates and patches, so that if attackers try to slip in malicious code, the maintainers who control that process can identify it, prevent it from being deployed and trace where the code came from. The open development model allows entire industries to agree on standards and encourages their brightest developers to continually test and improve the technology. If anything, transparency should not be seen as a weakness but as a driving force that counters threats.
How companies today can safeguard their data
The greatest threat actually comes not from attackers but from within the organization itself. This is not just a matter of poor maintenance; it is also the inability to patch in time and in an efficient manner.
Think of your organization's security as that of a home: you can install the safest locks, but a careless window left open gives intruders an opening. We have seen this occur in fast-growing companies that are expanding rapidly with the latest IT systems and infrastructure. As complexity grows along with the adoption of IT systems, it becomes difficult to manually patch and update each individual machine consistently.
It is important to implement a standardized, security-first environment with automation in mind. Companies should keep security as one of their top priorities when designing their software architecture or back-end infrastructure. They should also be aware of current DDoS threats, plan ahead for data encryption, and ensure that all systems are managed and patched regularly.
There are also tools that provide system management across various infrastructures, both on premises and in the cloud. These tools not only help developers, engineers and cyber security professionals monitor, manage and patch every device in the organization, but also ensure consistent roll-out and coverage of patches so that vulnerabilities cannot be exploited. It is also important to have a plan for lifecycle management of applications and systems that are becoming outdated or obsolete. Open source systems can also offer visualization with built-in basic security measures to limit attacks.
Companies need to ensure security throughout their infrastructure. A recommended three-pronged approach consists of ensuring that each device and piece of software is sufficiently protected (and patched); securing communications so that data in transit between devices and systems is protected and encrypted; and ensuring that data is encrypted whether it is in use or at rest. Together, this single approach provides security at multiple layers and levels. Cyberattacks succeed on systems that have vulnerabilities to exploit; by proactively managing these systems and securing them to industry best practices, companies can negate the threat of cyberattacks.
Security is a constant battle, and companies cannot be complacent with out-of-the-box solutions or wait for vendors of proprietary software to update them. Fundamentally, all software has bugs, and some bugs introduce security vulnerabilities. If you are a product vendor, you need a security response team to handle tracking and fixing those security flaws. Organizations can likewise look for partners and infrastructure providers with strong technical capabilities to bolster their own defences.
Company culture as the backbone of cybercrime prevention
This may come as a surprise, but the secret ingredient in combating cyber-attacks is not merely installing the latest software updates or having the most advanced tool in place. Security is more than a suite of products: it is not something that can simply be bought.
It is about process and culture. It is about having a mind-set that prioritizes consuming inherently secure technologies throughout the stack, especially as organizations roll out mission-critical applications at scale in the cloud.
Culture plays a huge role in security as well; it is a truism that 'people' are the weakest point of security in an organization. Trojans, phishing emails and social engineering will continue to be the bane of organizations, especially as attackers become more practiced at manipulating people.
The best way to protect the organization is to reinforce the culture and raise awareness; combining better user education with tools and processes can help manage risk from all directions. In today's digital era, no one can solve IT security issues alone. Connecting with communities and solving problems together is the future of technology.
Damien Wong is Vice President & General Manager, ASEAN at Red Hat