New Open Source Enterprise Security Study

A study by The Linux Foundation, carried out in collaboration with the software security firm Snyk, has made headlines in related and not-so-related media alike. Its subject is the open source development model and its impact not only on software security itself, but on how that security is perceived and interpreted.

As with all studies of this kind, the information is based on a series of interviews with industry professionals, in this case 550 developers from companies of various sizes. They were asked two things: what security policies their companies have implemented for the open source software they use, and what their own perception of open source security is.

Everything is a little more complicated than it seems at first glance: fewer than half of the participants (49%) work in companies that have a security policy covering the open source software they develop or use, and among companies without such a policy, 30% do not even have a person responsible for this area. But isn't open source supposed to be secure? What is there to worry about?

The perception factor has always been very relevant in the field of open source because of an inherent characteristic of the model known as "Linus' law", as formulated by Eric S. Raymond, co-founder of the Open Source Initiative (OSI) and author of the classic book "The Cathedral and the Bazaar": given enough eyeballs, all bugs are shallow. Of course, this "law" only works if someone is actually looking, as ZDNet reminds us.

There is also that other "law" of Linus, less commonly talked about, which says that a bug is a bug, whether it affects security or something else. It applies just the same here because, after all, most of the eyes on open source projects are not usually looking for security flaws.

Where does perception show up in The Linux Foundation and Snyk research? A substantial share of respondents (41%) do not trust open source when it comes to security, while a larger percentage take the radically opposite position, stating that the open source they use is very or extremely secure. What is each group basing its position on?

Other data provided by research by The Linux Foundation and Snyk.

The truth is that the study does not make this clear, although such conflicting positions give food for thought. These are, after all, professionals who understand in theory how open source software development works, and in that model the eyes that look are indeed of vital importance. But a project like the Linux kernel, used by many large companies and organizations around the world, is not the same as one of its specific dependencies or a much smaller project.

Be that as it may, it is a fact that open source, by its very nature, offers a level of transparency that proprietary software does not. That transparency can be very helpful in many cases, but it can also be detrimental in others, because it makes it easy to excuse irresponsible decisions with "someone will see it and fix it", stop worrying about the issue and save some effort.

On the other hand, it is equally true that the open source ecosystem itself has been changing its mentality for several years now: focusing more on the most commonly used components, doing more to discover vulnerabilities, funding improvements, and leading other types of initiative in the same direction. A lot has been done around Linux and the most popular open source software in the business world, and the fruits of it are already visible.


Thus it is recognized, for example, that Linux fixes its security flaws faster than Apple and Microsoft. Some parties rightly point out that the number of such flaws is much higher in Linux, or in open source in general, which is true, and is partly a consequence of the transparency of the model. However, it is becoming increasingly clear that transparency alone is not enough to ensure a secure environment.

The fact is that vulnerabilities are commonplace in all kinds of software, regardless of the model under which it is developed. While open source has its advantages, it is not free from the same problems the industry has been dealing with for decades. The lesson is that it is very important to take care of security yourself rather than shifting it onto third parties.

As for the study, it provides other interesting data, pointing out, for example, the vulnerabilities commonly found in the average application, the type of response given to them, and the tools included in the process. But its emphasis on perception is one of the key points worth paying attention to.

To see the full study, you can follow this link (PDF).
