Open source is a philosophy and approach to software design where the developers share their source code with the world with the intention of both helping other developers and improving their project by incorporating feedback from the community.
But, just like a person can see the points of entry to a home by looking at the construction plans, a hacker can figure out potential exploits by taking a look at the source code.
It’s undeniable that the open-source movement has been a big part of the industry, and that we would be living in a very different world if we didn’t have open projects like NodeJS, languages like Python, or frameworks like Angular. But it’s worth considering if there are risks we’re taking because of those projects.
So, it’s worth asking – are you at risk for choosing to work with open source technology?
PHP: A case study
In a recent event, the PHP repository was the victim of a hacker attack. The social engineering employed by the hackers was simple, yet almost effective. First, they used the account of one of the most renowned developers in the PHP community to make a change in the repository to fix a bug.
The bug was actually real, and the code for all intents and purposes would have fixed it, but here is where it gets interesting. The same hackers then used another account from a different community guru to make a change to the first code to fix a typo that they intentionally left behind.
The trick is that they also added a few lines of code that, if executed, would give the user complete access to the server. Thus, it’s as if every single PHP-based web page that downloaded the change would have had their admin password changed to “1234”.
They hoped that by injecting the malicious code in a simple “fixing a typo” commit from a reputable source, the backdoor would be ignored and it would get pushed onto the main branch, at which point it would have been publicly distributed.
But that would only affect pages running on PHP, right? Well, yes, but this server-side scripting language is used by 78.9% of all websites. Facebook, for example, still relies on PHP. Can you imagine the implications of having a backdoor to one of the biggest data-gathering companies in the world?.
This wasn’t even the first time that something like this happened. In 2019, PEAR, one of PHP’s most popular package repositories, had to be taken down when it was discovered that hackers managed to change the package manager with an infected duplicate.
The community
So far it would seem like we are building a pretty strong case against using open source projects, right? Well, there is something to be said about the risks of relying on technology with a readily available source code and which could theoretically be altered by anyone with ill intent.
But there are also some strengths that we have to talk about. In both cases cited above, it was the PHP community who came to the rescue and stopped the malware from spreading like wildfire. Granted, some people did get infected with the PEAR hack, but as for the other one, it was caught before it went live.
For every person who is abusing the open-source philosophy, there are thousands of developers fervently devoted to the projects, going over every small change, patching up bugs, and improving over the code. Open source technology is like a breathing living entity that continues to evolve and grow with time.
PHP isn’t the first nor will it be the last open-source project to be targeted by hackers. But, to play the devil’s advocate, one of the project’s biggest vulnerabilities was that it was hosted on their git repository. Fortunately, the project is being migrated to GitHub since the last few security breaches.
On the other hand, other technologies like Django have cemented their reputations as dependable open-source solutions, in great part because of how security conscious their developers have been since the beginning of the project.
Therefore, a big and devoted community can be a security asset. All it takes it’s a fresh set of eyes to find a bug or an exploit where the original developers didn’t see anything wrong with their code. In fact, sometimes an open-source project can be even more secure than the alternative.
Learning from Naughty Dog
Naughty Dog is a well-known game development company that has published some of the best PlayStation games on the market. In 2020, before the release of one of their biggest projects, every video from the game was leaked on the internet.
Rumors were abounding, some claiming that it was an inside job from a discontent developer who was rebelling against the company. The truth, unfortunately, isn’t as juicy.
The leakers were in fact enthusiasts who searched the files of another of the company’s projects and found that one of the patches had the key to access Naughty Dog’s AWS S3 server. Lo and behold, the server had the files for the current project.
While it may seem like an obvious mistake, this kind of exploit is far more common than anyone would like to admit – some of the world’s biggest hacks have been due to human error. In this case, there is a high chance that the developers had been using the same protocols from project to project, and since it had never caused an issue before, there was little room for concern.
This is the kind of obvious oversight that is often caught by an active community. Having many people from different backgrounds going over the same code increases the odds of someone finding a bug and offering a solution.
That, in essence, is the spirit of open source, the idea that no engineer can do a better job alone than thousands can do working together.
So, what’s the answer?
Yes, there are inherent risks that come with open source, but the same can be said for even the most zealously guarded projects. The positives of using open-source solutions in your projects outmatch the negatives by a thousandfold.
Open source can be a security risk if we implement it without foresight. A developer who carelessly uses libraries without going over its source code, or at least researching potential security risks is asking for trouble.
As such, the best strategy for security by design is to hire developers who are security conscious, to establish early on in the project the groundwork to build secure software, and to have a very strict and thorough testing policy.
An open-source technology can be a security risk, as long as you don’t understand the inherent risks and take precautions, much like how riding a motorcycle can be extremely dangerous, especially if we disregard the recommendation to wear a helmet.