Security Current, an information and collaboration company by CISOs for CISOs, today published a collection of insights from leading Chief Information Security Officers (CISOs) on the use of open source software in their organizations.
Eleven CISOs from across industries weighed in, with most saying that open source software has generally been well vetted for security vulnerabilities by the large development communities that contribute to its libraries. What’s more, they note that open source can provide more flexibility than commercial software products, which often must be heavily customized at great expense to the user organization.
“Open source code is a part of any modern technology portfolio,” said Meg Anderson, VP & CISO at Principal. “Using open source can encourage creativity, increase agility, allow you to learn from outside your own company and attract talent engaged and networked in the community.”
There is a consensus among security executives that open source software libraries are generally safe to use. Bradley Schaufenbuel, VP and CISO at Paylocity, said, “I contend that open source software is actually more secure than commercial off-the-shelf software. Since the source code is available to anyone, that code can be reviewed for security flaws or embedded malware by many.”
Alexander Fry, Elsevier VP, Software Security Assurance, concurs. “I have conducted security-focused code reviews and security testing on hundreds of custom software applications that utilize open source libraries and frameworks. It has been my experience that most of the vulnerabilities are identified in custom code, not in open source libraries.”
CISOs agree that, though open source software can be acquired for free or at low cost, enterprises must still account for the lifecycle expenditures, including training, support and ongoing maintenance. They note that most open source products are updated frequently, and user organizations must check regularly for updates, patch when needed, and thoroughly test new releases before putting them into production.
“We need to always remember that there is absolutely nothing about open source output that alleviates the need to update/patch it if we rely on some part of it in our environments,” David Sheidlower, CISO at Turner Construction, noted.
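The practice the CISOs describe above, knowing exactly which open source versions are deployed and checking them regularly against published advisories so they can be patched, is the core of what a software composition check does. The following is an added example, not code from Security Current or any of the quoted organizations: it parses a pip-style pin list and compares each pinned version against a list of known-vulnerable version ranges. The package names (libfoo, barlib, qux, bazkit) and the advisory identifiers are constructed for illustration and do not refer to real software or real vulnerabilities.

```python
"""Minimal dependency audit: compare pinned open source components against
known-vulnerable version ranges and report what needs patching.

Added example. The lock file and advisories below are constructed for
illustration; the package names and EXAMPLE-* references are fictitious.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample lock file (pip-style "name==version" pins).
SAMPLE_LOCKFILE = """\
# constructed example pins, not a real project
libfoo==2.19.0
barlib==1.26.5
bazkit==3.1.4
qux==5.1
"""


@dataclass(frozen=True)
class Advisory:
    """One known-vulnerable range: introduced <= version < fixed."""
    package: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first patched version (exclusive)
    ref: str          # advisory identifier (fictitious here)


# Constructed advisories for the fictitious packages above.
SAMPLE_ADVISORIES = [
    Advisory("libfoo", "2.0.0", "2.20.0", "EXAMPLE-2024-001"),
    Advisory("barlib", "1.0.0", "1.26.5", "EXAMPLE-2024-002"),  # pinned at fix
    Advisory("qux", "0.0.0", "5.4", "EXAMPLE-2024-003"),
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.2.3' into (1, 2, 3). Trailing zeros are trimmed so that
    '1.2' and '1.2.0' compare equal. Non-numeric parts raise ValueError,
    which is deliberate: an unparseable pin should fail the audit loudly."""
    parts = tuple(int(p) for p in v.strip().split("."))
    while len(parts) > 1 and parts[-1] == 0:
        parts = parts[:-1]
    return parts


def parse_lockfile(text: str) -> Dict[str, str]:
    """Read 'name==version' lines; comments and blank lines are skipped.
    Unpinned requirements (e.g. 'libfoo>=2') are rejected, because you
    cannot check an update policy against a version you do not know."""
    pins: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "==" not in line:
            raise ValueError(f"unpinned requirement: {line!r}")
        name, version = line.split("==", 1)
        pins[name.strip().lower()] = version.strip()
    return pins


def is_affected(version: str, adv: Advisory) -> bool:
    """True when the pinned version falls inside the advisory's range."""
    v = parse_version(version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)


def audit(pins: Dict[str, str], advisories: List[Advisory]) -> List[Tuple[str, str, str, str]]:
    """Return (package, pinned, fixed_in, ref) for every affected pin,
    sorted by package name so output is stable for diffing between runs."""
    findings = []
    for adv in advisories:
        pinned = pins.get(adv.package.lower())
        if pinned is not None and is_affected(pinned, adv):
            findings.append((adv.package, pinned, adv.fixed, adv.ref))
    return sorted(findings)


if __name__ == "__main__":
    for package, pinned, fixed, ref in audit(parse_lockfile(SAMPLE_LOCKFILE), SAMPLE_ADVISORIES):
        print(f"{package}=={pinned} is affected by {ref}; upgrade to {fixed} and retest")
```

Two details matter in practice. The fixed version is treated as exclusive, so a component pinned exactly at the patched release (barlib above) is correctly not reported. And the parser refuses unpinned requirements rather than guessing, since the inventory the audit runs against is only as good as the pins in it. A real deployment would feed this from a generated lock file and a maintained advisory source, and would follow a finding with the testing step the CISOs call for before the upgraded release reaches production.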
Randy Marchany, Virginia Tech’s CISO, said that working with open source software is a cost-effective way to learn about new features that can benefit the enterprise. “Most commercial security software came from open source software, so why not get it from the source? Open source software allows you to test out new features with the only cost to you being that of time. Once your team uses an open source tool, they can use that knowledge to better evaluate a commercial product,” Marchany said.