Open Source Security. Is Open Source secure?
I posted this as part of my projects because this video was one of the first points where I got in touch with open source security and supply chain security. Open source won. But there are downsides, and this was the time when I was disillusioned and realised that there is a lot to do if we want to rely on open source for our modern infrastructure in the future.
The video is in German, and looking back I would do some things differently and talk about other, more pressing issues. But I started working on this before the Log4j incident and all the work on SBOM. Also, I wanted to see what I could do with Blender to make a video. It was a lot of work and I don't think I will do this again any time soon.
Please feel free to leave a comment. I'm happy for feedback.
In the following, a transcription of the video in English.
IoT devices
Whether it's a smart refrigerator, digital thermostat or intelligent lightbulb, no one would expect that the last Chinese junk product you bought on Wish would be particularly safe and receive regular updates.
Commercial software development
And even if you leave the Internet of Things and look at professional software developers, you will find that sometimes it can be quite difficult to get a big software developer to take a bug seriously.
Open Source Security
Criticism of such products and manufacturers can regularly be found in the media, but such criticism is rarely found about open source software.
No wonder, after all, open source means that anyone can read and improve the code. In this way, open source ensures that the code contains fewer errors, is of higher quality and is more secure. Or is it?
Until a vulnerability like Log4j comes around the corner.
While large open source projects name specific processes, such as a peer review, it becomes more difficult for medium-sized and small projects.
Anyone who wants to can read the code, but does somebody really do that? And if so, what exactly is taken into account? Is the reviewer looking for bugs, checking architectural concepts, code quality or other conventions?
And whoever now thinks "Well, of course I would pay attention to all these aspects." didn't even notice that "Security" wasn't part of the list.
The University of Minnesota provided an extreme example of this in April. There, students submitted code to the Linux Kernel that intentionally included bugs.
They were discovered in the process, but the reaction of the Linux community shows that such events are not the norm.
As a result, the University of Minnesota has been suspended from development on the Linux Kernel.
In code reviews, sooner or later errors are always overlooked. I mean, if they were perfect, you wouldn't need a test anymore.
Especially when it comes to open source security, you should consider how much effort is actually invested in security.
The Linux Foundation conducted a survey among the open source developer community at the end of 2020.
The developers stated that they only spend 2.27% of their time dealing with security issues.
This is especially controversial when you consider that over 51% of developers say they are paid by their employer or by third parties for their work on open source projects.
Among the questions the survey asked "Do you have a security policy in place?". Only 26% answered "yes".
And what the difference between "saw but did not answer the question" and "no answer" is, is not really clear to me.
You should also be aware of the lifecycle of open source.
Projects like this work great when you find people who are enthusiastic about developing them in the future. But if the developers leave the project, the program itself might still work, but the architecture behind it may already have collapsed.
And the worst part is that such projects usually don't die with a bang. But quietly.
Don't get me wrong, open source is a great thing. But it's not a seal, not a license, not a certificate and not a standard.
Open source means you can read the code. No more.
It is a fallacy to believe that software is secure because it is open source.
Open source handling of issues
What troubles me most is the question of how to deal with vulnerabilities in open source projects, especially when there is nobody who wants to take care of them.
While you can build up public pressure on private companies, this is counterproductive on open source projects with voluntary developers. So what to do?
Selenium
In December, the vulnerability in Log4j affected everybody in one way or another.
A vulnerability in a Java library makes almost the entire Java ecosystem vulnerable. And has been since 2013.
But Log4j is not an isolated case. There are numerous vulnerabilities in open source projects. Often they aren't made to be secure.
I set up a Selenium GRID a few months ago.
Selenium is a tool for automating websites which is mostly used to test web based user interfaces.
With a few lines of code you can automate a Google search or simply generate clicks on your own YouTube videos.
So... uhh not that I would do that. That would violate the Licence agreement and stuff ...
Back to topic.
Since it can be quite bulky to carry a bunch of browsers along in a fully automated build chain, you can outsource them to a Selenium GRID. Put simply, a GRID represents a bunch of browsers that are made available over the network so they can be addressed automatically.
Wouldn't it be stupid if such GRIDs accidentally ended up on the Internet? But hey, even if they do, who's supposed to find them?
Well, with the right tools, it's actually quite easy. There are numerous systems that can be exploited in this way.
I asked the developers about this issue, to which I got the reply that this was already a known issue and that the users were informed in the documentation that the systems should be protected with appropriate network measures.
That is good, but in my humble opinion it is not ideal that this reference is placed at the bottom of the documentation, after debugging. I would suggest placing it in the 3-step guide to Docker containers where the 3rd step reads "That's it".
Wireguard UI
Moving on, the Wireguard UI is an even more extreme example.
This is a web server that is intended to serve as a web interface for Wireguard. It offers a convenient way to operate your own VPN. You can simply throw a Docker container onto a server, and the service is simply exposed on the Internet. Without a password or other security measures. So if you are looking for it, you can find these servers on the Internet and use a free VPN.
That seems more like a network-insecurity tool to me.
I also tried to contact the developers here and have not received an answer to this day. It seems that the project is no longer being actively developed by anyone.
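Both the Selenium GRID and the Wireguard UI problem above come down to the same thing: a service listening on every interface with nothing in front of it. The following is an added example, not code from the video or from either project, that runs the check a defender would do first: parse `ss -tlnp`-style output and flag listeners bound to a wildcard address. The sample output is constructed; port 4444 is Selenium Grid's default, the other ports and process names are placeholders.

```python
import re

# Constructed sample shaped like `ss -tlnp` output (not captured from a real host).
# Port 4444 is Selenium Grid's default; the other ports and names are placeholders.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096   127.0.0.1:5432      0.0.0.0:*         users:(("postgres",pid=801,fd=5))
LISTEN 0      4096   0.0.0.0:4444        0.0.0.0:*         users:(("java",pid=1203,fd=12))
LISTEN 0      4096   *:5000              *:*               users:(("vpn-webui",pid=1340,fd=3))
LISTEN 0      128    [::1]:22            [::]:*            users:(("sshd",pid=600,fd=4))
"""

# Local addresses that mean "every interface": the socket is reachable from
# wherever the host itself is reachable, unless a firewall says otherwise.
WILDCARD_ADDRS = {"0.0.0.0", "*", "::", "[::]"}
# The process column is only present when ss runs with enough privileges.
PROCESS_RE = re.compile(r'users:\(\("([^"]+)"')


def parse_listener(line: str):
    """Return (process, address, port) for a LISTEN line, None for header/other lines."""
    fields = line.split()
    if len(fields) < 5 or fields[0] != "LISTEN":
        return None
    # rsplit keeps IPv6 literals such as "[::1]" intact and splits off only the port.
    addr, port = fields[3].rsplit(":", 1)
    match = PROCESS_RE.search(line)
    process = match.group(1) if match else "unknown"
    return process, addr, int(port)


def exposed_listeners(ss_output: str, allowed_ports=frozenset({22})) -> list:
    """List listeners bound on all interfaces that are not on the allow-list of intended ports."""
    exposed = []
    for line in ss_output.splitlines():
        parsed = parse_listener(line)
        if parsed is None:
            continue
        process, addr, port = parsed
        if addr in WILDCARD_ADDRS and port not in allowed_ports:
            exposed.append((process, addr, port))
    return exposed


if __name__ == "__main__":
    for process, addr, port in exposed_listeners(SAMPLE_SS_OUTPUT):
        print(f"{process} listens on {addr}:{port} for every interface; what is in front of it?")
```

A wildcard bind is a reachability signal, not proof of exposure: a host or network firewall in front of the port still counts, and that is exactly the "appropriate network measures" the Selenium documentation refers to.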
Federal Architecture Stack
So the question arises as to which open source software should be used at all. While private companies can be certified in a complex and expensive way, it is not usual for open source software to do so. You have to evaluate for yourself which projects you trust. Regardless of whether you review the code yourself, use a scanner or pay attention to any other key figures of a project, it remains complex.
The federal government has put together a software stack for its own authorities. The list runs over 200 pages of different tools and recommendations on how to use them. Also, the Linux Foundation is trying to introduce scorecards for open source projects through the Open Source Security Foundation.
Open source is not a matter of course. No one has an obligation to provide safe free software. It's quite normal when everything works. Until something doesn't work. Next time, just take a quick look to see when a program received its last update, go to GitHub and look over the issue lists of a project you use. Or just ask yourself for a moment what is protecting you right now. A firewall, a password, a certificate or a key, or is there maybe nothing?
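The quick look suggested above (last update, issue backlog, and the security policy question from the Linux Foundation survey) can be turned into a repeatable check. This is an added example, not code from the video: it scores constructed project records with the signals a reviewer would gather from a project's GitHub page. The field names, thresholds and project names are assumptions, not any real API's schema or any real project.

```python
from datetime import datetime, timezone

# Constructed records of the signals one would collect by hand from a project's
# repository page; the names, values and field layout are placeholders.
SAMPLE_REPOS = {
    "example/maintained-ui": {
        "pushed_at": "2022-05-20T10:00:00Z",
        "archived": False,
        "has_security_policy": True,   # e.g. a SECURITY.md describing how to report
        "open_issues": 12,
        "oldest_open_issue_at": "2022-03-01T00:00:00Z",
    },
    "example/quiet-vpn-ui": {
        "pushed_at": "2020-01-15T10:00:00Z",
        "archived": False,
        "has_security_policy": False,
        "open_issues": 140,
        "oldest_open_issue_at": "2019-06-01T00:00:00Z",
    },
}

# Fixed reference date so the check is reproducible offline.
REFERENCE_DATE = datetime(2022, 6, 1, tzinfo=timezone.utc)


def _days_since(iso_timestamp: str, now: datetime) -> int:
    when = datetime.fromisoformat(iso_timestamp.replace("Z", "+00:00"))
    return (now - when).days


def maintenance_signals(repo: dict, now: datetime = REFERENCE_DATE) -> list:
    """Return the warning signals a reviewer would note before trusting a project."""
    warnings = []
    if repo["archived"]:
        warnings.append("archived")
    if _days_since(repo["pushed_at"], now) > 365:
        warnings.append("no push in over a year")          # the "quietly dying" case
    if not repo["has_security_policy"]:
        warnings.append("no security policy")               # nowhere to report a bug
    if repo["open_issues"] > 100:
        warnings.append("large open-issue backlog")
    if _days_since(repo["oldest_open_issue_at"], now) > 730:
        warnings.append("issues open for over two years")
    return warnings


def triage(repos: dict = SAMPLE_REPOS, now: datetime = REFERENCE_DATE) -> dict:
    """Map each project name to its list of warning signals (empty list means none found)."""
    return {name: maintenance_signals(repo, now) for name, repo in repos.items()}


if __name__ == "__main__":
    for name, warnings in triage().items():
        print(name, "->", ", ".join(warnings) or "no warning signals")
```

None of these signals proves a project is insecure or safe; they only tell you whether anyone is still around to answer when something breaks.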
Update
Before the end, a small update on Selenium. After 6 months, I did still get a positive answer that the GRID has some functions built in to protect your system. I haven't been able to test it myself yet, but I'm really happy that the idea of the open source community process is working here and that there are people who help.