
The perils of Open Source software, starting with Java

29/11/22 5 min. read

It was 2018 when we were shocked because Java was no longer free (in some cases, as we explained here and here). In 2018 that could have been seen as an Open Source paradigm shift where Java was the most important example but, to be honest, it seems everyone adapted quite well. That was the beginning.

From the language selection to the deployment pipeline, through the libraries, there are perils to be aware of in the software development lifecycle. Let’s see a few of them. 👀

The Log4j case

Later, in December 2021, a zero-day attack on Java happened because of the Log4j/Log4Shell vulnerability and some subsequent vulnerabilities. Apart from the technical details of the problem, there was an underlying root problem: Log4j was developed and maintained by a few people in their spare time because “it was shareware”. A close look at the log4j attack can be read here 👈👈.


Thousands of companies were using a piece of software that proved to be critical, and it was supported by a few well-meaning people; think about that. Log4j is among the most used libraries 🌎 (in November 2021 it ranked 252nd of 7.1 million, and it is used by more than 7000 other Open Source projects and libraries).

“Who maintains this library? Who knows?” 🤔 This happens with a lot of libraries. But the log4j incident changed nothing.

Caution while using Open Source software 👇👇

Another peril is called ProtestWare: it happens when an Open Source developer simply deletes their code or makes it unusable. It has happened several times; the most relevant cases could be the “leftpad incident” or the “colors and faker” self-hijacking.

The causes of ProtestWare are various, but they all stem from the fact that many Open Source developers do not get any recognition or compensation for their work. Moreover, sometimes they are pressured to comply with regulations while still working for free. Companies using their software barely contribute anything.

More recently, another software flaw in an antivirus product prevented users from reaching google.com and YouTube.

Is this because Malwarebytes is free for home users? Probably not, but the case makes a point: free things are good until they stop being free for any reason. That is why paying for things that are worth it is good, especially for companies.

Why pay for software instead of using Open Source? ❓❓

Because in the end it may cost you more, much more. Back to the log4j vulnerability: have you tried to measure how much the cyber-research, patching and re-deploying of all the applications that used the library cost you? And doing it several times, because the bug was not solved in a single patch but over several patches in a long timeframe (this is a summary of log4j bugs).

Wait, there’s more 😱

Were you able to locate absolutely all the log4j instances running in your systems? You still may be vulnerable to log4j errors after nearly one year.
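One way to take that inventory on disk, as an added example that is not part of the original post: a scanner that opens every JAR/WAR/EAR under a directory, follows archives nested inside other archives, and reports each copy of log4j-core 2.x by the presence of its `JndiLookup` class. The function names, the nesting limit of 5 and the sample archive built in `demo()` are assumptions made for this illustration.

```python
import io
import os
import tempfile
import zipfile

# Marker class of log4j-core 2.x and the Maven metadata that carries its version.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")

def scan_archive(data, label, depth=0):
    """Return [(location, version)] for each log4j-core copy in one archive."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []  # archive extension but not a readable ZIP
    hits = []
    with zf:
        names = set(zf.namelist())
        if JNDI_CLASS in names:
            props = zf.read(POM_PROPS).decode("utf-8", "replace") if POM_PROPS in names else ""
            version = next((ln[8:].strip() for ln in props.splitlines() if ln.startswith("version=")), "unknown")
            hits.append((label, version))
        for name in sorted(names):
            # Fat JARs and WARs bundle their libraries as nested archives.
            if depth < 5 and name.lower().endswith(ARCHIVE_EXT):
                hits += scan_archive(zf.read(name), f"{label}!/{name}", depth + 1)
    return hits

def scan_tree(root):
    """Scan every archive under root, following nested archives."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in sorted(files):
            if fname.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, fname)
                with open(path, "rb") as fh:
                    hits += scan_archive(fh.read(), path)
    return hits

def demo():
    """Constructed sample: app.jar with log4j-core nested under BOOT-INF/lib."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(JNDI_CLASS, b"")  # placeholder bytes, not a real class
        z.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\nversion=0.0.0-sample\n")
    with tempfile.TemporaryDirectory() as root:
        with zipfile.ZipFile(os.path.join(root, "app.jar"), "w") as z:
            z.writestr("BOOT-INF/lib/log4j-core-sample.jar", inner.getvalue())
        return [(os.path.relpath(p, root), v) for p, v in scan_tree(root)]
```

Because it matches on the class path, this finds copies hidden inside application bundles that a file-name search misses, but not copies whose packages were relocated by shading; treat an empty result as "none found this way", not as proof of absence.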

Development pipeline risks

When I learned of the “leftpad incident” I thought, “What? Did someone import that as a library?” The piece of code is tiny; I guess that many modern development languages should include it by default, but even if they don’t I would just copy the code into mine. “Heretic!” did I hear? Probably. Copying code may break the attribution clauses in the licence, but Stack Overflow solutions do that all the time. Also, it passes the maintenance responsibility from the creator to me.

But it also isolates me from ProtestWare, Poisoned Pipeline Execution and other security risks in the CI/CD spectrum, like the one British Airways suffered because of a modified version of a library they used. As you can see, every option has its benefits and drawbacks, but security checks have to be extended to the complete project lifecycle.

Sometimes big companies are not fully aware of the hidden costs of not doing software development properly. This applies not just to Java, JavaScript, R or Python (I mention those as examples of languages with heavy use of libraries) but to literally anything you just use or import.

Setting the vigilance in all the project stages 🧐

Even choosing the language matters: Microsoft Azure’s CTO, Mark Russinovich, says that C/C++ should be deprecated, not only because they are non-GC languages (and still useful in many development landscapes) but because development in those languages is more error-prone. Microsoft is supporting Rust because it is memory safe, but also because it is nearly as efficient as C/C++ (read the paper here), whereas Java sits in the middle of the table.

To be fair, we have to recognize that Open Source is one of the main drivers of “modern” IT. Without Linux, Java, MySQL and many others we might still be striving to evolve from classical 2-layer architectures.

Long live Open Source, but watch out for what you are really doing 😉


Juan Tavira


Universia

Specialist, architect and interdisciplinary geek passionate about all kinds of innovations. This is easy to say for oneself, but when my computing colleagues, my geek friends and even my wife say so, then it must be true somehow ;-). I also like to build violins as a hobby. I see code

 
