The Necessity Of Security Audits For Open Source Projects

Featured article by Karl Zimmerman, CEO of Steadfast, a leading IT Data Center Service company

Curl, an open source application installed on hundreds of thousands of servers, was found to have several serious security vulnerabilities in a voluntary audit. The vulnerabilities were quickly fixed, but the incident exemplifies the importance of external auditing of the open source projects on which we all depend.

That curl contained security vulnerabilities doesn’t necessarily reflect badly on the application or its developers — all software has bugs. It does, however, demonstrate why it’s so important that open source applications, some of which are crucial to the functioning of the web, are carefully scrutinized by experts. It’s not enough to rely on the open source ideal that “with enough eyes, all bugs are shallow,” because it has to be the right eyes, with the right expertise and incentives.

Any application of curl’s complexity is bound to contain, amongst many thousands of lines of code, a mistake or two. It’s expensive, slow, and impractical to develop feature-rich software that can be verified bug-free. What’s important is that those bugs are found and squashed as soon as possible. Bad actors will enthusiastically take advantage of any vulnerability to steal data or damage services.

Curl and its associated library — and hundreds of other open source applications — are not well-known outside developer and tech circles. If you asked the average person whether they used curl, they’d likely respond that they don’t and have never heard of it. In reality, such applications are everywhere, and almost everyone who uses the internet interacts with them directly or indirectly.

It’s impressive that curl’s developers volunteered to have their code audited. The web is now a little safer and more secure. Many aren’t quite so willing to have their code examined by experts.

Of course, anyone can look at the code of open source software. There’s no reason the curl bugs couldn’t have been discovered earlier. So what’s the value of a security audit when the code is entirely open to scrutiny. Security audits are expensive. Curl’s was paid for by Mozilla’s Secure Open Source project.

In reality, scouring a large codebase for bugs is not exciting. It’s downright boring compared to adding new features, creating new applications, and bikeshedding about this and that. Consequently, “voluntary” security audits aren’t common. Without a personal incentive to go bug hunting, there has to be an external incentive — money.

In addition to which, developers have different levels of skill and areas of expertise. Security audits by developers and security researchers who know what they’re looking for and have experience auditing large codebases are more likely to be successful.

The takeaway message here is that open source applications essential to the functioning of the internet should be subject to regular, professional code audits. The Core Infrastructure Initiative and Mozilla’s Secure Open Source project are a vital part of making the web safe for users and businesses.

About Karl – Karl Zimmerman is the founder and CEO of Steadfast, a leading IT Data Center Service company.