Open and closed source code, different types of licenses and their impact on cybersecurity
17.11.2025

Ruslan Rakhmetov, Security Vision


Import substitution is often associated with a move not only to domestic software but also to Open Source solutions, and companies face a choice between free and proprietary software, between different types of licenses and different delivery models. Opinions are polarized: some believe that proprietary software is more reliable because its code is closed, and that commercial paid software is more reliable than freely distributed software, while Open Source enthusiasts are convinced of exactly the opposite. Cybersecurity professionals often have to manage the associated legal and information-system risks and choose between types of software and types of licenses, taking into account the long-term impact of that choice on the company's IT infrastructure and attack surface. In this article we discuss the different types of software and licenses and evaluate their impact on cybersecurity.


Let's start with the basic classification of software by intended purpose:

 ·  System (general-purpose) software: manages the interaction of application software with the device hardware and ensures that application software can run. Examples include operating systems (OS), device drivers, OS utilities, device firmware, database management systems (DBMS), software development tools, and information security tools.

 ·  Application (special-purpose) software: performs business tasks through interaction with the user. Examples include office applications (email clients, document and spreadsheet editors), collaboration tools, messengers, browsers, and business applications (ERP, HRM, CRM systems, etc.).


By the method of acquisition, use, and distribution, software can be divided into the following types:


1. Free and open-source software (FOSS)


1.1. Free Software


Free software is software distributed under terms that allow users to use it for any purpose. In English this type of software is called Free software or Libre software; the second name emphasizes not a zero price but the user's freedom to do as they please with their copy, regardless of what they paid for it. A program is considered free if it literally "respects" the user's freedom, namely grants four rights:

 · to execute (run) the program for any purpose;

 · to study how the program works and modify it so that it meets the user's specific requirements;

 · to distribute copies of the original program;

 · to distribute copies of the program as modified by the user.


The ideology of free software allows it to be commercial, and the desire of commercial companies to provide paid professional technical support for free software is welcomed. Selling free software (both original and modified) is likewise permitted, with the emphasis that if a license forbids users from making copies of the program and selling them, then that license (and the program) is not free. To give these freedoms legal force, the concept of "copyleft" (a play on "copyright") was developed: the developer officially declares the program free and requires that all modified and extended versions of it also be free. Besides copyleft licenses there are more liberal schemes. A permissive license does not require modified versions of the program to be free, but the original developer's copyright notice must be preserved, while a public domain dedication provides no copyright registration or protection at all.


The American non-profit organization the Free Software Foundation (FSF), founded in 1985 by the free software ideologist Richard Stallman, stresses that the authors of free software have legal ways to protect themselves from attempts by unscrupulous players to make a program proprietary, in effect appropriating it, for example in order to resell it without attribution. One such way is the GPL (GNU General Public License) version 3, a copyleft license that legally protects free software from attempts to impose additional restrictions on the program and turn it into proprietary software. GPL v3 was released in 2007, and Richard Stallman pointed out that its release would regulate the improper practice of shipping software under older GPL versions in devices whose manufacturers forbid users from modifying the software and running modified versions. FSF members remain attentive to the freedoms of end-device users: for example, the Librephone project was recently announced, which plans to develop a Linux-based smartphone OS supported by the free software community.


1.2. Open Source Software


Open Source software is supplied together with the source code of the programs and must meet a number of criteria:

 · distribution and sale of the program are not restricted;

 · the program must include the source code, and distribution must be supported both in compiled form and as source code that users can compile themselves;

 · modified versions of the program may be distributed under the terms of the original program's Open Source license;

 · discrimination against persons, groups, industries, or fields of endeavor is prohibited; the rights to the program under the Open Source license are transferred along with the program; and the license must not be tied to a specific product, must not restrict programs distributed alongside it under other licenses, and must be technology-neutral.


Thus, open source software has much in common with free software: the free software concept requires that a program can be modified and that modified copies can be distributed, which requires access to the source code, so most Open Source programs are also free software. However, the two approaches differ ideologically, as Richard Stallman emphasizes.


The Open Source Initiative is an American commercial organization founded in 1998 to support developers and promote open source software. The Open Source Initiative website maintains a list of Open Source licenses, including such popular licenses as:

 · Apache License, Version 2.0 (Apache-2.0)

 · GNU Affero General Public License version 3 (AGPL-3.0-only)

 · GNU General Public License version 3 (GPL-3.0-only)

 · GNU Lesser General Public License version 3 (LGPL-3.0-only)

 · Mozilla Public License 2.0 (MPL-2.0)

 · The 3-Clause BSD License (BSD-3-Clause)

 · The MIT License (MIT)
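The licenses listed above differ mainly in the obligations they impose on whoever redistributes the code (permissive, weak copyleft, strong copyleft, network copyleft). The following Python script, added here as an illustration and not part of the original article or of any Security Vision product, classifies the dependencies in a constructed manifest by those obligations and flags the ones that exceed a policy ceiling or cannot be identified. The manifest, package names and the "distributed product" policy are invented; the mapping of SPDX identifiers to obligation classes is a common engineering summary, not legal advice.

```python
"""Classify dependencies by the obligations their SPDX license identifiers carry.

Added example: manifest and policy are constructed; the license classes are a
common engineering summary of the licenses listed above, not a legal opinion.
"""

# Obligation classes, ordered from least to most restrictive.
PERMISSIVE, WEAK_COPYLEFT, STRONG_COPYLEFT, NETWORK_COPYLEFT, UNKNOWN = range(5)
CLASS_NAMES = {
    PERMISSIVE: "permissive",
    WEAK_COPYLEFT: "weak copyleft",
    STRONG_COPYLEFT: "strong copyleft",
    NETWORK_COPYLEFT: "network copyleft",
    UNKNOWN: "unknown",
}

# SPDX identifiers from the OSI list above, mapped to their obligation class.
LICENSE_CLASS = {
    "MIT": PERMISSIVE,
    "BSD-3-Clause": PERMISSIVE,
    "Apache-2.0": PERMISSIVE,
    "LGPL-3.0-only": WEAK_COPYLEFT,     # copyleft limited to the library itself
    "MPL-2.0": WEAK_COPYLEFT,           # copyleft limited to the modified files
    "GPL-3.0-only": STRONG_COPYLEFT,    # derivative works must be GPL
    "AGPL-3.0-only": NETWORK_COPYLEFT,  # obligations also triggered by network use
}


def classify_expression(expr):
    """Classify a flat SPDX expression such as 'MIT OR GPL-3.0-only'.

    In SPDX, OR binds more loosely than AND. For 'A OR B' the recipient may
    choose either license, so the least restrictive class applies; for
    'A AND B' both sets of obligations apply, so the most restrictive wins.
    Nested parentheses are not handled. Identifiers missing from the table
    are classified UNKNOWN so that they are always flagged for manual review.
    """
    alternatives = [part.strip() for part in expr.split(" OR ")]
    return min(_classify_conjunction(alt) for alt in alternatives)


def _classify_conjunction(expr):
    terms = [term.strip() for term in expr.split(" AND ")]
    return max(LICENSE_CLASS.get(term, UNKNOWN) for term in terms)


def parse_manifest(text):
    """Parse constructed manifest lines of the form '<name> <version> <SPDX expression>'."""
    deps = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, version, expr = line.split(maxsplit=2)
        deps.append((name, version, expr))
    return deps


def audit(deps, max_allowed=WEAK_COPYLEFT):
    """Return (name, version, class name) for every dependency whose
    obligations exceed the policy ceiling or cannot be determined."""
    findings = []
    for name, version, expr in deps:
        cls = classify_expression(expr)
        if cls > max_allowed:
            findings.append((name, version, CLASS_NAMES[cls]))
    return findings


# Constructed manifest for a hypothetical product that is shipped to customers.
SAMPLE_MANIFEST = """
# name      version  license expression (SPDX)
libfoo      1.2.0    MIT
libbar      0.9.1    GPL-3.0-only OR MIT
libbaz      3.0.0    LGPL-3.0-only
libqux      2.1.0    AGPL-3.0-only
libzot      1.0.0    Apache-2.0 AND GPL-3.0-only
libmystery  0.1.0    SEE-LICENSE-FILE
"""

if __name__ == "__main__":
    for name, version, cls_name in audit(parse_manifest(SAMPLE_MANIFEST)):
        print(f"REVIEW {name} {version}: {cls_name}")
```

The policy ceiling is a parameter because it depends on the delivery model: a product distributed to customers usually cannot absorb strong copyleft dependencies, whereas an internal service can, and AGPL still matters there because its obligations are triggered by network use rather than distribution.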


2. Proprietary Software


The opposite of free software is proprietary software, whose copyright holder (author, developer) reserves all rights to the software and prohibits end users from distributing and modifying it. Proprietary software may be closed-source or may ship with its source code available, which nevertheless does not make it Open Source software. In addition, proprietary software can be either paid (commercial) or free of charge (freeware).


Examples of software monetization models include:

 · commercial software (COTS/MOTS, discussed further below);

 · adware: the program is free, but users see advertisements that generate revenue for the developer;

 · donationware: the program is free, but the developer invites users to make a voluntary donation;

 · shareware: the program either runs for a limited time (trial) and then requires purchase, or displays intrusive reminders (nags) that the program must be bought. This category also includes software distributed under the Freemium model, in which only basic functionality is free and advanced features are unlocked after payment.


3. Ready-made commercial software (COTS, Commercial-off-the-Shelf)


Commercial software available for purchase by a wide range of business users comes as a "boxed" version (without custom modules) that can be deployed and configured either by the buyer or by an integrator (a partner of the vendor), with technical support provided by the vendor. Most software products on the market are COTS solutions; when a custom solution is developed or adapted by the vendor (vendor customization), the term MOTS (Modified Off-The-Shelf) is used instead, or sometimes "bespoke software" (literally, made to order).


When evaluating the various types of software and information security tools (SPI) that a company plans to deploy, an information security specialist needs to take into account a number of aspects:


1) The licensing terms of the software and SPI in use must be monitored. For example, a license may prohibit using the software/SPI in the interests of third parties, so it would be legally improper for a holding company to use a product (say, a SIEM) to protect its subsidiaries. Similar difficulties arise when software must be installed on a device the company does not own, for example on an executive's personal smartphone or on a laptop that is on the books of another legal entity.


2) The prevailing opinion that Open Source solutions are more secure than proprietary software is related to how widespread each type of program is. For example, Microsoft releases many feature-rich commercial solutions used by large companies around the world, which attracts attackers who regularly find dangerous vulnerabilities in them; on the other hand, the BSD OS family (FreeBSD, NetBSD, OpenBSD) is quite compact, performs a basic set of functions, and its relatively low prevalence (compared with Windows) reduces attackers' interest. Although orders of magnitude more vulnerabilities have been found in Microsoft products than in BSD, it is hard to say unequivocally that the BSD OSes are better written and more secure: if they became as popular as Windows, they would become just as much of a target.


3) Availability of the source code helps when the project has many interested users who can identify vulnerabilities and errors in the code and report them to the developers, who in turn must respond promptly. If the project is abandoned but a target company still uses it, attackers are likely to find vulnerabilities in the published source code, while the developer is unlikely to release a fix quickly. A thorough code and product security audit, successfully passed and conducted by a well-known information security company, can be an indicator of software reliability.


4) Vulnerability management can be non-trivial with Open Source: the need to track vulnerabilities in upstream packages, in various modules and components, and across a variety of OS versions and types, together with the high expertise required of Linux administrators, can complicate prompt identification and remediation of vulnerabilities and errors.
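One concrete reason tracking upstream packages across OS versions is hard is that distributions backport fixes without changing the upstream version number, so comparing an installed version against the upstream "fixed in" version alone produces false positives. The script below, added here as an illustration and not part of the original article or of any Security Vision product, matches a constructed component inventory against constructed advisories that carry a fixed version per distribution. All advisory identifiers, component names, distribution names, hosts and versions are invented placeholders, and the version comparison is a simplification of real dpkg/rpm ordering rules.

```python
"""Match a component inventory against advisories, honouring distro backports.

Added example with constructed data: advisory ids, components, distributions,
hosts and versions below are invented placeholders, not real advisories.
"""
import re


def version_key(version):
    """Compare versions by their numeric runs, e.g. '1.2.11-3+a11u1' ->
    (1, 2, 11, 3, 11, 1). A simplification of dpkg/rpm ordering that is
    sufficient for dotted numeric versions with a packaging revision."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def is_affected(version, advisory, distro):
    """True if `version` lies in [introduced, fixed) for the given distro.

    Distributions often backport a fix without bumping the upstream version,
    so the advisory carries a fixed version per distro; the 'upstream' entry
    is the fallback when no distro-specific fix is recorded."""
    if version_key(version) < version_key(advisory["introduced"]):
        return False
    fixed = advisory["fixed"].get(distro, advisory["fixed"]["upstream"])
    return version_key(version) < version_key(fixed)


def find_exposures(inventory, advisories):
    """Return sorted (host, component, version, advisory id) tuples."""
    exposures = []
    for host, distro, component, version in inventory:
        for adv in advisories:
            if adv["component"] == component and is_affected(version, adv, distro):
                exposures.append((host, component, version, adv["id"]))
    return sorted(exposures)


# Constructed advisories: placeholder ids, not real CVEs or vendor bulletins.
ADVISORIES = [
    {
        "id": "ADV-0001",
        "component": "libcompress",
        "introduced": "1.0.0",
        # upstream fixed the bug in 1.2.12; distro-a backported it into 1.2.11-3+a11u2
        "fixed": {"upstream": "1.2.12", "distro-a-11": "1.2.11-3+a11u2"},
    },
    {
        "id": "ADV-0002",
        "component": "webfront",
        "introduced": "2.4.0",
        "fixed": {"upstream": "2.4.50"},
    },
]

# Constructed inventory: (host, distribution, component, installed version).
INVENTORY = [
    ("srv-01", "distro-a-11", "libcompress", "1.2.11-3+a11u1"),  # backport not yet applied
    ("srv-02", "distro-a-11", "libcompress", "1.2.11-3+a11u2"),  # backported fix present
    ("srv-03", "distro-b-9", "libcompress", "1.2.11"),           # no distro fix known
    ("srv-03", "distro-b-9", "webfront", "2.4.49"),
    ("srv-04", "distro-b-9", "webfront", "2.4.51"),
    ("srv-05", "distro-b-9", "libcompress", "0.9.8"),            # predates the bug
]

if __name__ == "__main__":
    for host, component, version, adv_id in find_exposures(INVENTORY, ADVISORIES):
        print(f"{host}: {component} {version} affected by {adv_id}")
```

Note that srv-02 is correctly reported clean even though its upstream version 1.2.11 is below the upstream fix: the per-distribution fixed version is what decides. Without that field, a scanner keyed on upstream versions alone would keep raising the same finding on every patched host.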


5) The dependence of large Open Source products on code written by uncontrolled enthusiasts is also a challenge. On the one hand, many attackers target popular GitHub projects: having gained access, they can make large-scale malicious changes. To do this they compromise developer accounts or try to obtain commit rights through social engineering (for example, by posing as an enthusiast willing to help). On the other hand, the developers themselves may violate the Open Source community's non-discrimination rules and introduce destructive features into a project for hacktivist reasons, as happened in 2022 with the popular npm package node-ipc, whose author added destructive functionality that targeted Russian and Belarusian users.


6) Attackers exploit the confusion and rapid change in the Open Source ecosystem: for example, they use typosquatting to publish malicious packages with names similar to legitimate ones, targeting users who mistype a name when searching for or installing a package.
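A defensive counterpart to typosquatting is a gate in the internal package mirror or CI pipeline that compares every requested package name against the list of packages that have passed review and sends near-misses to a human instead of installing them. The script below, added here as an illustration and not part of the original article or of any Security Vision product, does that with an optimal string alignment distance (insertions, deletions, substitutions and adjacent transpositions), after folding case and the separators that package indexes treat as equivalent. The approved list and the requested names are constructed, and the distance thresholds are an assumption to tune against your own allowlist.

```python
"""Flag requested package names that are suspiciously close to approved ones.

Added example: the approved list and requested names are constructed; the
thresholds are an assumption to be tuned against a real allowlist.
"""


def normalize(name):
    """Fold case and the separators that package indexes treat as equivalent."""
    return name.lower().replace("_", "-").replace(".", "-")


def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute and
    transpose adjacent characters each cost 1 (so 'reqeusts' is 1 from
    'requests', not 2 as plain Levenshtein would score it)."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def check_package(requested, approved):
    """Return ('approved', name), ('suspicious', closest approved name) or
    ('unknown', None).

    Distance 1 is always suspicious. Distance 2 counts only for approved
    names of 10+ characters, where two typos are plausible and the chance
    of an unrelated legitimate name colliding is low (assumed thresholds)."""
    wanted = normalize(requested)
    approved_norm = {normalize(n): n for n in approved}
    if wanted in approved_norm:
        return "approved", approved_norm[wanted]
    best = None
    for norm, original in approved_norm.items():
        dist = osa_distance(wanted, norm)
        limit = 2 if len(norm) >= 10 else 1
        if dist <= limit and (best is None or dist < best[0]):
            best = (dist, original)
    if best:
        return "suspicious", best[1]
    return "unknown", None


# Constructed allowlist of packages that have passed review.
APPROVED = ["requests", "numpy", "python-dateutil", "cryptography"]

if __name__ == "__main__":
    for name in ["requests", "reqeusts", "python_dateutil", "cryptogaphy", "leftpad"]:
        print(name, "->", check_package(name, APPROVED))
```

An "unknown" verdict is not a pass: it only means the name is not a near-miss of something already approved, so a new dependency still goes through the normal review before it is added to the allowlist.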


7) Supply chain attacks have become a major problem in information security, and Open Source suffers from them to a large extent. For example, in 2024 attackers introduced a backdoor into the XZ data compression utility, which is included in most Linux distributions. Their actions were detected, but had the attack succeeded, they would have gained unauthorized remote access to millions of installations.


8) The lack of technical support for some Open Source products can also deter companies that do not have a strong Linux administrator able to solve problems on their own. Given the shortage of experienced specialists, it may be difficult to find and retain such an expert.


9) Alongside the features of Open Source solutions described above, we should not forget the disadvantages of some proprietary closed-source solutions whose developers rely on the false principle of "security through obscurity" and hope that closed source code will protect the product from exploitation of its vulnerabilities.