Free software now plays a critical role across the entire computing world, and thus across the world in general. How such software is maintained has gradually become a matter of concern, prompting the US Congress to introduce a bill in 2023: the “Securing Open Source Software Act”. The Open Source journey, from a computer printer to the US Congress via the compromise of the XZ library: a look back at a fascinating story.
The tone of the “Securing Open Source Software Act” is set in its opening lines: “Open source software fosters technology development and is an integral part of overall cybersecurity”; “a secure, healthy, vibrant, and resilient open source software ecosystem is crucial for ensuring the national security and economic vitality of the United States”; “open source software is part of the foundation of digital infrastructure that promotes a free and open internet”. “Without such ‘free’ software, the Internet as we know it today would not exist, and would never have existed”, says Stormshield Technical Leader Yvan Vanhullebus. But whether the terms “free software” and “open-source software” are interchangeable remains a contentious question.
Without such ‘free’ software, the Internet as we know it today would not exist, and would never have existed.
Yvan Vanhullebus, Technical Leader Stormshield
The origins of Open Source
The first term to be adopted was “free software”. The concept was born in the United States in the 1980s, under the impetus of Richard Stallman. Prompted originally by a simple desire to be able to print a document, this fervent advocate of the “hacker” culture has gone down in history as an opponent of the privatisation of software and of increasingly restrictive legislation for users, such as the “Computer Software Copyright Act” passed in 1980.
This prompted Richard Stallman to establish the Free Software Foundation in 1985, a non-profit organisation that set out the four freedoms of free software: the freedom to run the program as you wish, for any purpose; the freedom to study how the program works, and change it so it does your computing as you wish; the freedom to redistribute copies; and the freedom to distribute copies of your modified versions to others, giving the whole community a chance to benefit from your changes. Because the English word “free” is ambiguous, Stallman’s authorised biography records his standard reply: “Don’t think ‘free’ as in ‘free beer’; think ‘free’ as in ‘free speech’.” In other words, we’re talking about freedom, not free gifts. But this ethical approach to the concept is far from unanimously accepted within the community. To end this linguistic ambiguity, American scientist Christine Peterson, then executive director of the Foresight Institute, coined the term “Open Source” in 1998. She tells the story of this critically important lexical change in a long and fascinating account. Alongside names such as Eric Raymond and Bruce Perens, she participated in the creation of the Open Source Initiative (OSI) in the same year, which abandoned the original terminology of “free software” in favour of “Open Source software”.
Don’t think free as in free beer; think free as in free speech.
Richard Stallman, programmer and free software activist
So what are the differences between “free” and “open-source” software? In terms of definitions, “free” software is defined by the user’s freedoms to use, study, modify and duplicate it, whereas “Open Source” software refers to a development philosophy under which all or part of the source code is made available for anyone to read and reuse. Open Source projects are usually overseen by one or more maintainers, but encourage external contributions such as the addition of new features, bug reports (and fixes for them), and security improvements. In other words, Open Source is a collaborative software development movement.
Open Source: a shift towards community collaboration
In order to ensure that software remains open and free, a legal framework needed to be defined. This led to the creation of several different licences. The best known is the GNU GPL (General Public License), the first version of which was published in 1989 by Richard Stallman to give the four freedoms a legal framework for the distribution of free software for the GNU project. Other licences were to follow, such as Apache 2.0, MIT, BSD and Creative Commons (the latter more often applied to content than to code), each with its own permissions and conditions on reuse.
The development of these licences enabled the emergence of many projects, such as the launch of the Linux kernel in 1991 or the release of the Netscape Navigator source code under an Open Source licence in 1998 (which served as the basis for the Mozilla suite). In 2001, Wikipedia became one of the flagship projects of the Open Source movement, with the aim of using collective intelligence to create the largest source of knowledge on the Internet. The subsequent launch of Android by Google in 2008, and the creation of GitHub in the same year, testify to the growing integration of Open Source into consumer technologies and software development infrastructures. The culmination of this adoption, at least superficially, came in 2014 in a speech by Microsoft CEO Satya Nadella that included the declaration, “Microsoft loves Linux”. In the Open Source community, however, many recall the words of his predecessor Steve Ballmer describing Linux as “a cancer that attaches itself in an intellectual property sense to everything it touches”.
From a business point of view, Open Source embodies a specific business model. If a project is Open Source, it is possible to create variants that exist beyond the control of the company; the economic model therefore revolves mainly around services and maintenance (everything except licence fees). This makes it financially worthwhile for companies to adopt open-source building blocks or applications, provided that they are well aware of the constraints of each licence, as pointed out by David Gueluy, R&D Manager and Technical Advisor at Stormshield: “The GPL licence famously requires the redistribution of any changes made to the source code. This obligation has created complex legal situations for some publishers, faced with demands that they publish all their source code – even in cases where only a very small piece of GPL code has been integrated into a very large program.” By contrast, licences such as BSD, MIT and Apache offer more flexibility, allowing companies to modify and use the code without having to share the changes. This makes it attractive for companies to use and develop Open Source projects, as confirmed by Microsoft statistics revealing that 60% of the images hosted on the Azure cloud are based on the Linux kernel or free software. “I always smile when I read yet another report that Open Source is being used more and more, or that Open Source is assuming a prominent role in so-and-such a sphere,” says Vanhullebus. “Is this genuinely a current trend, or is it something that we’re only just starting to notice now?” After all, the adoption of Open Source is a phenomenon that is sweeping across all sectors, including the design and development of cybersecurity products.
I always smile when I read yet another report that Open Source is being used more and more, or that Open Source is assuming a prominent role in so-and-such a sphere. Is this genuinely a current trend, or is it something that we’re only just starting to notice now?
Yvan Vanhullebus, Technical Leader Stormshield
The importance of opening ecosystems up safely
Like everything else, Open Source has its supporters and critics, and several topics are under debate among its critics. The first debate, which now dates back about thirty years, was whether the Open Source approach itself could even work. “From the very beginning, and the earliest projects, we were able to answer that question and settle the debate quite quickly,” says Vanhullebus. This led to a second debate, “over whether the use of Open Source tools should be reserved exclusively for long-haired geeks with glasses”. That second debate still persists in certain environments and sectors, but has clearly calmed down as Open Source projects have caught up on UX. Finally, the third debate is more specifically connected to the cyber world itself: can a cybersecurity product that uses Open Source components be reliable? The debate revolves around the fear that a cybercriminal may discover a vulnerability in publicly readable code and hold onto it with the intention of exploiting it, as with Heartbleed in the OpenSSL project (disclosed in 2014, although the bug had been in the code since 2012) or Log4Shell in Log4j (2021). Another argument advanced by critics of Open Source concerns the possibility that bad actors may contribute to an Open Source project, introducing weaknesses that could pass for simple bugs... In its 2020 Octoverse report, GitHub found that 17% of the security vulnerabilities it analysed had been introduced deliberately (backdoors and the like) rather than by accident. The compromise of the XZ library, the compression library (liblzma) that is a basic building block of Linux distributions, added to these statistics a few years later. At the end of March 2024, a Microsoft engineer, Andres Freund, alerted the Open Source community after noticing abnormal CPU usage and latency in sshd logins and tracing them to the xz 5.6.0 and 5.6.1 release tarballs, which carried a backdoor aimed at the OpenSSH server on distributions where sshd links against liblzma. Referenced since then as CVE-2024-3094, this phased attack combined social engineering (a contributor persona that spent years earning maintainer trust) with long-term preparation to insert the backdoor gradually and discreetly, through build scripts present only in the release tarballs and not in the public source repository. A potential large-scale supply chain attack, foiled just in time...
But Open Source also has its supporters; indeed, overwhelmingly so. They explain that Open Source improves security through its transparency and community collaboration. The reason is that access to the source code makes it easier to detect vulnerabilities and thus correct them as quickly as possible, compared to a “black box” approach in which visibility is limited. Gueluy agrees: “What is remarkable about the security aspect of Open Source projects is the concept that you can go and check for yourself that there is nothing abnormal in the code… no backdoor, or at least, if you do find something, you have the ability to correct it yourself”.
What is remarkable about the security aspect of Open Source projects is the concept that you can go and check for yourself that there is nothing abnormal in the code… no backdoor, or at least, if you do find something, you have the ability to correct it yourself.
David Gueluy, R&D Manager and Technical Advisor Stormshield
And this was indeed the case with Heartbleed, Log4Shell and the XZ compromise: the responsiveness and collaboration of the Open Source community were decisive in resolving them. Despite the noise surrounding the XZ compromise, it is worth pointing out that this is neither a new phenomenon, nor one specific to the world of Open Source. At the end of 2020, the Sunburst malware was found to have been inserted into SolarWinds’ build pipeline for its Orion software, and shipped to customers in signed updates. In all, up to 18,000 companies and institutions around the world are thought to have received the trojanised update. The episode clearly illustrates that closed-source, proprietary solutions are just as susceptible to supply chain compromise as Open Source ones.
This Open Source approach is also supported by public entities, such as ANSSI in France. The French agency is involved in many Open Source projects, both through the contributions of its staff and the publication of several tools. This investment “addresses a real security and sovereignty issue, that of protecting common assets and investing in technologies and solutions for the future”. In so doing, it actively contributes to the development of free software such as Linux, the Debian distribution and the Suricata engine. After all, there is no shortage of Open Source cybersecurity projects. Gueluy cites Vault, “a solution produced by HashiCorp, a company based on the principles of Open Source, which enables the secure storage of secrets”, KeePass (a password manager), TheHive (an incident response platform), the Metasploit Framework (a pentesting tool) and MISP (a cyber-threat intelligence sharing platform), which show the impact Open Source has had on the development of robust cybersecurity solutions. OpenSSL, for instance, ranked in the top 10 of the Open Source Security Index, is one of the leading communications security projects and is used both in commercial products and in Open Source solutions. “Companies are attracted to OpenSSL’s offer of access to a crypto library that is already proven and widely validated by the community, so they don’t need to start from scratch,” Gueluy explains. And here we reach the heart of the subject: creating a new product (other than a niche product) without relying on any Open Source technology would be utterly impractical, as substantial investment would be required to redevelop existing components that have taken years to build.
Once that dependence is acknowledged, a virtuous circle becomes possible: keep an inventory of the Open Source components and versions that ship in the product, audit that inventory scrupulously against published vulnerabilities, publish patches quickly when a vulnerability is found, and contribute back to the projects (patches, features, funding, etc.).
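As an added illustration of the auditing step, and not code from Stormshield or from any of the projects mentioned above, the following Python script checks a component inventory against a small advisory table. The inventory is constructed for the example; the three advisories are real (CVE-2014-0160 Heartbleed, CVE-2021-44228 Log4Shell and CVE-2024-3094, the XZ backdoor) with the affected ranges from their public advisories, but in practice the table would be fetched from a vulnerability feed such as OSV or the NVD rather than hand-written. The version parser is a deliberately simple one written for this example: it understands dotted numerics, OpenSSL-style letter patches (1.0.1f) and alpha/beta/rc pre-releases, which is enough to get the three ranges right.

```python
"""Audit an Open Source component inventory against known vulnerable ranges.

Added example, not the article's or any project's code. The advisory table
is hand-maintained here for offline use; a real pipeline would pull it from
OSV/NVD. Version comparison is a small custom parser, not a full semver.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    component: str
    cve: str
    introduced: str  # first affected version (inclusive)
    fixed: str       # first fixed version (exclusive); "" means no fix yet
    note: str


# Real CVEs; ranges per the public advisories. Later follow-up CVEs (e.g. the
# incomplete Log4Shell fixes) would each get their own entry.
ADVISORIES = [
    Advisory("openssl", "CVE-2014-0160", "1.0.1", "1.0.1g",
             "Heartbleed: TLS heartbeat over-read leaks server memory"),
    Advisory("log4j-core", "CVE-2021-44228", "2.0-beta9", "2.15.0",
             "Log4Shell: JNDI lookup in log messages gives remote code execution"),
    Advisory("xz-utils", "CVE-2024-3094", "5.6.0", "5.6.2",
             "Backdoor in liblzma shipped in the 5.6.0/5.6.1 release tarballs"),
]

# Constructed sample inventory (component, version) as a build system might emit it.
SAMPLE_INVENTORY = [
    ("openssl", "1.0.1f"),       # last Heartbleed-affected release
    ("openssl", "1.0.1g"),       # first fixed release
    ("openssl", "3.0.13"),
    ("log4j-core", "2.14.1"),    # classic Log4Shell target
    ("log4j-core", "2.0-beta9"), # earliest affected pre-release
    ("log4j-core", "2.17.1"),
    ("xz-utils", "5.6.1"),       # backdoored tarball
    ("xz-utils", "5.4.6"),       # the version distributions rolled back to
    ("xz-utils", "5.6.2"),
]

_VERSION = re.compile(
    r"^(\d+(?:\.\d+)*)([a-z])?(?:[-.]?(alpha|beta|rc)\.?(\d*))?$", re.IGNORECASE
)
_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}


def version_key(version: str):
    """Map '1.0.1f', '2.14.1' or '2.0-beta9' to a tuple that sorts correctly.

    Order: numeric parts, then release-ness (a pre-release sorts before the
    final release), then an OpenSSL-style letter patch ('1.0.1f' > '1.0.1').
    """
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    nums, letter, pre, pre_num = m.groups()
    numeric = tuple(int(x) for x in nums.split("."))
    release = (1, 0, 0) if pre is None else (0, _PRE_RANK[pre.lower()], int(pre_num or 0))
    return (numeric, release, (letter or "").lower())


def is_affected(version: str, adv: Advisory) -> bool:
    """True if version lies in [adv.introduced, adv.fixed)."""
    key = version_key(version)
    if key < version_key(adv.introduced):
        return False
    return adv.fixed == "" or key < version_key(adv.fixed)


def audit(inventory, advisories=ADVISORIES):
    """Return (component, version, cve, fixed_version) for every hit, in inventory order."""
    findings = []
    for component, version in inventory:
        for adv in advisories:
            if adv.component == component and is_affected(version, adv):
                findings.append((component, version, adv.cve, adv.fixed))
    return findings


if __name__ == "__main__":
    for component, version, cve, fixed in audit(SAMPLE_INVENTORY):
        action = f"upgrade to >= {fixed}" if fixed else "no fix available, mitigate"
        print(f"{component} {version}: {cve} ({action})")
```

Run stand-alone, the script flags four of the nine inventory entries: openssl 1.0.1f, log4j-core 2.14.1 and 2.0-beta9, and xz-utils 5.6.1; the first fixed releases (1.0.1g, 2.15.0, 5.6.2) and the pre-backdoor xz 5.4.6 pass. The XZ entry is also a reminder that a version check only catches what a published advisory describes: the backdoor was invisible in the git repository and lived only in the tarball's build scripts, so comparing release artefacts against the tagged source is a separate control worth adding to the same audit.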
Open Source, with its transparency and collaboration-based approach, is proving to be a driving force for innovation in the field of cybersecurity. However, care is required regarding the new regulatory challenge posed by the Cyber Resilience Act (CRA), due to enter into force in 2024. The aim of this regulation is to make those who place software on the market responsible for security defects in its code; although such a development is necessary to combat the black box approach, the text does not yet fully satisfy the Open Source community, which worries about how those obligations fall on volunteer maintainers… and the debate will continue to rage.