Ask an Open Source Security Expert: What Can We Learn From the Equifax Hack?
Although the most likely cause of the massive Equifax data breach was the firm’s own failure to patch a two-month-old bug, the inherent security of open source software has become a trending topic in tech news.
Mediacurrent’s resident expert, Open Source Security Lead Mark Shropshire, is well placed to join the conversation. We asked him a few questions to get his take on recent events.
1.) Hi, Mark! What can you tell us about your background with open source security?
I have over twenty years of experience as an open source developer and I’m passionate about contributing back to the Drupal community. When I’m not blogging and podcasting at Mediacurrent, you can find me organizing local Drupal events in the Charlotte, NC metropolitan area and speaking at Drupal events.
In my role as Open Source Security Lead, I work with Mediacurrent clients to build and maintain highly secure websites. Day to day, I help to keep our team informed on Drupal security best practices, standards, and trends. Even though I am focused on Drupal, I find it important to understand security through a wide-angle lens by being a critical consumer of news.
2.) The Equifax cyberattack is one of the largest data breaches in U.S. history and it has received a lot of media attention. In the initial aftermath, some were quick to blame open source software for being inherently less safe than proprietary software. What’s your take?
All software, including open source and proprietary, can include bugs and security vulnerabilities. With proper planning, maintenance, and updating, open source software can meet and even exceed the security standards of closed source.
An active open source project with defined processes around reporting and resolving security issues provides a community with confidence and transparency. Having many “eyes” on the source code can allow more issues to be discovered and resolved. The Drupal Security Team is an example of an open source project with a mature process for maintaining security of the Drupal project and drupal.org. In addition, community projects such as the Guardr security distribution help educate the community on best practices around Drupal security.
3.) Was it fair for Equifax to place the blame on open source software?
Not if Equifax neglected patching known vulnerabilities. They are in the middle of PR damage control and they are under immense pressure to explain what happened. Security issues at Equifax are probably more complex than one piece of software having a vulnerability. Processes may have failed or not existed. To the public eye, factors such as how well systems and networks are monitored and what other software remains unpatched are critical unknowns.
Dries Buytaert, the founder and project lead for Drupal, wrote a great related blog post on this subject: Don't blame open-source software for poor security practices.
4.) From a security standpoint, how can enterprises be sure that open source software measures up to other software?
In addition to a dedicated security team, tens of thousands of Drupal developers lend “extra eyes” to monitor security, ensuring timely resolution for critical bug fixes. Open source is widely adopted by industries that place a huge emphasis on security. For example, US government sites favor Drupal. Careful selection and implementation of all software, open source and proprietary, is critical to create a secure platform.
5.) What can we, the tech community, learn from this breach?
As we learn more, this may be a good case study to back security by design, a ground-up approach to developing secure software. I’m looking forward to continuing the conversation and exploring these themes in an upcoming webinar Security by Design - An Intro to Drupal Security on Thursday, October 12th. Hope you can join!