Part II: A look at the potential risks

In the second part of our blog series on the resilience of open source, we look at the risk factors and draw a conclusion from the findings of both blog posts.

Deceptive security benefits

Since the Heartbleed vulnerability of 2014 at the latest, it has been clear to everyone that the mere availability of software as open source does not in itself bring any security gain. Heartbleed was a serious security flaw in the OpenSSL library, a widely used software library for implementing the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. These protocols are crucial for the encryption and secure transmission of data on the Internet. Cryptographer and security expert Bruce Schneier described the scope of the Heartbleed bug as follows: "Catastrophic is the right word. On the scale of 1 to 10, this is an 11." Many users had relied on the security of an open source project: it is estimated that around 66% of all web servers worldwide used OpenSSL as their security library. Yet at the time, the OpenSSL library was maintained by only two part-time developers.

[Image: comic of a modern digital infrastructure, © xkcd.com | A pictorial representation for clarification]

At this point, I would like to mention that proprietary software is not free from errors either, as the CrowdStrike computer outage has clearly shown us. This worldwide disruption of computer systems on July 19, 2024 was caused by a faulty software update from CrowdStrike, one of the world's largest cybersecurity providers. Experts categorized the computer failures as unprecedented because of their global scale. The BSI (Germany's Federal Office for Information Security), which at the time assessed the threat situation as level 3 (orange) on a four-level scale, wrote: "The IT threat situation is business-critical. Massive impairment of regular operations." Many operators of critical infrastructure were also affected, such as energy suppliers, transport and traffic companies, public administration and hospitals.

Examples of resilient open source projects

There are numerous examples of successful and resilient open source projects that are used in critical environments:

  • Linux: As one of the most well-known open source projects, Linux powers servers, supercomputers and even mobile devices such as Android. Its robustness and adaptability make it a preferred choice for many companies.
  • Apache Web Server: The Apache HTTP Server is another example of an extremely reliable and widely used open source project that supports millions of websites worldwide.
  • Kubernetes: This open source container orchestration system has proven to be extremely resilient and flexible and is used by many large companies to manage their container infrastructures.
  • OpenSSL: The widely used open source software library was developed for the implementation of security protocols such as SSL (Secure Sockets Layer) and TLS (Transport Layer Security). It enables the secure transmission of data via networks and is an essential component of Internet security. OpenSSL offers a wide range of functions, including the encryption of data, the creation of digital certificates and the support of various cryptographic algorithms. Due to its flexibility and performance, OpenSSL is used in many applications and web servers.

Open source software as a robust and future-proof choice

The resilience of open source software stems from its community-driven development, transparency, adaptability and independence. These characteristics make open source software a robust and future-proof choice for companies and organizations that depend on reliable and adaptable solutions. In a world that is constantly changing, the resilience of open source software offers a key advantage in meeting the challenges of today's and tomorrow's technological landscape.

At the same time, it should be noted that continuous maintenance and further development are essential for its security. The maintenance and costs of open source software are important aspects for both developers and companies. Although it is often available for free, there are various factors that can influence the long-term costs and maintenance effort, such as community involvement, documentation, regular updates, implementation and customization, and possible training. Overall, open source software offers many advantages, including flexibility and customizability. However, it is important to carefully consider the maintenance and associated costs to ensure that the chosen solution meets individual requirements and is sustainable.

Exchange of open source software for public administration

Governikus already develops and maintains several open source projects on platforms such as "GitHub" and "Open CoDE", where the public administration can jointly develop open source software and exchange it in a legally compliant manner. For example, we provide open source software development kits (SDKs) for the AusweisApp, the eIDAS middleware and, most recently, our eID server ID Panstar. The OSCI library will also be published on Open CoDE in the near future. Governikus thus enables service providers to use these components in their own projects.

If an SDK sounds exciting for you and your applications, please contact us!
