CYBERSECURITY PADAWAN

Free Open-Source Software (FOSS) is a software category that incorporates computer programs that are freely licensed and open-source. In essence, FOSS software is free to download, use, modify or study. This article will focus on the major differences between FOSS and OSS (Open-Source Software), applicability, and the various security vulnerabilities associated with this type of software. Enjoy!

About Free Open-Source Software

In common parlance, FOSS and OSS are, at times, regarded as being synonymous if not identical. However, this is not the case; FOSS leans more on the ethical implications of software usage, distribution, and alteration, while OSS focuses heavily on the utilitarian aspects of sharing and allowing community members to alter the (original) source code. To understand these implications, we have to go back in time; to the early ‘80s to be more specific.

In 1983, Richard Stallman, an MIT graduate and computer software activist, set in motion a plan to bring software closer to the user. Stallman and his community of programmers strongly advocated for the user’s (inalienable) right to freely use, modify, and share code, rights he saw as having been invalidated by the fast-growing computer industry.

His initiative led to the creation of the GNU Project, the Free Software Foundation (FSF), and, of course, the GNU Manifesto. The work of Stallman’s community would later inspire Linus Torvalds to create the modular and monolithic Linux kernel.

FOSS (Free Open-Source Software) vs. OSS (Open-Source Software) vs. CSS (Closed-Source Software)

As you can see, FOSS is deeply rooted in computer software history, its genesis being largely an all-front reaction to how software developers licensed and ‘packaged’ their products. Why is this history lesson essential? Mostly because we can now figure out what the “F” in “FOSS” stands for – and it’s not for free, as in no cost. It refers to the fact that you, as a user, are free to copy, use, modify, or study the software without having to worry about copyright laws. So, we’ve established the following facts:

  • FOSS software is not cost-free.
  • The user is free to make changes and even share those changes with the community.
  • FOSS has a strong ethical component.
  • Linux and many UNIX-like Operating Systems can be considered prime examples of FOSS.

And now the million-dollar question: can FOSS be OSS? Or, better yet, are there any differences between Free Open-Source Software and Open-Source Software? Technically, no, but legally yes. As far as OSS goes, any type of computer program belonging to this category can be shared among the members of the community, who can alter the source code and even monetize the improved version.

Awfully similar to FOSS, wouldn’t you say? There’s just one issue here – the licensing agreement. All Open-Source Software is bound to a licensing agreement that dictates what the user can and can’t do to the software itself and, of course, the source code. For instance, some OSS developers might allow the user to alter the source code, but prohibit them from distributing or selling the altered version.

On the other hand, other devs may turn a blind eye to you altering, distributing, or monetizing the source code, but may charge you for it. There are many combinations, all of them revolving, of course, around the licensing agreement. So, some OSS can be FOSS, but not all FOSS can be OSS – makes sense, right?

Now, the best place to get additional info on software, regardless of whether it’s listed under FOSS, OSS, or anything in between, is the Free Software Directory, one of the biggest and probably oldest FOSS repositories (over 15,000 projects and GNU packages). Be sure to check them out for software downloads, history lessons, and trinkets.

FOSS is not just about waxing philosophical; it also has a practical side and a very specific goal: enriching knowledge while delivering a product that better serves the community, and what better way to do so than through collaboration. FOSS and OSS are both powered by the community.

We’ll talk more about this aspect in the upcoming section dedicated to FOSS-specific security vulnerabilities. Anyway, to make a long story short, there are both advantages and disadvantages to community-driven software RDI (Research, Development, and Improvement). To name a few, we have bug removal and tracking – since the code is readily available, it’s easier to spot and remove software bugs compared to CSS (we’ll get to that in a second). There’s also the matter of education: both OSS and FOSS stimulate learning and innovation.

Now that we have a pretty clear picture of what FOSS and OSS are, let’s talk about CSS. Short for Closed-Source Software, this software category, as its name suggests, does not allow the user to modify or in any way tamper with its source code.

CSS can only be used to perform the intended functions, all of which are defined under the licensing agreement. Oh, yes – all CSS are pay-to-use. Microsoft’s Windows is a good example of CSS – the source code is known only to those directly involved in the product’s development, and you’re required to abide by the licensing agreement in order to use the product. So, not much room for maneuver here.

After establishing the differences between FOSS, OSS, and CSS, let’s now focus our attention on security.

FOSS Software – Security Issues and Limitations

First, I think it would only be fair to talk about the elephant in the room – the code’s availability. Since the source code is part of the ‘public’ domain, anyone can have a stab at it, including hackers. What this amounts to is that applications developed in an OSS fashion may be more susceptible to exploitation compared to proprietary software. Truth or simply a myth? Somewhere in between. According to the paper “Is Open-Source Software More Secure?” by Russell Clarke and David Dorwin of the Department of Homeland Security:

(…) open-source does not pose any significant barriers to security, but rather reinforces sound security practices by involving many people that expose bugs quickly, and offers side-effects that provide customers and the community with concrete examples of reusable, secure, and working code.

What this means is that, in terms of security, there’s no clear winner between open-source and closed-source; each has vulnerabilities that may or may not be exploited by threat actors, who are generally motivated by the (potential) economic gains. So, from a security standpoint, there’s no data to support the claim that closed-source software is more secure than open-source, or vice versa.

Still, there are some things FOSS and OSS are better at than proprietary software. Since this is a community thing, tracking down a vulnerability is easier and more efficient. Think about it for a second – which is better? A hive-like community, with everyone chipping in to identify a bug, or a small, closed ‘enclosure’ with a handful of people? There’s strength in numbers and in peer review.

And because we’re on the topic of OSS and FOSS software vulnerabilities, here are a couple of them:

  • Decompress

Decompress is an OSS that made WinRAR look like an advanced math class. However, a couple of years ago, decompress was found to harbor a pretty nasty Arbitrary File Write vulnerability that would’ve enabled threat actors to write to system folders.

  • XStream

XStream is a pretty useful library for Java-to-XML serialization. A while back, it was discovered that versions before 1.14.44 were susceptible to RCE (Remote Code Execution).

  • PyYAML

We all know and love Python, and PyYAML is a great OSS project used for parsing YAML and other jobs. Still, it wasn’t without issues. Security researchers discovered that versions below 5.3.1 were vulnerable to RCE, just like XStream.
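The decompress entry above describes an arbitrary file write in an archive extractor. The usual root cause of that class of bug is an archive entry whose name contains `..` components (or an absolute path) that the extractor joins onto the destination directory and writes without checking where the result actually lands. The Python below is an added example written for this article, not code from decompress, PyYAML, or any other project named here; it shows the check an extractor should perform before writing each entry, run against a constructed in-memory zip that holds one benign entry and one traversal entry. The file names, the report format and the `run_demo` helper are all assumptions made for the illustration.

```python
import io
import os
import tempfile
import zipfile


def is_safe_member(dest_dir: str, member_name: str) -> bool:
    """Return True only if an archive entry named member_name would be
    written strictly inside dest_dir once every '..' and symlink is resolved."""
    # Absolute names (and Windows drive prefixes) can never be inside dest_dir.
    if member_name.startswith(("/", "\\")) or os.path.splitdrive(member_name)[0]:
        return False
    dest_root = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest_root, member_name))
    # Compare with a trailing separator so "/data/out2" is not accepted for "/data/out".
    return target.startswith(dest_root + os.sep)


def safe_extract(archive_bytes: bytes, dest_dir: str) -> dict:
    """Extract a zip held in memory, skipping any entry that escapes dest_dir.
    Returns a report mapping entry name -> 'written' or 'rejected'."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if not is_safe_member(dest_dir, info.filename):
                report[info.filename] = "rejected"
                continue
            target = os.path.join(dest_dir, info.filename)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            # zf.open plus a manual write mirrors what a naive extractor does;
            # the only thing standing between it and a traversal is the check above.
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            report[info.filename] = "written"
    return report


def build_sample_archive() -> bytes:
    """Constructed sample archive: one benign entry, one with a traversal name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign content\n")
        zf.writestr("../../escaped.txt", "must never be written\n")
    return buf.getvalue()


def run_demo() -> dict:
    """Extract the sample into a fresh temporary directory and report what happened,
    including whether each entry actually exists on disk afterwards (assumed helper)."""
    dest = tempfile.mkdtemp(prefix="foss-extract-")
    report = safe_extract(build_sample_archive(), dest)
    report["benign_on_disk"] = os.path.exists(os.path.join(dest, "docs", "readme.txt"))
    escaped = os.path.normpath(os.path.join(dest, "..", "..", "escaped.txt"))
    report["escaped_on_disk"] = os.path.exists(escaped)
    return report


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

The check resolves the destination and the candidate target with `os.path.realpath` before comparing them, so an entry that tries to leave the directory through a symlink planted by an earlier entry is rejected as well, not only the plain `../` case. The same idea applies to any archive format and any language: decide where an entry would land first, then write it.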

Parting Thoughts

To conclude this article on FOSS Software, let’s go through the facts one last time. Free Open-Source Software is not free, as in costless. The “Free” stands for the right to use that software for more than its intended purpose. Also, there’s no evidence to suggest that open-source is more secure than proprietary software – each has strengths and weaknesses. As always, stay tuned for awesome content, subscribe, and stay safe!
