Open Source is nothing else than free, unpaid software made available by programmers who create it. The idea comes from the end of XX century. By assumption, the Open Source software was to be created by cooperating programmers as a counterbalance for Closed Source software by distributing the base in the form of basic code free of charge for development in the sphere of science, education, law, production and many others. Open Source software products are designed to provide relatively inexpensive, user-friendly software that can be easily adapted to ones needs. Among the advantages of Open Source products are low initial costs, legality of such software, freedom to use and modify it according to user’s needs, development by a large community and faster detection and patching of vulnerabilities, free updates and faster software development. However, some of these advantages can turn into disadvantages. Development by a large community of programmers and a lack of vetting can result in people working on the program who want to introduce malware into the code. This means that Open Source software, on the one hand, is safe because of the large group of programmers working on it, but on the other hand, it can be dangerous for users for the same reason. Another disadvantage is the long-term costs of using Open Source software. These arise from situations where an immediate response to changes in the software is required and the need to call in a specialist in this area. In addition, the implementation of such software may entail the need to train employees in its use, which can also generate costs.
In mid-December 2021, a significant vulnerability was discovered in the security features of the Open Source Apache Log4 library, which was rated 10 on a 10-point criticality scale. Apache Log4 is a library for recording event logs by Java applications. It contains a mechanism allowing to search for requests using a special syntax without verification. The vulnerability is serious enough to allow cybercriminals to take control of a system very easily. It has already been exploited for attacks using malicious software to ‘mine’ cryptocurrencies. However, it is estimated that this vulnerability has been or will be exploited to attack the system by more malicious programs.
There are many ways to protect against attacks on Open Source. The simplest way is to have the newest version of the software, containing a patch that secures possible vulnerabilities. Such a solution is suggested as the first action in the case of the previously mentioned Apache Log4 vulnerability. Another way is for those responsible for the security of the company’s systems to keep track of all suspicious activity. Companies should also use software that prevents vulnerabilities in open source software from being exploited against them. In addition to this, it is also important to make regular backups, be cautious when using the Internet, regularly scan the device with anti-virus software, use two-factor authentication and use unique passwords for different sites.
Each Open Source software has a licence for use from its creators, but it is a free licence, which means that it is not necessary to grant a separate licence to each individual user. The first problem with licences for Open Source software arises already on the grounds of the law applicable to the agreement. Polish law will be applicable to a licence which has been issued by a Polish entity. Another problematic issue is the application of the so-called cross-licence in the case of licences for Open Source software. A cross-licence consists in a mutual granting of a licence for basic software by its creator to a user, and for modified software by the user to the creator of the basic software. Both these licences are royalty-free. The issue of termination of an Open Source software licence is also controversial, as some provisions of the licence contravene Polish law. Theoretically, the license for open source software cannot be terminated, because it is free and perpetual. However, there are cases when the license may be terminated: by violation of any provision of the license by the licensee or by termination under Art. 3651 of the Polish Civil Code, which is contrary to the provisions of the licence and invalid under applicable law. However, there is currently no legal solution for termination of licences.
In connection with the mentioned vulnerability in Apache Log4, the federal bodies of the US government have taken action. The White House decided to organise a meeting on 13 January 2022 with representatives of the largest American corporations such as Apple Inc., Meta Platforms Inc., Microsoft Corp. and specialists from organisations developing open source software such as Linux Open Source Foundation, Oracle and Apache Software Foundation. The meeting was aimed primarily at developing practical ways to improve security standards for Open Source software through cooperation between the public and private sectors and support for Open Source software developers, and to determine what actions can be taken to prevent dangerous situations in the future.
Sources: