Nixon Peabody LLP
    Study shows that open source software development does not ensure quick security fixes

    Dec 10, 2020

    A December 2020 GitHub report found that security vulnerabilities in open source software go undetected for roughly four years on average. Companies that rely solely on the public to find and fix flaws in the code they use may be exposing themselves to serious and prolonged risk.

    In recent years, “open source” software development has become an increasingly popular practice for technology companies. By making source code available to the general public with relaxed (or non-existent) restrictions on how it can be used or modified, open source software can increase customer and developer usage, build customer loyalty, and help develop high-quality products while keeping development costs low.

    Many companies also believe that the open source model promotes better quality control, because developers and users can “look under the hood” and diagnose errors, bugs, and needed improvements themselves. This reputation for error correction is so well established that it has its own name, “Linus’s Law,” coined by Eric S. Raymond in The Cathedral and the Bazaar (1997) and named after Linux creator Linus Torvalds: “Given a large enough beta-tester and co-developer base, almost every problem will be characterized quickly and the fix obvious to someone.” Raymond’s shorter version is “given enough eyeballs, all bugs are shallow.” In other words, the more eyeballs on a problem, the more likely an efficient and effective solution will be found. By developing in the open, the theory goes, a company maximizes the number of eyeballs and therefore produces the safest and best product possible. By contrast, under a closed-source model the code is not publicly available, and a company must rely solely on its internal development process to catch and repair defects.

    But is open source development’s reputation as a bug-buster deserved? A December 2020 report by GitHub, a Microsoft subsidiary and the largest host of open source projects, suggests otherwise. In 2020, more than 56 million developers used GitHub, creating more than 60 million new repositories and making more than 1.9 billion contributions, and 94% of projects on the platform relied on open source components. Noting the significant expansion of open source software into high-security sectors such as banking and health care, GitHub set out to test whether open source’s reputation for error correction holds up.

    What GitHub found was that vulnerabilities in open source code go undetected for about four years on average before they are identified, even with the public’s eyeballs available to look for them. Of the vulnerabilities examined, 83% were honest mistakes rather than malicious code; the remaining 17% were deliberately introduced, such as backdoors that allow remote access to a system, recover plaintext from cryptographic implementations, or read, transfer, or modify sensitive data such as passwords and user records. One caveat matters for anyone assessing risk: the 83/17 split describes intent, not exploitability. An honest mistake in a widely used library can be exploited just as readily as a backdoor once an attacker finds it. In other words, Linus’s Law has a significant blind spot: publicly available source code gives users the opportunity to find errors, but it does not guarantee that anyone is actually auditing the code, or that errors will be caught in a timely manner. With nearly one in five flaws planted deliberately and the rest sitting unnoticed for years, a company that relies solely on the public to troubleshoot the code it ships may be exposing itself to a serious and prolonged risk of harm.

    GitHub’s report is an important reminder that while the open source community can help patrol for software issues, it is not a substitute for a company’s own security controls. Companies must still carry out rigorous internal security testing and follow sound development practices both before and after a product launches. After launch, that includes knowing which open source components a product depends on and watching for vulnerabilities disclosed in them, since a four-year detection gap means a flaw may be announced long after the code was adopted. While the development community at large has an interest in promoting the security of open source software, companies must first and foremost take responsibility for their own data security.
