Surprisingly, the Canadian government attacks open source software.

The Canadian government primarily recommends open source software (OSS) and only allows closed source software as an option where the use case demands it.

The Application Architecture section of the Directive on Management of Information Technology may now be archived, but the government’s position is still clear:

C.2.3.8 Use Open Standards and Solutions by Default

C.2.3.8.1 Where possible, use open standards and open source software first

While the Guide for Using Open Source Software reiterates the government’s preference for open source software, the Canadian Centre for Cyber Security (CCCS) recently published Security Considerations When Using Open Source Software (ITSAP.10.059). No software recommendation can be as simple as open versus closed source; there are a host of other factors that must be considered when making these decisions, including the security of the software itself, the fallibility of its authors, and total cost of ownership.

The article states “while OSS can be convenient, using it can introduce vulnerabilities and security risks to your organization.” This is equally true of closed source software, which is scrutinized by far fewer eyes, making it much easier for a backdoor or a serious bug to stay hidden.

It goes on to say that “due to the nature of publicly available OSS, anyone can make changes to existing open source code.” Anyone can change their own copy of open source code, but that does not mean the change will be accepted upstream without public code review. A change submitted by a stranger is far more likely never to reach end users at all. One gets the feeling that the author is unfamiliar with the basics of open source development and with branch protection in Git hosting in general.

Risks

A quick look at the risks section does not inspire much confidence in the document:

Excessive access: Open access means the code is available to all, which creates opportunities for cyber threat actors to manipulate code maliciously. Using OSS can give threat actors opportunities to gain access to your networks and information.

Arguably this first risk should be their strongest argument, but instead it builds on the earlier erroneous assumption that code changes are accepted without scrutiny. To push code into a major project at all, one must first be granted write access as a collaborator, which is earned over time and difficult to obtain. Even then, the project’s branch protection rules normally confine contributors to their own branches and block direct pushes to the main branch. Assuming you make it this far, your code is still reviewed before it ever reaches the main branch, and it must then clear the packagers’ own review and testing before it is pushed out to end users in major distributions. Review is not infallible, and projects with lax or no protection certainly exist, but that is an argument for checking a project’s practices before adopting it, not an argument against open source as such.
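As an added example, and not code from the CCCS document, the Directive, or any particular project, the following POSIX shell script shows what “branch protection” means at the Git level, which is the point made here and in the earlier reply about anyone being able to change the code. A pre-receive hook on the server refuses any push that updates main, so a contributor can only publish a change on a branch of their own, and a maintainer has to merge it after review (the review and merge happen out of band and are not shown). The repository, the branch name feature/fix-typo, the file hello.c and the contributor identity are all constructed for the demonstration; the script needs git installed and works entirely in temporary directories. Hosted forges such as GitHub implement the same gate, plus required approvals and status checks, in their branch protection settings rather than in a hook you write yourself.

```shell
#!/bin/sh
# Added example (not from the CCCS document or any named project): a
# server-side Git pre-receive hook that refuses direct pushes to the
# protected "main" branch. Contributors may push only to their own
# branches; code lands on main only when a maintainer merges it after
# review, which is assumed to happen out of band and is not shown here.

# Write the hook into the bare repository at $1.
install_protect_main_hook() {
    hook="$1/hooks/pre-receive"
    cat > "$hook" <<'EOF'
#!/bin/sh
# Git feeds the hook one line per updated ref: <old-sha> <new-sha> <refname>.
# A non-zero exit rejects the whole push.
status=0
while read -r old new ref; do
    case "$ref" in
        refs/heads/main)
            echo "rejected: $ref is protected; submit a pull request for review" >&2
            status=1
            ;;
    esac
done
exit "$status"
EOF
    chmod +x "$hook"
}

# Exercise the hook with a throwaway server repo and a contributor clone.
# Returns 0 when the hook behaves as intended (push to the contributor's
# own branch accepted, direct push to main refused), non-zero otherwise.
demo_branch_protection() {
    work=$(mktemp -d) || return 2
    server="$work/server.git"
    git init -q --bare "$server" || return 2
    install_protect_main_hook "$server"
    git clone -q "$server" "$work/contributor" 2>/dev/null || return 2

    result=$(
        cd "$work/contributor" || exit 2
        git config user.email "contributor@example.invalid"   # constructed identity
        git config user.name "Contributor"
        git checkout -q -b feature/fix-typo
        printf 'int main(void) { return 0; }\n' > hello.c     # constructed change
        git add hello.c
        git commit -q -m "Fix typo in hello.c"

        # A push to the contributor's own branch is accepted by the hook.
        git push -q origin feature/fix-typo 2>/dev/null \
            || { echo feature_push_failed; exit 3; }

        # The same commit pushed straight to main is refused by the hook.
        if git push -q origin HEAD:refs/heads/main 2>/dev/null; then
            echo main_push_accepted
            exit 4
        fi
        echo ok
    )
    rc=$?
    rm -rf "$work"
    [ "$rc" -eq 0 ] && [ "$result" = "ok" ]
}

demo_branch_protection && echo "main is protected: feature push accepted, direct push to main refused"
```

The hook only decides which refs may be updated; it says nothing about whether a maintainer later merges the branch, which is exactly the review step the CCCS text overlooks.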

Lack of verification: There are no guarantees that qualified experts conduct proper testing and quality assurance throughout the development of OSS, or that those who review the code thoroughly check its security. This lack of verification can make your IT infrastructure vulnerable.

This may be the case for open source software, but that doesn’t mean it isn’t also true of closed source. I suspect a vast amount of closed software does not get reviewed. One needs only look at the recent coverage of Zoom to realize that their closed source software was not well reviewed. The reality is that software of either kind can ship with serious vulnerabilities. This is not an argument against open source but against unreviewed software in general.

Lack of support: Most OSS does not have dedicated support. Without a support team, updates and security patches may not be available. If vulnerabilities are discovered in the software, cyber threat actors can exploit these vulnerabilities to gain access to your organization’s network, systems, and information. Keep in mind that it is the responsibility of the project community that is maintaining the OSS to report and patch any known vulnerabilities.

This statement is misleading: any OSS can be supported, whether the project has a dedicated support team, a vendor sells support for it, or you hire a developer to maintain it, because the source is in your hands. On the flip side, consider the zero-day exploits for closed source software. You cannot fix those yourself; you are at the vendor’s mercy for a workaround and, eventually, a patch, and vendors sometimes take years to patch a bug or decide not to patch it at all. That is hardly the obviously better option.

The government’s generic arguments for and against closed and open source software are not compelling; they make no strong case for either. Though it once recommended using open source software, the government is rightly concerned with security. Unfortunately its “Security Considerations When Using Open Source Software” document attacks open source software unjustly, often presenting the strengths of OSS as weaknesses. It seems the author is unnecessarily biased, but regardless, the real argument should be that all software needs heavy scrutiny by both its authors and its users. You need to find the holes before the attackers do.

LARG*net