Considerations about open source and security


This post summarises a longer one (by Maria Teresa Delgado and Gaël Blondelle; ECL), published on OpenCert’s website, about the security aspects to take into account in open source software (OSS) in general and in the AMASS Tool Platform in particular.

As AMASS addresses a wide range of application areas (i.e. automotive, railway, aerospace, space, and energy) while implementing an open collaboration model to develop its technology solutions, it is not surprising that the community would express concern about the security aspects and the openness of the AMASS Tool Platform. But no worries! Security and openness are two orthogonal issues, and the AMASS Open Tool Platform is certainly not a liability for the development of CPS.

No direct relationship between open source and security. It is true that the OSS movement was not designed with security in mind, but also that the OSS community does believe that opening its code up for inspection will increase protection against bugs. When analysing security aspects in open source vs. closed source software, no significant differences in the severity of vulnerabilities have been found.

Closed source solutions are not necessarily more secure. The openness of OSS makes it easier for both the good and the bad guys to find vulnerabilities in the code, since it is available for anyone to review (and to fix!). However, closed models implementing a “security through obscurity” approach are not necessarily better. Security is a holistic concept that depends not only on the final result but also on the creation and maintenance process, and open source has the potential to be better than closed source software in that its security vulnerabilities are available for public scrutiny.

Projection in the AMASS context. AMASS project partners and early adopters agree that security is crucial in all tools, systems and platforms, and of course AMASS results are no exception. On the one hand, the Eclipse Development Process already covers the traceability of the code published for the AMASS tool platform. On the other hand, the AMASS open platform is supposed to be embedded in a larger environment (either a proprietary product or a specific deployment by a large organisation) where additional measures can be integrated to ensure the security of the platform.

AMASS is about tools for assurance and certification processes that can be used in several domains to improve system engineering efficiency, but AMASS is not a CPS core component, and thus the AMASS tool platform by itself is not a liability for the development of CPS. The AMASS open platform is deployed in the context of a global certification and assurance process that should consider the security risks related to the tools in order to effectively mitigate them.