Election Security Spotlight – Open Source Products

What are Open Source Products?

Open source products are applications and software that have their underlying code (the building blocks of the product) publicly available, and are typically offered at no cost. A common example of open source software is the Linux operating system. Open source products can be built by one person, or by a community of developers working together. A key difference between “free” and “open source” is the level of access to the building blocks. Social media applications like Twitter and Facebook are free to use, but their building blocks are not made public. An operating system like Linux is both free and open source – anyone can view the lines of code that are used to run it and can modify it. The use of open source code is usually governed by a license.

Why it matters

Many of these open source products are secure, widely used, and can fill an organization’s needs. There are open source solutions for most of an organization’s technological needs. Open source software for maintaining a website, creating text documents, building a database, or securing your network, is freely available and can be used by any organization. Some proprietary products that cost money contain open source code as part of their foundation. Additionally, many vendors work with open source products, charging to deploy, manage, and customize them. In these cases, you’re usually paying for the services that go along with open source software and not the software itself

Advantages of open source

• The ability for anyone to review and provide modifications to the product’s code allows for quicker discovery and patching of security vulnerabilities.
  • This also increases the odds that someone would catch an attempt to tamper with the software, though it is not a guarantee.
• The ability to download many open source products for free can help an organization with limited resources.
• Open source products may have greater compatibility (ex: the ability to work on any operating system such as Linux, Windows, and MacOS) than some proprietary products.

Additional factors to consider

• Open source products may not come fully functional “out of the box” compared to proprietary competitors, and may require an investment of time to complete the setup and maintain over time.
  • Unless provided through a separate service, these products often do not have 24×7 support you can rely on – you would have to address any issues that arise on your own or contract for it.
• Many open source products are short-term hobby projects and do not get extended support but still remain available on the internet after their developers move on.
  • This could result in exploitable vulnerabilities remaining undiscovered, or unpatched.
  • In some cases, no one person or organization has control over the source code and therefore the user would not have any assurances of the reliability and security of the code.
  • The licenses of certain software could limit its allowed use, such as for educational or non-commercial purposes.

What you can do if you do not have an IT department

• Maintain a list of which products in your environment are open source.
  • This includes knowing what open source software is used in proprietary platforms you have acquired and ensuring vendors keep those components up-to-date.
  • This is part of CIS Controls® 1 and 2 (create an inventory of hardware and software) which can help reduce the risk of a compromise.
• Only download software from legitimate and verified websites and organizations.
  • Software downloaded from illegal websites or unverified sources is more likely to be malware disguised as a free product. Alternatively, legitimate software is more likely to have been modified, resulting in a malware infection or system compromise.
  • Reach out to the EI-ISAC® ([[email protected]|[email protected]]) if you have a question on the legitimacy of software or a website.
  • Refer to the Center for Internet Security’s (CIS®) “Managing Cybersecurity Supply Chain Risks in Election Technology: A Guide for Election Technology Providers.”
• Include open source products in your patch management program to prevent malicious actors from exploiting known vulnerabilities.
• Take the same steps for evaluating and incorporating open source software into your organization that you would take for any software you would procure.
  • Refer to CIS’ “A Guide for Ensuring Security in Election Technology Procurements.”

What you can do if you have an IT department

• Reach out and ask for a list of what products being used are open source, and if they have a policy about downloading and using open source products.

—
Spotlights provide election officials with an overview of common cybersecurity topics, and how they relate to election infrastructure security. Please reach out to [email protected] to request a topic.