<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>Considerations about open source and security | The Eclipse Foundation</title>
<meta property="og:title" content="Considerations about open source and security | The Eclipse Foundation" />
<meta name="twitter:title" content="Considerations about open source and security | The Eclipse Foundation" />
<meta name="description" content="By Maria Teresa Delgado and Gaël Blondelle - Eclipse Foundation Europe GmbH
Security and openness are two orthogonal issues and the AMASS Open Tool Platform is certainly not a liability for the development of CPS
">
<meta property="og:description" content="By Maria Teresa Delgado and Gaël Blondelle - Eclipse Foundation Europe GmbH
Security and openness are two orthogonal issues and the AMASS Open Tool Platform is certainly not a liability for the development of CPS
">
<meta name="twitter:description" content="By Maria Teresa Delgado and Gaël Blondelle - Eclipse Foundation Europe GmbH
Security and openness are two orthogonal issues and the AMASS Open Tool Platform is certainly not a liability for the …">
<meta name="author" content="Eclipse Foundation and the AMASS ECSEL project partners"/>
<link href='https://www.polarsys.org/opencert/images/logo_square.png' rel='icon' type='image/x-icon'/>
<meta property="og:image" content="https://www.polarsys.org/opencert/images/logo.png" />
<meta name="twitter:image" content="https://www.polarsys.org/opencert/images/logo.png" />
<meta name="twitter:card" content="summary" />
<meta name="twitter:site" content="@AMASSproject" />
<meta name="twitter:creator" content="@AMASSproject" />
<meta property="og:url" content="https://www.polarsys.org/opencert/resources/security/" />
<meta property="og:type" content="website" />
<meta property="og:site_name" content="OpenCert" />
<meta name="generator" content="Hugo 0.37.1" />
<link rel="canonical" href="https://www.polarsys.org/opencert/resources/security/" />
<link rel="alternate" href="https://www.polarsys.org/opencert/index.xml" type="application/rss+xml" title="OpenCert">
<link rel="stylesheet" href="https://eclipse.org/eclipse.org-common/themes/solstice/public/stylesheets/quicksilver.min.css">
<link href="//fonts.googleapis.com/css?family=Libre+Franklin:400,700,300,600,100" rel="stylesheet" type="text/css"/>
</head>
<body>
<main>
<div class="container">
<div class="row">
<div class="col-md-18 padding-bottom-30">
<h1>Considerations about open source and security</h1>
<p>By Maria Teresa Delgado and Gaël Blondelle - Eclipse Foundation Europe GmbH</p>
<p>Security and openness are two orthogonal issues, and the AMASS Open Tool Platform is certainly not a liability for the development of CPS.</p>
<p><a href="http://www.amass-ecsel.eu">AMASS</a> (Architecture-driven, Multi-concern and Seamless Assurance and Certification of Cyber-Physical Systems) is an EU-funded project that has created and consolidated a de-facto European Open Tool Platform, ecosystem, and community for the assurance and certification of Cyber-Physical Systems (CPS). The tools provided by the AMASS open platform leverage both existing open source components and new open source components that are published to the community under an open collaborative model. The resulting open source ecosystem and community are managed as an <a href="https://www.polarsys.org/opencert/">Eclipse project</a> hosted by the <a href="https://www.eclipse.org/">Eclipse Foundation</a>.
As AMASS addresses a wide range of application areas (automotive, railway, aerospace, space, and energy) while implementing an open collaboration model to develop its technology solutions, it is not surprising that the community has expressed concern about the security of the platform and about its openness.
But no worries! As you will learn from this article, security and openness are two orthogonal issues, and the AMASS Open Tool Platform is certainly not a liability for the development of CPS.</p>
<p>
<img src="../../images/bernard-hermant-590572-unsplash_camera.png" class="img-responsive" alt="Close-up of a camera">
</p>
<h2 id="no-direct-relationship-between-open-source-and-security">No direct relationship between Open source and security</h2>
<p><a href="https://opensource.org/osd-annotated">Open Source (OS)</a> means that source code is distributed under a license in which the copyright holder grants users the right to access, modify and redistribute the software, to anyone and for any purpose. Nowadays, <a href="https://resources.whitesourcesoftware.com/white-papers/the-complete-guide-on-open-source-security">OS components are the core building blocks of application software</a>, providing developers with an ever-growing catalogue of off-the-shelf components that they can use to assemble their products faster and more efficiently.</p>
<p>The OSS movement was not designed with security in mind; <strong>OSS is all about open collaboration and open innovation</strong>. However, Linus’s law states that “given enough eyeballs, all bugs are shallow,” and the OS community does believe that opening code up for inspection increases protection against bugs — and often improves trust in the code. Nonetheless, <a href="http://resources.whitesourcesoftware.com/white-papers/the-complete-guide-on-open-source-security">the OSS community has evolved</a>: the vast majority of users now download OS components without ever reviewing the source code, so the number of users is far greater than the number of eyeballs. Having the source code available for scrutiny is therefore only as valuable as the number of people who actually scrutinise it — it can be a good or a bad thing depending on the size and engagement of the community, and on the user’s perspective.</p>
<p>Others have studied the correlation between security and open source in a more structured way. <a href="https://aisel.aisnet.org/amcis2009/387">Schryen</a> performed a thorough literature review on security aspects of open source vs. closed source software, concluding <strong>that the discussion is often biased</strong> by preferences for one development style or the other, and hampered by the lack of appropriate metrics, a common methodology and hard data. Schryen’s work then analyses and compares the published vulnerabilities (the <a href="https://www.mitre.org/">U.S. MITRE corporation</a> commonly refers to software bugs that attackers can use to gain access to a system or network as vulnerabilities) of a set of widely deployed open source and closed source software packages. His investigation reveals that <strong>no significant differences in the severity of vulnerabilities were found between open source and closed source software</strong>.</p>
<h2 id="closed-source-solutions-are-not-necessarily-more-secure">Closed source solutions are not necessarily more secure</h2>
<p>Security-wise, the main concern remains the attack surface of the software: all the different points where an unauthorized party could try to inject or extract data. The openness of OSS makes it easier for both the good and the bad guys to find vulnerabilities in the code, since it is available for anyone to review (and to fix!).</p>
<p>However, closed models that rely on a <strong>“security through obscurity” approach are not necessarily better</strong>. Security is a holistic concept that depends not only on the final result but also on the creation and maintenance process, and <strong>open source has the potential to be better than closed source</strong> software in terms of security, because the code is available for public scrutiny and fixes. But <strong><a href="https://www.securityfocus.com/news/19">simply being open is not a guarantee of security</a></strong>; over the past years a few examples have made this clear to the OSS community: (a) the <strong><a href="http://heartbleed.com/">Heartbleed bug</a></strong>, which put the spotlight on OpenSSL, the security toolkit used by many of the internet&rsquo;s largest sites, maintained primarily by <a href="https://www.buzzfeed.com/chrisstokelwalker/the-internet-is-being-protected-by-two-guys-named-st">two men who have never met in person</a>; (b) the <strong><a href="https://arstechnica.com/information-technology/2017/09/massive-equifax-breach-caused-by-failure-to-patch-two-month-old-bug/">Equifax breach</a></strong>, which exposed sensitive data of as many as 143 million U.S. consumers and was accomplished by exploiting a web application vulnerability for which a fix had been <a href="https://blogs.wsj.com/cio/2018/12/11/the-morning-download-house-equifax-report-cites-faulty-it-structure/">available for more than two months</a> but had not been applied; and (c) a more recently uncovered <strong><a href="https://threatpost.com/apache-struts-2-flaw-uncovered-more-critical-than-equifax-bug/136850/">Apache Struts 2 flaw</a></strong>, described as even more critical than the Equifax bug: a remote code-execution vulnerability in the popular open source Java web application framework that could lead to full endpoint and network compromise. Note that in none of these cases was openness itself the root cause: Heartbleed exposed an under-staffed maintenance effort, and Equifax a failure to apply an available patch — problems that can equally affect closed source software.</p>
<p>On the other side, closed source offers no protection against breaches either — they may simply go unreported. Think of the <strong>security incidents at Microsoft that were not disclosed at the time</strong>, for example the case in which <a href="https://www.reuters.com/article/us-microsoft-cyber-insight/exclusive-microsoft-responded-quietly-after-detecting-secret-database-hack-in-2013-idUSKBN1CM0D0">Microsoft responded quietly</a> after detecting a hack of its secret internal bug database in 2013. The 21st century has already seen plenty of <a href="https://www.csoonline.com/article/2130877/data-breach/the-biggest-data-breaches-of-the-21st-century.html">breaches</a> in both the open and the closed source worlds.</p>
<h2 id="projection-in-the-amass-context">Projection in the AMASS context</h2>
<p>AMASS project partners and early adopters agree that security is crucial in all tools, systems and platforms, and AMASS results are of course no exception. However, we have made clear <strong>that security and openness are two orthogonal issues</strong>, and we support the idea that <strong>OSS is potentially better — security-wise —</strong> because the source code is publicly available for review, provided that enough qualified people actually review it.</p>
<p>In the context of the Eclipse ecosystem, some specific efforts are already in place to reinforce the security of the AMASS open platform. The <strong>Eclipse Development Process (EDP)</strong> already covers the <strong>traceability of the code published</strong> in open source: the Eclipse IP process tracks the provenance of each contribution as well as, recursively, the provenance of each dependency. The EDP also requires that the binaries be signed during the release process. Note that these measures establish where the shipped code comes from and that it has not been tampered with in distribution; they do not by themselves find or fix vulnerabilities in that code, which still requires review and timely patching.</p>
<p>Moreover, the AMASS open platform is intended to be embedded in a larger environment — either a proprietary product or a specific deployment by a large organisation — where additional security measures can be integrated to protect the platform.</p>
<p>AMASS provides tools for assurance and certification processes that can be used in several domains to improve system efficiency; AMASS is not a core component of the CPS itself, and thus the <strong>AMASS tool platform by itself is not a liability for the development of CPS</strong>. The AMASS open platform is deployed in the context of a global certification and assurance process, and that process should explicitly consider the security risks related to the tools — including the integrity of the assurance evidence they produce — in order to effectively mitigate them.</p>
</div>
</div>
</div>
</main>
</body>
</html>