Protect your source, keep it open
The importance of securing your application to secure your reputation
By Jaco Smit
Imagine this: you are on a business trip and suddenly that question pops up: “Did I lock the back door of the house?” You are sure you locked the front door, but can’t recall double-checking the back door. Problem? Not really. Now that friendly neighbour comes in really handy. She is the only one with a key and can be trusted; after all, it was you who gave her that key. On top of that she knows where all the doors and locks are... She knows where all the doors and locks are??? Of course, we hear you think, of course she knows where all the locks and doors are. Anybody can see where they are... Really? Please, hold that thought.
The same situation, but now you rent an apartment in a building owned, built and managed by a stranger. He doesn’t let your neighbour or anybody else in to check the locks, or, even worse, doesn’t even let you check whether there are any locks at all. And if you ask for the blueprint of the building to see if there are any hidden doors into your apartment, the answer is a clear “NO”. You just have to trust him: “It is ok, I have my own people checking for holes in the security.” Would you trust him? Would you live there?
You would be surprised how many people answer this question with a yes. OK, maybe not when it comes to their living situation, but they do say yes to applications that are built on the same principle as the apartment building described above. We are talking about closed “black box” applications versus the ones that are built on “Open Source” code.
We are true believers in the Open Source philosophy. We are convinced that the open nature of our applications contributes more to security and data integrity than any “black box” application, for the simple reason that with public source code we have to be sure that things are safe. There is a world full of people out there who can and will look at our application and its foundations. So we have to work better to be safe, and “our” people in the field help us keep it safe. We think this is the best guarantee for the security and integrity of your data. And we are not alone in this:
“Vincent Rijmen, a developer of the winning Advanced Encryption Standard (AES) encryption algorithm, believes that the open source nature of Linux provides a superior vehicle to making security vulnerabilities easier to spot and fix: ‘Not only because more people can look at it, but, more importantly, because the model forces people to write more clear code, and to adhere to standards. This in turn facilitates security review.’”
“Linus’ Law” (named after Linus Torvalds, the creator of Linux) says that, “given enough eyeballs, all bugs are shallow.” What that means is that the larger the group of developers and testers working on a set of code, the more likely any flaws will be caught and fixed quickly. This, in other words, is essentially the polar opposite of the “security through obscurity” argument.
With “black box” applications we simply have to trust the creators and their skills. They keep their cards close to their chests and let no one in on their source code. On the one hand that makes it a much bigger challenge for hackers to get in (imagine the fame when hacking Microsoft Dynamics); on the other hand it also limits the number of people “testing” the application. Basically the only ones with access to the source code are those who live within the walls of the vendor and are paid by that vendor. To use the housing analogy: only the owner knows where the doors are, and he keeps the keys. With an Open Source application we have an abundant number of “independent related minds” that help us improve and secure our application. Another element is speed: the reaction time of “black box” vendors can be sluggish, simply because of their company structure. With Open Source applications the patches often come straight from the users and believers.
“A good example of reaction time was with a Linux kernel flaw. On Saturday 9 February an exploit was made public that allowed a local unprivileged user to gain root privileges on some Linux kernels (CVE-2008-0600). Within a few hours of it being reported to the kernel mailing list, on 10 February, patches were being exchanged and tested. Later the same day the patches were committed and a new upstream kernel version was released,” says Mark Cox (Leader of the Red Hat Security Response Team).
It is no news if we tell you that security and data integrity are a hot topic. With the revelations of Mr Snowden on the activities of the NSA (National Security Agency) this topic has exploded in the media. And, given the shock it caused, we expect it will continue to explode in the near future. As a result, security and data integrity have become a top priority in the board rooms of all major companies. But is it a topic in your company? Are your applications secure enough? Or do you think that the information stored in your databases is not important enough? We cannot judge that. But we want to make you aware of another thing: Social Responsibility.
Until recently we were worried about companies, individuals and even governments “spying” on us, actively and illegally searching for our company information. This could be recipes, information on prototypes, credit cards, what have you. This was mostly a concern of the big companies.
Are you aware of how much data about other companies and individuals you are storing? This could be basic address data or revenue data, up to personal data like bank accounts, phone numbers, credit cards, etc. There is a 99.99% chance that you are storing this information, be it in a specific application like bookkeeping or in a spreadsheet.
Things have changed. We think that nowadays companies have a bigger responsibility than only protecting their own data. The privacy of individuals is at stake. You should be aware that if somebody enters your system, the information of your customers, suppliers and even employees can be made public. That in turn can damage the reputation of your company severely. Whether your company has 5, 50, 500 or 50,000 employees, protecting people’s data has also become your social responsibility. We have to start thinking in another way. Now security and integrity are a priority for all companies.
Special attention is needed if your company uses a Customer Relationship Management (CRM) application. If used in the proper way, you have created a huge repository of customer data. And we all know that with the likes of “Big Data” and Business Intelligence this data, or rather information, is worth a lot to others. Are you sure that your application is secure? Are you using an Open Source based application or a proprietary system? Don’t get us wrong, we strongly encourage companies to use a proper CRM system, not only for the obvious business reasons like efficiency and increased effectiveness, but also for the fact that you are able to store all your sensitive (customer) information in one place. And one place is easier to secure than 12, right?
So, how do you protect your data and your reputation? Ask yourself the following questions:
Where do we store our data? How critical is this data (for you and for your customers)? Are the applications we are using safe? Are they Open Source or proprietary? Isn’t it time to move a step ahead by using a CRM system? Or, if you are already using a CRM system, is it an Open Source application? How can we migrate to an Open Source application?
Be proactive and investigate the possibilities. After all, your reputation is at stake. Don’t forget we live in a world where bad news travels fast and, with the help of social media, reaches further than you could ever have imagined. We suggest you look at an Open Source CRM application that can help you protect your reputation and that will support you in taking your social responsibility.
Now, did I or didn’t I lock that back door?