By: Alexia Roney
On April 25, 2022, Elon Musk reached a deal to buy Twitter, Inc. for $44 billion. Among the changes to the platform, Musk has floated making the algorithm that prioritizes tweets "open source," so that the public could view and improve it. This prompted articles in major news media about the security of open source software. So, what is open source, and should a regular business selling widgets be concerned?
Open source software is software whose source code is published so that anyone can inspect, modify, and enhance it. It is typically developed collaboratively and is often free or inexpensive to use. The Linux operating system is the quintessential example. But should a business care? Yes.
The relatively low cost of open source software is attractive to business. However, even if a business has not deliberately adopted an open source program, it has almost certainly installed third-party software packages that include open source code. A recent White House briefing noted that open source code is "ubiquitous across every sector of our economy…." Proponents argue that open source software is more secure than proprietary software because so many eyes are on the code to catch vulnerabilities, but this is not foolproof. In December 2021, a widely used open source logging library for Java (Log4j) was found to contain what one industry executive called "the single biggest, most critical vulnerability in a decade." For that reason, cybersecurity experts consider open source code a third-party risk that is often overlooked in IT cybersecurity management.
So, what should a business do? Consideration of vulnerabilities specific to open source code must be part of your company's data security risk management. This means assessing whether and to what extent your business's software portfolio uses open source code (an inventory of components and their versions), monitoring the open source community and vulnerability feeds for newly disclosed issues in those components, and keeping the open source code up to date. This last task is essential. In an April 2022 report issued by the Synopsys Cybersecurity Research Center, 88% of the codebases audited contained out-of-date open source components. Synopsys detected at least one known vulnerability in 81% of the codebases, and 49% had at least one high-risk vulnerability.
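The three steps above (inventory, monitor, update) are what a software composition analysis tool automates. The following is an added example, not code from this article or from Synopsys: it reads a constructed dependency manifest, checks each component against an advisory list and a list of latest known releases, and reports what is vulnerable, out of date, or unknown. The Log4j advisory entry reflects the real CVE-2021-44228; the `com.example` and `org.example` components, the `EXAMPLE-2022-0001` advisory, and the "latest release" table are constructed for illustration. In practice the advisory and release data would come from a vulnerability feed and the package registry rather than hard-coded tables.

```python
"""Minimal open source inventory check (added example, not the article's own tool).

Parses a Maven-style manifest of groupId:artifactId:version lines, compares each
component against an advisory list and a latest-known-release table, and returns
findings a risk manager can act on.
"""
from dataclasses import dataclass
import re

# Constructed sample manifest for a hypothetical widget-ordering application.
SAMPLE_MANIFEST = """\
# third-party components bundled in the widget ordering app (constructed)
org.apache.logging.log4j:log4j-core:2.14.1
com.example:widget-json:1.4.2
com.example:widget-core:3.2.0
org.example:internal-widget-lib:1.0.0
"""


@dataclass(frozen=True)
class Advisory:
    id: str
    component: str      # groupId:artifactId
    affected_min: str   # inclusive lower bound of affected versions
    fixed_in: str       # versions >= fixed_in are not affected
    severity: str


# Advisory list. The Log4j entry is the real CVE-2021-44228 (Log4Shell): log4j-core
# 2.0-beta9 through 2.14.1 was affected and 2.15.0 was the first fix, although
# follow-up CVEs mean 2.17.1 or later is the version to actually move to.
# EXAMPLE-2022-0001 is a constructed advisory for a constructed component.
ADVISORIES = [
    Advisory("CVE-2021-44228", "org.apache.logging.log4j:log4j-core", "2.0", "2.15.0", "critical"),
    Advisory("EXAMPLE-2022-0001", "com.example:widget-json", "1.0", "1.5.0", "high"),
]

# Latest known releases (constructed table; normally fetched from the registry).
LATEST = {
    "org.apache.logging.log4j:log4j-core": "2.17.1",
    "com.example:widget-json": "1.5.0",
    "com.example:widget-core": "3.2.0",
}


def parse_version(v: str) -> tuple:
    """Split '2.14.1' or '2.0-beta9' into a comparable tuple.

    Numeric pieces become (1, int); textual pieces such as a pre-release tag
    become (0, str), so they sort below any numeric piece at the same position.
    """
    return tuple((1, int(p)) if p.isdigit() else (0, p) for p in re.split(r"[.\-]", v))


def version_lt(a: str, b: str) -> bool:
    """True if version a is strictly older than version b.

    Shorter tuples are padded with (1, 0) so that 2.0 == 2.0.0 and 2.0-beta9 < 2.0.
    """
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    pa += ((1, 0),) * (n - len(pa))
    pb += ((1, 0),) * (n - len(pb))
    return pa < pb


def parse_manifest(text: str) -> dict:
    """Return {groupId:artifactId: version} from groupId:artifactId:version lines."""
    deps = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        group, artifact, version = line.split(":")
        deps[f"{group}:{artifact}"] = version
    return deps


def audit_manifest(manifest_text: str, advisories=ADVISORIES, latest=LATEST) -> list:
    """Produce one finding per problem: vulnerable, outdated, or unknown component."""
    findings = []
    for component, version in parse_manifest(manifest_text).items():
        for adv in advisories:
            in_range = (adv.component == component
                        and not version_lt(version, adv.affected_min)
                        and version_lt(version, adv.fixed_in))
            if in_range:
                findings.append({"component": component, "version": version, "kind": "vulnerable",
                                 "id": adv.id, "severity": adv.severity, "fix": adv.fixed_in})
        newest = latest.get(component)
        if newest is None:
            # No release data at all: the component is not in the inventory's known set
            # and needs a human to decide whether it is open source and who maintains it.
            findings.append({"component": component, "version": version, "kind": "unknown"})
        elif version_lt(version, newest):
            findings.append({"component": component, "version": version, "kind": "outdated",
                             "latest": newest})
    return findings


if __name__ == "__main__":
    for f in audit_manifest(SAMPLE_MANIFEST):
        print(f)
```

Running the script on the constructed manifest flags log4j-core 2.14.1 twice (vulnerable to CVE-2021-44228 and behind the latest release), flags the constructed widget-json component the same way, marks the internal library as unknown, and reports nothing for the component that is current and has no advisory. That is the shape of the inventory the article calls for: the list of what to update first, ordered by severity.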
The potential open source release of Twitter's algorithm raises security risks that most businesses do not confront, such as hostile actors studying the code to game Twitter's ranking system or to find flaws that could be used against users' communications. But at least for now, Twitter's impending sale is serving the useful purpose of raising awareness of open source as an issue for IT security risk management.