The general focus of security has always been on restricting access to prevent unauthorised intrusion into something. Whether it’s locking the physical doors of a house or sealing an organization’s digital network, security has always been about creating a closed environment. However, in recent years, the advent of open source software and hardware has challenged this closed-door approach to security, with organisations relying on publicly available code to deploy within their networks and build applications.
Open source is the use of open and freely available code by organisations, and it has grown in popularity in recent years, with recent data from the Synopsys Open Source Security and Risk Analysis Report revealing that 78 percent of code in codebases today is open source. When considering the advantages of open source, consider that not only is the code free to use, but it also provides organisations with greater transparency because they can see the source code they are using and assess its security for themselves.
They can also see code changes and collaborate with developers to improve it. Furthermore, because so many organisations use the same piece of code, bugs and weaknesses are frequently identified faster, and the user community will provide expert advice to remediate them. This means that there are more good eyes on the code, all of whom are motivated by the same goal of making it as secure as possible.
Tesla is one of the most prominent organisations that supports open source, with its CEO, Elon Musk, opting to open source its code in 2018. Musk recognised that the world’s future will be heavily reliant on electric vehicles, but that in order for the vehicles to succeed, people must invest in their security. In response, Musk made Tesla’s software open source, allowing others to build their cars on its foundations while remaining confident in its security.
Musk was following in the footsteps of many other organisations, such as Facebook, Microsoft, and Google, all of which had reaped benefits from open source projects. These tech leaders not only open their networks to security researchers via bug bounties and security assessments, but they also fund open source projects and have teams dedicated to open source initiatives.
For example, the Digital Security by Design (DSbD) programme will create a new, more secure hardware and software ecosystem to radically update the foundation of the insecure digital computing infrastructure. Morello, the first hardware implementation of DSbD technology, has already been delivered by the DSbD programme as a prototype system on chip (SoC) and development board. The Morello board is a real-world test platform for Arm’s Morello prototype architecture, which is based on the CHERI protection model developed by the University of Cambridge Computer Lab.
CHERI aims to provide deployable performance and compatibility with minimal changes to existing software and hardware: recompiling existing C/C++ with mild adaptation can protect pointers with capabilities. To improve security and encourage testing, this combines hardware implementation, a full software stack, and adaptation of widely used open source software.
For years, the aviation industry has recognised the open source mindset. When an aviation incident occurs, airlines do not hide behind them; rather, the entire aviation industry collaborates to investigate the incident and build safer planes. Because of this sense of community, air travel is now the safest mode of transportation.
