When the Federal Financial Institutions Examination Council released its Cybersecurity Assessment Tool in 2016, I couldn’t quite understand the intent behind open source software being called out as one of the inherent risks.
Recently, I was thinking about factors that likely impact the macro landscape of cyber insurance risk. By that I mean how cyber insurers would go about measuring the likelihood of a catastrophic scenario that harmed most or all of their insured clients at the same time. Such a thing is not unreasonable to imagine, given the homogeneous nature of IT environments. The pervasive use of open source software, both as a component in commercial and other open source products and directly by organizations, expands the potential impact of a vulnerability in an open source component, as we saw with Heartbleed, ShellShock and others. It’s conceivable that all layers of protection in a “defense in depth” strategy contain the same critical vulnerability because they all contain the same vulnerable open source component.
In a purely proprietary software ecosystem, it’s much less likely that software and products from different vendors will all contain the same components, as each vendor writes its own implementation. This creates more diversity in the ecosystem, making a single exploit that impacts many I don’t mean to imply that proprietary is better, but it’s hard to work around this particular aspect of risk given the state of the IT ecosystem.
I don’t know if this is why the FFIEC called out open source as an inherent risk. I am hopeful their reasoning is similar to this, rather than some assumption that open source software has more vulnerabilities than proprietary software.