OPEN-SOURCE CODE SECURITY: WHAT IT MEANS FOR TELTONIKA NETWORKS
#security, #rutos, #rut
One of the key features of our products is their software. At Teltonika Networks, we use our own in-house software (RutOS) based on OpenWRT – which is itself open-source. If you’re not a computer engineer, code being “open-source” means that it’s publicly available for inspection and scrutiny, as opposed to closed-source code, which is hidden and, therefore, unavailable.
The software code of Teltonika Networks would not be considered open-source, as it has deviated greatly from OpenWRT on which it’s based, and we do not publicly share our code in its entirety (we share certain parts due to the GNU General Public License). However, being based on an open-source project does raise the following question: does it mean our code is less secure?
In short – no.
LESS IS NOT MORE
In the world of security, cyber or otherwise, information is often king: the less information others have, the more secure you are. Applying this logic to the open-source vs. closed-source code debate, the basic assumption is that closed-source is more secure because it isn’t directly accessible to cyber attackers. However, this assumption is incorrect – primarily because attackers don’t actually need the source code to find security vulnerabilities. This doesn’t mean the source code can be removed from the security conversation, only that it isn’t as critical an element as you might assume. In addition, a skilled cyber attacker can reverse-engineer closed-source code using a number of known tools and methods if needed, meaning that just keeping the code hidden is not a guarantee of security.
It’s also important to note that being open means being more aware of your vulnerabilities and taking the necessary steps to ensure your security. These vulnerabilities can be less obvious in closed-source software, and it can be easy for its engineers to assume that being closed is, by itself, a security measure, and that additional security measures are more of an option than a requirement. In other words, the developers of closed-source software can get too comfortable with its closed nature. It’s for this very reason that we conduct periodic third-party security assessments, such as the recent testing performed on RutOS by NTT Security Holdings.
MORE IS MORE
Open-source software has a significant security benefit that closed-source software does not: public security. To put it simply, since open source is widely available and used, more people in the industry have the incentive to continuously ensure its security. When everyone can see the treasure, more eyes are watching for anyone trying to steal it. Vincent Rijmen, a developer of the Advanced Encryption Standard encryption algorithm, explains that open source is better for more easily spotting and fixing security vulnerabilities, “Not only because more people can look at it, but, more importantly, because the model forces people to write more clear code, and to adhere to standards. This in turn facilitates security review.”
A good example of this is the Open Source Security Foundation, a cross-industry organization committed to advancing open-source security for all. Such initiatives make it so it isn’t only the source code that’s openly available, but also the tools, services, training, infrastructure, and resources needed for its security.
EFFORT BEYOND CODES
Security is only one of the reasons we chose to base our software on OpenWRT. Teltonika Networks’ Head of Security, Deividas Vyšniauskas, explains it best: “Stability, performance, and flexibility were also key deciding factors, as well as a positive reputation among network and security engineers alike. From that starting point, the deviation was necessary, as we wanted to create a versatile firmware with many capabilities that will meet all sorts of industry needs.”
In summary, the security of software isn’t a function of whether its code is open-source or closed-source. Neither type of code, by itself, is a guarantee of anything. Rather, it’s the circumstance and open nature of open-source code that drives the increased collective efforts to keep it secure. More hands work with it, and so more hands care about it.
This very much resonates with us, as Teltonika Networks is founded upon the principle of connectivity for the progress of all – by all. Our software is based on open code, and we’re not merely confident in its security. We’re proud of it.