
THE TRUE COST OF OPEN SOURCE SECURITY SOFTWARE FOR THE INTERNET OF THINGS

THE RISKS AND HIDDEN COSTS OF “FREE” OPEN SOURCE SECURITY

Mocana Corporation Copyright 2017 www.mocana.com

IS OPEN SOURCE SECURITY SUITABLE FOR MISSION-CRITICAL IOT?

According to analysts, there will be more than 20 billion connected devices by 2020. Already, there are more than eight billion Internet of Things (IoT) devices, including connected vehicles, industrial manufacturing and agricultural devices, medical and fitness devices, electricity and gas smart meters, and home and building automation systems.

How do we ensure that these connected systems are safe and reliable? With safety, reliability and lives at stake, we must make sure these systems are protected. According to a recent study by Black Duck [i], more than 55% of companies leverage open source software (OSS) for production infrastructure, an increase of 65% from the prior year.

WHY OPEN SOURCE SECURITY?

Why are companies selecting OSS for production applications? According to the study, businesses are using OSS to improve the quality of their solutions; leverage competitive features and technical capabilities; and customize and maintain their applications by having access to source code.

While using open source for operating systems, databases and software development tools has been broadly adopted, numerous vulnerabilities in these platforms are found every year. In 2016, the Mitre Group reported [ii] 6,447 vulnerabilities in hardware and software platforms. In 2017, an astounding 13,653 vulnerabilities in computer systems have been found.

One of the challenges with using open source security software is that when a vulnerability needs to be fixed, you rely on the community to find the problem and patch it. This can take just a few days, or it may never be patched at all, depending upon the severity and complexity.

RISKS OF OPEN SOURCE SECURITY

Open source security software for IoT can be risky due to the number of vulnerabilities found as well as the unpredictable timeframes to identify vulnerabilities, provide a fix and update the affected systems.

Vulnerabilities

Open source cybersecurity software such as OpenSSL, WolfSSL, MbedTLS and LibreSSL have had more than 200 published vulnerabilities. Of those vulnerabilities, OpenSSL is responsible for 184, most of which still have not been patched. In 2016 alone, OpenSSL experienced 34 vulnerabilities, at a rate of nearly three vulnerabilities per month. Each of these vulnerabilities requires attention and represents significant risk and a drain on resources to the companies that use open source software for security across their product lines.

Slow Remediation

According to a security report [iii], most companies take an average of 100-120 days to patch vulnerabilities. According to the OpenSSL Foundation, it takes on average 40 days to release a security patch from the day they find out about the vulnerability.

This slow and unreliable remediation situation simply increases the likelihood that a hacker will exploit the vulnerability. According to the same report, the probability of a vulnerability being exploited is 90% between 40-60 days of discovery.

Compliance

Depending upon the specific industry, companies must comply with a number of cybersecurity standards. Several standards exist, including IEC 62443-3-3, NERC CIP 003-3 and the Industrial Internet Consortium IISF. Additionally, in order to do business with the government, companies must comply with NIST FIPS 140-2.

The challenge with many community-supported open source projects is that, because development is often funded by gracious sponsors and performed by volunteers, maintaining compliance with standards can be difficult. For example, after the bug was found in OpenSSL in 2014, the OpenSSL Foundation embarked upon a significant restructuring of the software. As such, the OpenSSL Foundation needed to upgrade its FIPS 140-2 validation. Safelogic agreed to fund the development in 2015. In 2017, Safelogic ceased its funding [iv] of the project, and the lead engineer in charge of FIPS validation left OpenSSL.

So, companies using OpenSSL that want to take advantage of the new OpenSSL 1.1 software will have to wait until a new OpenSSL volunteer willing to lead the charge, and funding, is found. This significantly impacts a company's ability to sell to the government.

In France, the government, citing concerns over GDPR liability, recommended that a major manufacturer remove OpenSSL and replace it with a non-open source cybersecurity software solution.

DOES OPEN SOURCE SECURITY SOFTWARE ENABLE DEVELOPERS TO INNOVATE FASTER?

The ability to download OSS for free allows developers to rapidly begin developing their application. In some cases, open source software is well-documented and fit for purpose. In other cases, OSS can appear to be inefficient and poorly documented. The quality of the software and documentation impacts both the time it takes to develop an application and the performance of the application due to inefficiency.

Lack of Detailed Developer Documentation

Detailed API documentation, user guides, clear coding guidelines and sample applications are essential to develop applications that are efficient and compliant with standards.

Lack of Integration with a Broad Range of Chipsets and Operating Systems

Open source security software is oftentimes no more than an SSL library that is used to establish a secure connection between a device and an HTTPS server. Today's complex embedded security technologies such as TPM, HSM, Arm TrustZone and Intel SGX, as well as crypto accelerators, must integrate with the applications. Supporting a broad range of chipsets and operating systems is important.

Using open source security software rather than a more complete full-stack solution puts the burden on the developer to address the larger issues of device and data trustworthiness. Device and data integrity, secure communications beyond SSL, and advanced authentication must be addressed with other solutions or in house.


WHAT IS THE COST TO SUPPORT OPEN SOURCE SECURITY SOFTWARE? While open source software may be free to download, significant costs exist to use, manage and maintain the software during the various stages of software development: development, testing, QA, compliance certification, production and maintenance.

While these numbers are purely budgetary, they are based upon research that Mocana has done with its customers and partners that use open source security software.

OpenSSL Support Cost Comparison

                                      OpenSSL        Mocana
Pre-purchase Cost
  Training Cost                       $20,000        $20,000
Software Development Cost
  Total Cost/Year                     $1,271,000     $462,500
Lifecycle Management Cost
  Total Cost/Year                     $786,000       $280,500

Total Cost/Year                       $2,057,000     $743,000
Cost Savings                                         $1,314,000

Training

Training your development team is essential to ensure that product engineers and software developers get up to speed as quickly as possible. This training expense is an estimate for two weeks of training for up to eight people.

Software Development

Software development costs vary widely. These open source software development costs include headcount for nine months for a program manager, security architect, three developers, two QA engineers, and FIPS validation.

The software development cost savings come from fewer headcount and lower expenses for FIPS validation.

Lifecycle Management

Lifecycle management includes the ongoing costs to evaluate, test and patch up to three OpenSSL CVE vulnerabilities per month.

Note that Mocana has zero attributed vulnerabilities in the Mitre Group CVE database from 2002 to 2017. We have reduced the lifecycle management costs accordingly.

Summary

The market is moving to a connected world of billions of IoT devices. Securing the IoT is challenging. While companies have looked to open source security software, significant risks and hidden costs exist. Mocana provides a comprehensive IoT security software solution that is used by more than 200 manufacturers and IoT companies to protect more than 100 million devices.

References:

i. 2016 Future of Open Source Survey Results, Black Duck
ii. Mitre's Common Vulnerabilities and Exposures via CVE Details, http://www.cvedetails.com/browse-by-date.php
iii. Kenna Security's Gap Report, https://www.infosecurity-magazine.com/news/companies-average-120-days-patch/
iv. FIPS 140-2: Thanks and Farewell to Safelogic, https://www.openssl.org/blog/blog/2017/08/17/fips/
