Feeling secure enough to use open source for IAM projects

Identity is big, really big, especially when it is customer facing. There are a lot of moving parts to build, pieces to hook up, and external functionality to integrate. The whole makes the identity ecosystem which was once a dream of a few but is fast becoming a reality for many.

Part of this movement towards a more all-encompassing and task-driven identity data system is the use of an API-approach to identity. These core functional API components are then augmented using open source code to add the bells and whistles. This extends the functionality of the service, quickly, cost-effectively, and easily.

The thing is, as usual, with the swings come roundabouts. Identity data is a powerful engine that will drive our online transactions to new heights of usability and assurance. However, it comes with a serious price tag. Identity theft is at an all-time high. According to figures from Javelin, 2017 was a record year for stolen identity. In the U.S 16.7 million people had their identity stolen and fraudsters are becoming ever more sophisticated. One of the reasons for this is the increasing use of online identity, used for high value transactions, that has software vulnerability issues.

If we add open source code into a complex ecosystem required by a modern IAM service – what do we need to consider?

The wonders of open source and IAM

Building a system that uses identity to drive online tasks has many parts to the whole. To save time, money, and effort, it is often useful to turn to the open source community for some of the pieces of the IAM jigsaw. Open source offers a deep well of functionality; it can make you feel like a kid in a sweet shop when you first dive in and take a look. It saves your company from re-building the wheel, adding in the functionality that you need that may be specific to your IAM design. Some typical areas where you might use open source in an IAM project include:

• Email handling
• PHP router
• RESTful frameworks
• Forms to capture personal data
• Plugins and CMS for account management and administration dashboards
• Data analytic dashboards
• DevSecOps monitoring and alert systems

The worries of open source and IAM

In a 2018 DevSecOps study by Sonatype, they identified Open Source governance tools as being one of the most critical tools needed for application security management. In terms of the use of open source in your IAM projects there are a number of considerations, the main ones are:

1. Maintenance: Gartner, who advocate the use of open source for IAM projects, strongly suggest having a maintenance and support plan in place for any open source code used.
2. Security: Commercial software has vulnerabilities and its open source cousin no less so. Software vulnerabilities in one part of the identity ecosystem could cause catastrophic security issues in core areas, leaking data. Tools that provide OS vulnerability management are, as identified in the Sonatype study, an important aspect of adding open source functional extensions to the wider identity ecosystem.
3. Spaghetti code: Many cooks spoil the broth and many coders, over many iterations, can create spaghetti code. Spaghetti code is messy and using it causes developers serious headaches as they try to fix bugs, etc. In a system that can deal with multiple millions of users’ sensitive personal data, you need to ensure you have control over your code. Code reviews for both internal and open source code are crucial.
4. Longevity: Open source is a very powerful option. But if a code base is abandoned, you may end up having to take on the upkeep of the code or create new code from scratch.

Using open source safely

As IAM systems grow and reach out to a wider audience, performing more critical online transactions, they will require increased functionality. Using open source software is a great way to plug functional gaps in a cost-effective and quick to market manner; it gives a solution architect and their team a much needed “bag o’ tools’ to play with. This toolset is even more crucial in a complex customer IAM system – customer IAM system need to have multiple additional parts to manage everything from omnichannel communications to myriad verification calls by third parties.

However, software vulnerabilities and spaghetti code can quickly become a nightmare unless contained and managed. Instead of your functionally rich identity service, you could end up with a cybercriminal’s dream. An IAM system with many moving parts means many potentially opens doorways and weakest links. To build secure code that grows with your vision you need to engage in code maintenance. Using knowledgeable organizations and services to check both your in-house and open source code during the lifecycle of your development is critical to creating secure identity services.