Using open source for identity projects: 8 considerations

Consider these eight points to decide whether you can securely use open-source code in your identity management projects.


The use of open source in the enterprise is booming as organizations seek to reduce time to implementation and, they hope, cost. A 2019 Red Hat report, “The State of Enterprise Open Source,” found that 95% of respondents considered open source “strategically important.”

When looking at the applications of open source in an enterprise setting, however, identity management does not always seem like a natural home. This may be because identity-related services are arguably among the most complicated systems to design and build. Can open source be used wisely in an identity context while maintaining both security and usability?

8 considerations when choosing open source for identity projects

Thoughts about using open source often turn to fear, uncertainty and doubt (FUD), and not without reason. The Equifax breach of 2017, in which attackers exploited an unpatched vulnerability in the open-source Apache Struts framework, is a good example of why FUD persists; the 2018 wave of brute-force attacks against admin logins of the open-source Magento platform is another.

There are very good reasons to use open source. Someone else has done the groundwork, so your developers don’t have to, and in theory many people (the open-source community) have read and verified the code. But community review and unit testing are not the same as functional testing, and therein lies the rub. Identity-led services are often multi-functional systems, and the myriad user journeys and alternative pathways that functional testing must exercise can take the code down twists and turns that expose exploitable flaws.
