What are the security risks of open sourcing the Twitter algorithm?


It has been just over a month since Elon Musk announced his intention to open source the Twitter algorithm to increase transparency of the platform’s use of artificial intelligence (AI) and machine learning (ML) to promote or demote posts. 

The decision has generated a lively debate on all sides, as well as in the security industry, where experts are divided on whether open sourcing the algorithm will be a net positive for security or not.

According to critics, Musk’s idea to take Twitter open source could expose vulnerabilities in the site on the scale of Log4Shell and Spring4Shell. Yet for supporters, the decision could even enhance the platform’s security. 

The bad: Attackers may have a chance to find entry points 

One of the largest security risks of making the code open-source is that it provides threat actors with a chance to analyze it for security vulnerabilities. 

“Open[ing] up Twitter’s recommendation algorithms is a two-edged sword. While having more eyes on the code can promote better security, it also leaves the door open for malicious researchers to gain insights they wouldn’t ordinarily have,” said Mike Parkin, senior technical engineer at Vulcan Cyber. 

As a cyberrisk management specialist, Parkin suggests that opening the recommendation algorithm could enable “disinformation” to spread further on the platform as interested parties learn to manipulate it and sidestep moderators’ checks and balances — while leaving users with multiple versions of the platform to patch. 

The good: Increased transparency to mitigate vulnerabilities  

On the other side of the debate, other analysts and security experts argue that increasing transparency over the platform is a positive, because it gives the platform’s user base a chance to play a role in vulnerability management. 

Instead of Twitter having a small team of researchers managing vulnerabilities, opening the code could potentially provide them with support from thousands of users, who can help improve the platform’s security and integrity. 

“When discovering vulnerabilities in software, access to source code is analogous to a doctor having access to an MRA when diagnosing illness. An ‘inside-out’ view will always be more useful and complete than one formed by looking only from the outside in,” said Casey Ellis, founder and CTO at Bugcrowd. “We see this all the time in crowdsourced security testing, and the security advantage for Twitter will be more thorough feedback from the crowd around issues that need to be fixed.”

Ellis adds that while open sourcing does give attackers an opportunity to identify vulnerabilities, whether the security implications are positive or negative will come down to Twitter’s ability to ingest vulnerability information and fix flaws before they are exploited. 

How enterprises can help mitigate the risks 

While it remains unclear what impact open sourcing the algorithm will have, there are some simple steps organizations can take to help mitigate the risks. 

Principal security strategist at Synopsys Software Integrity Group, Tim Mackey, believes that an open-source governance program could help to address the risks effectively.

“Businesses can mitigate some of that risk by identifying which open-source components are powering the Twitter open-source technologies and then implementing an open-source governance program for them,” Mackey said. “Such a program would proactively monitor for new vulnerability disclosures for these components, and enable a business to react quickly to the change in risk. This is similar to the proactive model some businesses used to minimize their exposure to the Log4Shell vulnerability.” 

Mackey recommends that enterprises implement an open-source governance program for the open-source components powering Twitter’s technologies, to proactively monitor for new vulnerability disclosures so that security teams are prepared to address them. 

Originally appeared on: TheSpuzz