
Will open source software make your business more secure?


In the Internet technology and business world, one question has been hotly debated for at least twenty years: is open source software more or less secure than its closed, purely commercial counterparts?

Supporters of the open source development model will say that open source software is more secure, as it is jointly developed by a community of people who can check each other’s work. Furthermore, each of its users can inspect the source, discover both unintentional vulnerabilities and intentional backdoors, and even fix them independently.

Open source also shields its users from the risk of changing commercial conditions: no vendor can lock you into ever-rising pricing schemes or simply withdraw an application that is vital to you. At most, an open source vendor can stop working on it, but you still have the code to keep it alive and even develop it further.


Opponents of open source will reply that the community behind this kind of project often boils down to a couple of overworked, underfunded, distracted developers sitting in a basement, amateurish in their approach to software testing and release; and that, if anything goes wrong, the users of the application will have no one to blame (or to sue).

Also, while you can in principle scrutinize and enhance the code, this is not what you usually do when you choose a piece of software; checking the code of a big application line by line is a daunting task that only makes sense in very special cases, such as military use; and if the open source project you rely upon dies of resource starvation, you may not want to keep investing in it anyway.

Another point of discussion is whether full transparency of an application’s code makes it more or less secure. This issue, however, seems to be settled for good: almost everyone agrees that “security by obscurity” is not a great idea. Even the most secret and valuable pieces of information end up being exposed sooner or later, usually by mistake, through social engineering, or via other non-technical tricks. Thus, security should be intrinsic to the design and should not rely on any secret in the code, but only on credentials (passwords, keys, etc.) that are kept outside the code, can be secured more easily, and can be changed when necessary, and on well-known and tested algorithms.


Moreover, if there are vulnerabilities that can be detected immediately by looking at the code, opening the source up makes them much more likely to be caught quickly. Other bugs and vulnerabilities are not discovered by reading source code, but rather through routine tests, corner-case experiments, and specialized tools such as interactive disassemblers; in that case, the availability of the source code makes no difference.

Finally, the security of any algorithm should not rely on its secrecy, but on sound logical and mathematical premises. In fact, formal security analysis, which describes a software algorithm or protocol through symbols and analyzes the security of that abstract model, is an increasingly popular way to detect problems. For this purpose, withdrawing the logic of your software from public scrutiny is actually counterproductive; relying on public, widely confirmed best practices and research results is much better.

Is open source more secure?

So, what is the bottom line: is open source software more or less secure than commercial applications? The honest answer is that open source has some security advantages over closed source, but in the end, the availability of the code is not the primary factor that determines the security of an application.

What really makes a difference in the security of an application is how carefully that security is designed, tested, and kept up to date by those who make it; how many resources are invested in it; and how important it is considered by the development team.

You can find very secure and very insecure applications in both worlds, so you should look carefully for trusted software makers in both of them. Still, there is one significant difference: open source software makers show you their code and stake their reputation on it, while for closed source applications you have to rely only on the maker’s word. Corporate priorities and legal assessments may even push a closed source software maker to hide or ignore a known security risk in their code, something which is much harder to do with open source software (and even in that case, someone else could find it and fix it for you).


On the other hand, within the open source software community, it is relatively common to stumble upon widely used projects, perhaps a library or a simple tool, that are developed as a hobby, cutting corners on everything but writing new code and adding nice-looking features, and ditching boring work such as security reviews, proper testing and release management.

This is where your open source related security risks usually come from. If you look at how often the software is updated, how many people work on it, how many security issues are found and how quickly they are fixed (there are even tools that do this for you), you can immediately tell that some projects are not so secure. This is the moment when corporate users of software realize that, after all, they have a way to get the best of both worlds, by using software made by the best-known open source foundations and by the most reputable commercial open source software companies.
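As an added illustration of the health signals just listed (release cadence, number of active maintainers, and how quickly reported security issues get fixed), here is a small assessment script. It is an example written for this page, not code from the article or from any real project-scoring tool; the two project records, the dates and the thresholds are all constructed assumptions, chosen to show one well-maintained project and one neglected one side by side.

```python
from dataclasses import dataclass, field
from datetime import date
from statistics import median
from typing import Optional


@dataclass
class SecurityIssue:
    reported: date
    fixed: Optional[date] = None  # None means still open


@dataclass
class ProjectSignals:
    name: str
    release_dates: list[date]
    active_maintainers: int
    security_issues: list[SecurityIssue] = field(default_factory=list)


# Assumed thresholds; a real review would tune these to the project's role.
MAX_DAYS_SINCE_RELEASE = 180
MIN_MAINTAINERS = 2
MAX_MEDIAN_DAYS_TO_FIX = 30
MAX_OPEN_ISSUE_AGE = 30


def days_since_last_release(p: ProjectSignals, today: date) -> Optional[int]:
    if not p.release_dates:
        return None
    return (today - max(p.release_dates)).days


def median_days_to_fix(p: ProjectSignals) -> Optional[float]:
    # Only issues that actually got a fix contribute to the median.
    durations = [(i.fixed - i.reported).days for i in p.security_issues if i.fixed]
    return median(durations) if durations else None


def open_security_issues(p: ProjectSignals, today: date) -> list[int]:
    # Ages in days of issues that are still unfixed at assessment time.
    return [(today - i.reported).days for i in p.security_issues if i.fixed is None]


def assess(p: ProjectSignals, today: date) -> dict:
    findings = []
    age = days_since_last_release(p, today)
    if age is None or age > MAX_DAYS_SINCE_RELEASE:
        findings.append(f"no release in {age} days")
    if p.active_maintainers < MIN_MAINTAINERS:
        findings.append(f"only {p.active_maintainers} active maintainer(s)")
    ttf = median_days_to_fix(p)
    if ttf is not None and ttf > MAX_MEDIAN_DAYS_TO_FIX:
        findings.append(f"median time to fix security issues is {ttf} days")
    stale = [a for a in open_security_issues(p, today) if a > MAX_OPEN_ISSUE_AGE]
    if stale:
        findings.append(f"{len(stale)} security issue(s) open for more than {MAX_OPEN_ISSUE_AGE} days")
    # Simple verdict ladder: no findings is healthy, one deserves a watch, more is a risk.
    verdict = "healthy" if not findings else ("watch" if len(findings) == 1 else "at risk")
    return {"project": p.name, "verdict": verdict, "findings": findings}


# Constructed sample data (not real projects).
TODAY = date(2024, 6, 1)

WELL_MAINTAINED = ProjectSignals(
    name="libfoo (constructed)",
    release_dates=[date(2024, 1, 10), date(2024, 3, 5), date(2024, 5, 20)],
    active_maintainers=6,
    security_issues=[
        SecurityIssue(date(2024, 2, 1), date(2024, 2, 4)),
        SecurityIssue(date(2024, 4, 10), date(2024, 4, 15)),
    ],
)

HOBBY_TOOL = ProjectSignals(
    name="hobby-tool (constructed)",
    release_dates=[date(2022, 8, 1)],
    active_maintainers=1,
    security_issues=[
        SecurityIssue(date(2023, 11, 1), date(2024, 2, 1)),
        SecurityIssue(date(2024, 3, 15)),  # still open
    ],
)

if __name__ == "__main__":
    for project in (WELL_MAINTAINED, HOBBY_TOOL):
        report = assess(project, TODAY)
        print(report["project"], "->", report["verdict"])
        for f in report["findings"]:
            print("  -", f)
```

The point of the design is that every signal is measured against a stated threshold rather than an impression: the same four questions the paragraph asks are applied identically to both projects, and the findings list tells you which question each project failed, which is what you would bring to the maintainers or to your own risk register.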

These are the software makers that still give you all the freedoms and advantages of open source products, but are also able to guarantee a professional approach to security. Since the code is open, you should feel free to request and look for proof of this, rather than just rely on the company’s word. And, with a company on the other side, you will also be able to ask for contracts, support and documentation, minimizing your business risk and building a stable partnership over time.


The best open source companies are also those that support, reward and leverage a thriving community, with positive effects on the security of the product as well. For example, Dovecot, the mail delivery application that powers 75% of the world’s email servers, has received outstanding independent security assessments, one of which mentions “an exceptionally good outcome for Dovecot, and a true testament to the fact that keeping security promises is at the core of the Dovecot development and operations”. This is the joint result of talented developers, a broad and active community, and a trusted company behind the product, willing to invest in its security.

This is why, in the end, you can find secure software across all the different development models, but a well-supported, widely used, professional open source product is the best option of them all.
