Security for your open source

Will open source software make your business more secure?

Vittorio Bertola

How secure is open source software? This question has serious implications for enterprises looking to make a decision between an open source project or a commercial product. In this article, Vittorio Bertola lays out the advantages and disadvantages of each for data security.

In the Internet technology and business world, a question has been hotly debated for at least twenty years: is open source software more or less secure than its closed, purely commercial counterparts?

Supporters of the open source development model will say that open source software is more secure, as it is jointly developed by a community of people who can check each other’s work. Furthermore, each of its users can inspect the source and discover both unintentional vulnerabilities and intentional backdoors – and even fix them independently.

Open source also shields its users from the risk of changing commercial conditions: no vendor can lock you into ever-rising pricing schemes or withdraw an application that is vital to you. At most, an open source vendor can stop working on it, but you still have the code to keep it alive and even develop it further.

Opponents of open source will reply that the community behind this kind of project often boils down to a couple of overworked, underfunded, distracted developers sitting in a basement, amateurish in their approach to software testing and release; and that, if anything goes wrong, the users of the application will have no one to blame (or to sue).

Also, while you can indeed scrutinize and enhance the code, this is not what you usually do when you choose a piece of software; checking the code of a large application line by line is a daunting task that only makes sense in very special cases, such as military uses; and if the open source project you rely upon dies of resource starvation, you may not want to keep investing in it anyway.

Another point of discussion is whether full transparency of an application’s code makes it more or less secure. This issue, however, seems to be settled for good: almost everyone agrees that “security by obscurity” is not a good idea, a rule cryptographers have known as Kerckhoffs’s principle since the 19th century. Even the most secret and valuable pieces of information end up exposed sooner or later, usually by mistake, through social engineering, or via other non-technical tricks. Thus, security should be intrinsic to the design and not rely on any secret in the code, but only on well-known, tested algorithms and on credentials (passwords, keys, etc.) that are kept out of the code, can be protected more easily, and can be rotated when necessary.

Moreover, if a vulnerability can be spotted by reading the code, opening the source up makes it much more likely to be caught quickly. Other bugs and vulnerabilities are not found by reading source code, but through routine tests, corner-case experiments, and tools such as fuzzers and interactive disassemblers; there, the availability of the source code makes far less of a difference, although having it still helps to instrument a fuzzer or to confirm the root cause of a crash.

Finally, the security of any algorithm should rest not on its secrecy but on sound logical and mathematical premises. Formal security analysis – describing a software algorithm or protocol in symbols and analysing the security of that abstract model – is an increasingly popular way to detect problems. For that purpose, withholding the logic of your software from public scrutiny is actually counterproductive; relying on public, widely confirmed best practices and research results is much better.

Is open source more secure?

So, what is the bottom line: is open source software more or less secure than commercial applications? The actual answer is that open source has some security advantages over closed source, but in the end, the availability of the code is not the primary factor that determines the security of an application.

What really makes a difference in the security of an application is how carefully this security is being designed, tested, and kept up to date by those who make it; how many resources are invested in it; how important it is considered by the development team.

You can find very secure or very insecure applications in both worlds, so you should look carefully for trusted software makers in both of them. Sure, there still is a significant difference: open source software makers show you their code and stake their reputation on it, while for closed source applications you have only the maker’s word to rely on. Corporate priorities and legal assessments may even push a closed source software maker to hide or ignore a known security risk in their code, which is much harder to do with open source software (and even then, someone else could find it and fix it for you).

On the other hand, within the open source software community it is quite common to stumble upon widely used projects, perhaps a library or a simple tool, that are developed as a hobby, cutting corners on everything but writing new code and adding nice-looking features, and skipping boring work such as security reviews, proper testing and release management.

This is where your open source security risks usually come from. If you look at how often the software is updated, how many people work on it, how many security issues are found and how quickly they are fixed (there are tools that do this for you), you can immediately tell that some projects are not so secure. This is the moment when corporate users of software realise that they can, after all, get the best of both worlds, by using software made by the best-known open source foundations and by the most reputable commercial open source software companies.
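As an added example (not from the article, and not the logic of any of the tools it alludes to), here is a small Python check that turns the signals listed above into concrete findings: release age, commit activity, number of active maintainers, open advisories and median time-to-fix. The project records, field names and thresholds are all constructed assumptions for illustration, not real projects or industry standards.

```python
from dataclasses import dataclass, field
from datetime import date
from statistics import median
from typing import List, Optional


@dataclass
class Advisory:
    """One published security issue; fixed stays None while it is open."""
    reported: date
    fixed: Optional[date] = None


@dataclass
class ProjectStats:
    """Metadata you would pull from a repository and its advisory feed.
    Field names are this example's own assumption, not a real tool's schema."""
    name: str
    last_release: date
    commits_last_year: int
    active_maintainers: int          # distinct committers in the last year
    advisories: List[Advisory] = field(default_factory=list)


# Illustrative thresholds (assumptions), not industry standards.
MAX_RELEASE_AGE_DAYS = 365
MAX_MEDIAN_FIX_DAYS = 90
MIN_MAINTAINERS = 2


def assess(project: ProjectStats, today: date) -> List[str]:
    """Return human-readable red flags; an empty list means none were found."""
    findings = []

    release_age = (today - project.last_release).days
    if release_age > MAX_RELEASE_AGE_DAYS:
        findings.append(f"no release for {release_age} days")

    if project.commits_last_year == 0:
        findings.append("no commits in the last year")

    if project.active_maintainers < MIN_MAINTAINERS:
        findings.append(f"bus factor {project.active_maintainers}: too few active maintainers")

    open_adv = [a for a in project.advisories if a.fixed is None]
    if open_adv:
        oldest_age = max((today - a.reported).days for a in open_adv)
        findings.append(f"{len(open_adv)} unfixed advisory(ies), oldest open for {oldest_age} days")

    fix_times = [(a.fixed - a.reported).days for a in project.advisories if a.fixed]
    if fix_times:
        ttf = median(fix_times)
        if ttf > MAX_MEDIAN_FIX_DAYS:
            findings.append(f"median time to fix a security issue is {ttf:.0f} days")
    elif not open_adv:
        # Zero advisories ever is not reassuring: it usually means nobody looked.
        findings.append("no security advisories on record; no evidence of independent review")

    return findings


# Constructed sample data (not real projects).
TODAY = date(2024, 6, 1)

HEALTHY = ProjectStats(
    name="well-run-lib",
    last_release=date(2024, 4, 20),
    commits_last_year=640,
    active_maintainers=9,
    advisories=[
        Advisory(date(2023, 9, 3), date(2023, 9, 10)),   # fixed in a week
        Advisory(date(2024, 1, 15), date(2024, 1, 18)),  # fixed in three days
    ],
)

DORMANT = ProjectStats(
    name="weekend-tool",
    last_release=date(2021, 11, 2),
    commits_last_year=3,
    active_maintainers=1,
    advisories=[
        Advisory(date(2023, 2, 1), date(2023, 8, 14)),   # 194 days to fix
        Advisory(date(2024, 1, 10)),                     # still open
    ],
)


if __name__ == "__main__":
    for project in (HEALTHY, DORMANT):
        print(project.name, "->", assess(project, TODAY) or ["no red flags"])
```

The point of the last branch is easy to miss: a project with no advisories at all is not necessarily clean, it may simply never have been looked at, which is why a history of found-and-fixed issues counts in a project's favour rather than against it.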

These are the software makers that still give you all the freedoms and advantages of open source products, but can also guarantee a professional approach to security. Since the code is open, feel free to ask for and look for proof of this, rather than just relying on the company’s word: published security advisories, the results of independent audits, and a documented process for handling vulnerability reports. And, with a company on the other side, you can also ask for contracts, support and documentation, minimizing your business risk and building a stable partnership over time.

The best open source companies are also those that support, reward and leverage a thriving community, with positive effects on the security of the product as well. For example, Dovecot, the open source IMAP and POP3 server (a product of Open-Xchange, the author’s employer) that powers 75% of the world’s email servers, has received outstanding independent security assessments, one of which described “an exceptionally good outcome for Dovecot, and a true testament to the fact that keeping security promises is at the core of the Dovecot development and operations”. This is the joint result of talented developers, a broad and active community, and a trusted company behind the product, willing to invest in its security.

This is why, in the end, you can find secure software throughout all the different development models, but a well-supported, widely used, professional open source product is the best option of them all.


Vittorio Bertola

Vittorio Bertola is an engineer, policy expert, entrepreneur and activist from Italy, currently running the policy, research and innovation activities at Open-Xchange, the global leader in free software email and DNS platforms. He is one of the architects of the ID4me project, developing an open, public and federated single sign-on and identity management infrastructure for the Internet based on domain names. In the past he founded start-ups, campaigns, Usenet newsgroups and political parties, served on the Board of ICANN and on United Nations internet governance groups.

1 Comment

Trapper John, 3 years ago

A better question is how many naive fools are left out there who think proprietary is more secure?