Security is a major concern for most individuals and businesses, especially online. Traditionally that has meant secrecy and locking things up, which is the opposite of Open Source principles. So why do prominent experts in supplying secure services often recommend Open Source software as the more secure option, and why are governments around the world, including the US and UK, recommending that Open Source solutions be actively considered in IT purchasing?
Peer Review – the key to Secure Open Source Systems?
One of the key security benefits of Open Source software is that the code is accessible to everyone who uses it, in the same way that the open discussion and exchange of scientific ideas in the 17th and 18th centuries led to the Age of Enlightenment.
Meanwhile cryptography, the study and practice of secure codes and communication, has long benefitted from making codes open and available. After all, you can’t tell whether a code really is secure until it has been widely tested.
Critics of Open Source security point out that the majority of users downloading software are unlikely to examine millions of lines of code, which is precisely why the scientific ideal of peer review, rather than inspection by each individual user, is what matters.
Many Open Source projects actively hire security experts to perform audits, especially in areas such as eCommerce where security is hugely important. But an open platform also means that a wider pool of people with an interest in security can contribute without being asked or hired.
Won’t Hackers just Examine Open Source code?
Just as very few users with good intentions are likely to pore over millions of lines of code, the same is true of those who may wish to subvert it. Proprietary software, meanwhile, also regularly falls victim to hackers, because tools such as disassemblers are widely available and the binary can be analysed without the source.
There is also the risk that an Open Source project may accept code and contributions from anyone, so a developer could innocently or maliciously add something which opens up a security flaw. That risk has been greatly reduced in most of the leading Open Source projects by introducing project management and security review processes that contributions must pass before they are merged and made public.
Open Source Security Fixes
It’s easy to find security vulnerabilities which have existed for long periods in both proprietary and Open Source software. However, the transparency of the Open Source community means that these problems are made public much more quickly and easily, which forces solutions to be found. Often, those who discover an issue are also able to propose and develop a fix immediately.
When evaluating any software for security, it’s important to check the procedure for patches and updates, including how they are distributed. Look for projects which update quickly and often when required.
It’s also vital with both open and proprietary software that the end user or business keeps up with updates and patches. Many hackers, for example, routinely scan for machines running older, unpatched software with known vulnerabilities. Compromising an older installation takes much less effort, and requires much less knowledge on the part of the hacker.
Is Open Source more Secure than Closed Source?
In security terms, there are good and bad examples of both Open Source and proprietary software. The best examples of both approaches will be broadly comparable, although Open Source will often have a marginal edge. The biggest and best Open Source projects will have paid internal developers and teams alongside the unpaid volunteer contributors, giving them the best of both approaches if it’s combined with a sensible update and patching process.
It’s also important to note that both open and closed software will often include external components and libraries, which may or may not be secure themselves.
Ultimately the decision to use Open Source software is accompanied by numerous other reasons, such as cost, flexibility and the ease of customisation. All software also requires the end user to be proactive in maintaining and updating it so that known vulnerabilities are not left open; running an outdated proprietary system is far riskier than running the latest open source equivalent, for example.
Finally, Open Source will continue to improve on the security front as it is increasingly used by governments, organisations and businesses which need highly secure systems. In addition to higher security, this is also leading to more standardised and transparent reporting of vulnerabilities, which is a major benefit for the Open Source community.
Dan is an experienced writer, blogger and digital marketer. He’s worked with the UK’s largest magazine publisher, national radio stations, and consults everyone from small start-ups to global businesses, as well as running his own small network of videogames sites.