March 3, 2017

Security of open-source

Just a quick one today, being thoughts about how secure open-source software is. There's an argument that goes along the lines of it being less secure because hackers can read the source code and spot the vulnerabilities that way. That's not necessarily true. Here's why:

  • Open-source code is huge, just like closed-source code. It takes a huge amount of time and effort even from an expert to fully understand what's going on by reading the code alone.
  • Most hacking attempts start by running some kind of scanning or vulnerability probing software against the target program, which doesn't care if it is open- or closed-source. If a vulnerability shows up then it can be exploited regardless.
  • Open-source is widely peer-reviewed and vetted by the community. The more established the project, the more that this is the case. The community is more effective than any internal security checking team at a closed-source vendor, because it is bigger, more experienced, and has more time to do the job. It could be argued that as a result, established open-source is more secure than closed-source.
  • If you do find a vulnerability in open-source, it can usually be patched much faster. It can take much longer for a closed-source vendor to recognise and patch a security issue than an open-source community to do the same.
  • As you've got the source code, you can always get your own developers to fix it for you, right here, right now - that is never possible with closed-source. Same goes for new features or improvements, or anything else you might want to change!

Just some thoughts, anyhow. Both open- and closed-source have their pros and cons, but it is hard to argue that closed is better than open. Organisations should take open-source seriously in the knowledge that it can be equally secure, if not more secure, than many closed-source alternatives.

Thanks to the BCS (British Computer Society) quarterly magazine ITNOW for inspiration for the above!

Topics: Bioinformatics, Open source, security