News: Is Open Source Really Insecure?

Is Open Source Really Insecure?

Is Open Source Really Insecure?

To go Open Source or go proprietary? There is a common conception that open-source is unsafe and insecure and therefore companies should rather go for proprietary solutions. They think that because software is termed "open-source", that the world can see the vulnerabilities of the software and might exploit it, and less informed people tend to think that open-source software can be modified while it is running.

Let's first discuss my last comment: Open source software can be modified while running... Let's look at the normal procedures of producing software. You write the code, compile it, assemble it (depending on your compiler, some compilers might do the assembling stage together with the compilation), and run it. By the time you run it, it is in machine readable format, and loaded into memory. If you change the code, you'll have to go through the building process again and load the new version into memory for the changes to take affect. So one way to change a running program is to manipulate the (machine) code in memory. Surely this can be done if you're smart enough, but this can be done with any software, even the big proprietary names out there. Maybe because software is open source, it gives a hacker easier access to analyse the code and develop and test methods to do harm, but I still think it's just as easy to do harm to proprietary software. People smart enough to do this will surely be able to interpret the machine code produced by proprietary systems as well.

Now, let's look at vulnerabilities exposed by source code that's open to the public. Just as there are people looking for weak points in the source code to do harm, there are also a lot of people fixing these weak points when they spot them. Typically the number of people contributing to a popular open source product outnumber the amount of people working in a team on a proprietary system, which also means there is a lot more minds able to spot weak points. There is also a lot more "testers" from the beginning of the project, as the project is open source, and not like closed source projects where it's limited to a small number of testers before the software is released to incrementally larger groups during alpha and beta testing. The discussion groups are also larger for open-source projects where bugs and weak points are discussed

At one stage not too long ago I've overheard a conversation where a solutions architect, trying to sell a popular proprietary solution to the CIO of a fairly big company, tried to convince the customer when he asked about open-source by saying that "open-source doesn't belong to everybody, it belongs to nobody". Yes I might agree in the case of smaller "hobby" type projects, but I can think of some big names that goes a fairly long way in helping to develop and improve open source systems, and who even gives commercial support for such systems. You'll get many companies giving commercial support for only one open source product and all of them helping to improve that product.

Let me give an example. There are many companies giving commercial support for Firefox, a very popular open source web browser. They might develop bug fixes and release it back to the community, or choose to keep it to themselves. The product is open source, so anyone with the knowledge can develop bug fixes and improvements. You choose who will give you commercial support, and you pay them to do the fixes when you encounter some. if you are not happy with them, you can go to someone else. There are really big companies giving support like this. How many companies can give you support and bug fixes with the popular proprietary web browsers out there? Just the company who developed it. We are moving to a service delivery model of doing business, so more and more companies are eager to give you commercial support on open source solutions, as well as delivering enhancements to the many great open source products out there. I'm just trying to prove that open source does indeed belong to "somebody", and that is everybody, without any sacrifices on security.

Please comment on this article and let me know what you think regarding the topic, and if you disagree, then why you disagree, or if you agree, then provide us with some more supporting points.

3 Comments

I think open source is great, but I think that the community needs to do a better job of reaching people who aren't techies. I think having non-techies provide feedback would help open source projects really *be* for everyone.

Unfortunately, many open source developers have a developer-only mentality and think that, "if it was hard to write it should be hard to run/understand." They don't want feedback, even from other developers, since their pet project should do what /they/ want it to do and /only/ what they want it to do. This attitude is changing but very slowly. I wouldn't hold my breath waiting for it..

Renato, I find your post interesting. I would suggest that some of the very objections proprietary promoters have about open source programming are, in fact, it´s strengths. Microsoft is almost infamous for taking months, and sometimes years, to publish fixes for security vulnerabilities which Microsoft itself classified as serious or critical. When similar vulnerabilities were found in a comparable product, the fix was published within a matter of hours. Because there are so many more people involved in most open source projects, that means there that many more sets of eyes, and minds, scrutinizing the code, and testing it on a multitude of hardware platforms and software environments. Because open source projects normally don´t have financial pressure to finish as soon as possible, they can also take longer to validate the code. Most open source projects also have a much larger base of ¨help-desk¨ people contributing assistance to new and experienced users, the help is generally of a much higher quality as well as being free, unless one chooses to pay for support.

Cybe R Wizard, I have had entirely the opposite experience with open source developers. I find that they welcome feedback on their projects. As a future open source developer, I know that I will want help in every phase of my projects. I will also want all the user feedback I can get, once I publish a project. I won´t make a dime from my projects. My only reward will be knowing that other people find my project useful. I will also want to refine those projects; the best way to do that is to pay close attention to my users feedback.

Share Your Thoughts