Industries are attracted to adopting open source for a variety of reasons including, but not limited to, cost optimization, faster innovation and improved code quality. But, often, users forget to consider the security aspects of using open source components which could lead the organization into trouble at later stage.
Given an option to choose an open source component, often we find several versions (each with a different set of features) for the same component. When the code is open to the community, developers add features to it for various reasons, such as customization to meet their business requirement, dignity in contributing to the community, faster innovation, and better-quality code. Hence, it is important to map the business requirements to the product offerings, keeping various other options open for experimentation and evaluation of the fitness of the options. This helps in adopting the best option at the lowest cost, whereas in closed source software, once the license is bought, one may have to compromise with the functionalities or potentially incur add-on costs due to additional features requirements or customization. This applies to security features as well. However, the lack of understanding of the open source security principles have led to a lot of myths. Here, I tackle some of them and provide a comparative view of open and closed source software.
Myths vs reality
- Because the OSS (open source software) codebase is open, it is more vulnerable to security threats than proprietary software.
- All code, open source or proprietary, is vulnerable to security threats if, while the code is being developed, security coding guidelines, data validation, sensitive data–handling procedures and appropriate encryption standards are not in place. Therefore, a disciplined governance process is very important. Also, because the code is openly available in OSS, anyone who encounters any vulnerability can fix it or report it to the community to fix. Many eyes on the code means that bugs and vulnerabilities are spotted and fixed quickly. Alternatively, one can switch over to a non-vulnerable/less-vulnerable OSS option.
- Proprietary software is more secure than open source software.
- License agreements guarantee support but not security. In fact, when resolving a bug, vendors provide a patch or new release as often as they want even though customers would like action more quickly. In the case of OSS, anyone can fix a bug once it’s reported and the patch can be released with due diligence and at a faster pace.
- OSS is more vulnerable because hackers are aware of known bugs.
- In reality, when a bug or vulnerability is reported, the concerned team generates a CVE (Common Vulnerabilities and Exposures) entry marked as RESERVED that is not published in the public domain for hackers to take advantage of. The CVE is published only when the vulnerability has been fixed and a new version of the software is released, which reduces the chance of a security vulnerability.
- OSS is less secure because external users do not follow any particular standards or development policy.
- During development, basic coding standards are essential for any successful software, although there is no universal standard for security that a developer must follow. However, while adopting any OSS, one can insert any required security standards because the source code is open. Additionally, one can scan the OSS codebase to check the standards before adoption.
OSS is as secure as proprietary software when enterprises have a strategy ensuring the software adheres to the security principles of the organisation.