Open source – more or less secure than closed source?

Recently, I was asked if I thought open source projects were inherently more or less secure than closed source, commercial projects. This post shares my thoughts on the topic. I’d love to continue the conversation in the comments section below, so please share your thoughts.

Open source programmers are no better or worse than commercial coders, so in that sense, security isn’t better on one versus the other. In both cases, testing and security play an important role in producing a quality release. Differing levels of experience and access to resources (tools, people, and hardware) have a more dramatic effect on a programmer’s ability to assure quality than whether the product will be released as open source or not. For example, the open source developers at Sendmail have access to commercial code coverage and memory leak tools, various commercial hardware and operating system releases for testing, a paid security audit, as well as other engineers in the office.

In my opinion, the additional security in the open source world comes after the code is published in the form of:

1. Access to source

When malicious hackers go after closed source products, they employ either black box testing techniques or execution tracing/disassembly to find security flaws. This is much more haphazard and time-consuming than, in the open source case, simply reading the code to find flaws in the implementation. Although at first glance this may make open source code seem less secure, it is actually a win, since issues are found and fixed quickly and there are more eyes looking at the source and reporting issues. In some ways, this comes down to the arguments for and against security through obscurity (closed source) versus security through transparency.

One argument to the contrary is that the bad guys have the source too, and they are more likely to look at it than the good guys are. The bad guys are going to attack on both fronts. Having the source may cause weaknesses to be found faster. Over time, this actually makes the open source project more secure, as the issues have been located and dealt with, whereas the closed source product remains a mystery, since there is no way to know if another bug is waiting to be discovered.

2. Exposure

Whichever side you come down on with regard to open or closed source being more secure, the benefit of code review in the open source world is undeniable. The sense of community and participation surrounding active open source projects leads to more code review, easier debugging, more testing, and a diverse environment for code coverage.

It has been my experience that testing is more accepted, more practiced, and better appreciated in open source projects than in the commercial arena. Perhaps that comes from the attitude of the end user when using freely available open source projects versus commercial products (i.e., when money enters the picture).

3. Responsiveness

Anecdotally, active open source projects respond more quickly to security issues than closed source commercial projects. Commercial companies may have unique responsibilities to customers/vendors, scheduling issues, or other procedural issues that preclude an expedient turnaround. For example, Microsoft Patch Tuesday was created due to complaints by administrators who weren’t able to deal with ad-hoc patch releases. Open source projects may also be more agile, as commercial software companies need to build and test binaries for a variety of past versions and platforms, whereas open source projects simply need to release a source code patch.

Another benefit of having the source code available is that even if the open source project maintainers are slow to release a security fix, the community can step in and offer a temporary solution until an official one is available.

As a hybrid company, Sendmail Inc. benefits from both worlds because we use open source sendmail in our commercial products, which is probably why we recently received the highest Veracode security rating.

In general, people shouldn’t consider open source more secure simply because it is open source, nor should they consider closed source more secure because the source isn’t available to attackers. Both attitudes tend to give a false sense of security. Instead, good security practices, watching for signs of intrusion, and keeping software up to date will improve security more than choosing between open source and closed source products.

This entry was posted in Gregory Shapiro, Uncategorized.

One Response to Open source – more or less secure than closed source?

  1. anand says:

    By making closed source a tradition, some big players in the software industry tried to make their products secure, but the truth is that their products are the most vulnerable to security threats! We have seen all sorts of virus attacks on Windows machines. Compared to this, open source applications (Linux), which I think are equally vulnerable, have been attacked less frequently. The reason for this, I think, is that solutions to attacks can be produced sooner because of the availability of the code to the open world. Open source, I think, has a little edge over closed source applications.