25th January 2016
Open vs Closed Source – Debunking the “Security” Myth
The argument of open versus closed source has been discussed at length but has not died out. Personally, I thought the argument had been resolved in favour of open source many years ago; however, a few articles and statements I’ve read recently suggest that opinions are still divided.
First, a quick definition: open source software is software whose source code is made freely available and can be redistributed and modified. Closed source is the opposite – the source code is not available and cannot be viewed, changed or modified.
The gist of the “less secure” argument is that because the code is freely available, any vulnerabilities it contains are more likely to be found. Closed source code can’t be viewed, so its vulnerabilities are supposedly less likely to be discovered.
If this is the case then why does open source exist at all, and why does anyone use it?
Why Open Source Software?
There are many reasons why someone would use open source software, knowingly or unknowingly.
Open source software is more prevalent than most realise. Chances are you’ve already benefitted from open source software without realising it. It powers more than half of the internet – Apache and Nginx web servers (which are both open source) account for around 54% of all web servers. Interestingly, when you narrow the survey to the million most popular websites, that number increases to 69%. The most popular websites on the web are even more likely to be run on open source software. So if you’ve ever used Amazon, Facebook or Wikipedia, you’ll have unknowingly encountered open source software.
In some cases, lower cost and better quality are other reasons to pick open source software. Having a community of people behind open source allows for a wider range of skills and unique perspectives to influence and shape projects. This encourages a process of innovation in the development of open source software. It also makes software more accessible to people who may otherwise find the cost of quality software prohibitive.
I would argue (as would many other open source advocates) that a well run, responsible open source project is more likely to be secure for the very reasons others argue against it. Being open to scrutiny is a good thing: anyone can view the code, so bugs and vulnerabilities may well be found, but they also get fixed, and the software becomes more credible as a result. There is strength in transparency.
Security may actually be a reason to choose open source software over closed source software. With closed source software, users have to accept whatever level of security the software licenser provides, with no capacity to fix vulnerabilities themselves. This raises the questions: if vulnerabilities are found in closed source software, how do they get fixed? How long will it take to fix them? Will they get fixed at all? All are questions one should consider when making software choices.
Kerckhoffs’ principle, as reformulated by mathematician Claude Shannon, states that “one ought to design systems under the assumption that the enemy will immediately gain full familiarity with them.” If that is the case, then both open and closed source software benefit from applying this principle to their security. Closed source software should not depend on its source code being “secret” any more than open source software should be faulted for being visible. If someone is truly determined to expose vulnerabilities in software, they will, regardless of visibility.
As the developer community continues to grow, I would expect to see open source software grow in popularity and become even more widely used than it currently is. While it’s not always possible to use open source software, it shouldn’t be overlooked based on unfounded security myths. As always, do your research before making a decision.