Open Source software is insecure, right?

OpenGlobal has always been a big advocate of open source software, mainly for the technical advantages it brings, but the price (ie, usually free) is also a nice incentive. But I've recently heard of a web designer advising clients against open source because it is supposedly inherently insecure due to its public nature.

This is something I hear occasionally and it is definitely something which should be addressed, because, at first glance, it seems obvious that open source software would be less secure than proprietary software.

So let's briefly explore the issues.

Open source software basically means that all of the source code is publicly available. Anybody can download and read the source code and see exactly how the software is written, how the security elements are written and, potentially, identify security weaknesses in the software. Proprietary software, on the other hand, is closed source. You just get the software and you don't get to find out what's happening under the covers. This makes it harder to identify security holes, though not impossible: a compiled binary can still be disassembled, debugged and fuzzed, and attackers do exactly that.

So far, it's not looking good for open source.

But let's look at some numbers.

Open source software generally has a similar number of core developers working on it as proprietary software, so there are similar resources to throw at security in each case. But open source also has a lot of other people looking at the code, identifying problems and reporting bugs and security holes back to the developers.

Open source projects obviously attract the same malicious people, looking for security holes to exploit rather than report, as proprietary software does; but proprietary software doesn't get the "general public" helping it in return.

This only works, though, if there is a good (and competent) community around the open source project to find these security holes, report them and get them fixed.

OK, so there are pros and cons.

What does the security industry itself do?

Well, that's easy. Where it matters most, in cryptography, the security industry uses open methods: the algorithms and protocols are published in full for anyone to analyse.

No, seriously: open methods only.

The security forces of every major military power standardise on published encryption algorithms for the bulk of their traffic. The US, UK, Israel, France, Russia, China: everybody you don't want to mess with uses, as a rule, tried and tested algorithms that have been published and picked over in public (AES in the US and allied countries; Russia and China publish their own national standards), with the handful of classified algorithms reserved for the most sensitive traffic being the exception that proves the rule.

But why?

Well, all of the proprietary methods that companies have come up with just haven't been tested enough. The good open encryption algorithms have survived decades of public cryptanalysis and are continually being improved by academic and industry cryptographers working together. No private company in the world has that level of resource to throw at its own security products.

Proprietary software tends to rely on the principle of security through obscurity. In other words, it's only secure as long as nobody knows how it works. Open security designs rely on the opposite principle (Kerckhoffs's principle): the system must remain secure even when everything about it except the key is public. And it's secure precisely because everybody knows about it and has tried to break it.
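To make that principle concrete, here is an added example in Python, written for this page; it is not code from the article, from OpenGlobal, or from any product the article mentions. It puts a hypothetical "proprietary" scheme (a mask baked into the code and applied as a repeating XOR, the kind of thing a home-grown "encryption" routine often turns out to be) next to an open scheme in which the algorithm is public and only a key is secret, and gives an attacker one predictable plaintext (an HTTP header, a constructed sample) under each. The open scheme's HMAC-SHA256 counter-mode keystream is a stand-in for a standard cipher, chosen so the example runs with the standard library alone; all names, keys and sample messages are made up for the illustration.

```python
import hashlib
import hmac
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


# --- "Proprietary" scheme: the algorithm itself is the only secret. ---
# A mask baked into the code, applied as a repeating XOR. Hypothetical,
# standing in for home-grown obfuscation. Anyone who reads the binary simply
# reads the mask; the attack below shows it falls even to someone who never
# sees the code at all.
BAKED_IN_MASK = b"s3cr3tm4sk"


def obscure(data: bytes, mask: bytes = BAKED_IN_MASK) -> bytes:
    """Encrypts and decrypts (XOR is its own inverse)."""
    return bytes(b ^ mask[i % len(mask)] for i, b in enumerate(data))


def smallest_period(stream: bytes) -> int:
    """Shortest p such that the stream repeats every p bytes."""
    for p in range(1, len(stream)):
        if all(stream[i] == stream[i - p] for i in range(p, len(stream))):
            return p
    return len(stream)


def recover_mask(known_plaintext: bytes, ciphertext: bytes) -> bytes:
    """Known-plaintext attack: plaintext XOR ciphertext is the keystream, and
    the keystream's period is the mask. Needs at least two mask lengths of
    known plaintext to pin the period down unambiguously."""
    stream = xor_bytes(known_plaintext, ciphertext)
    return stream[: smallest_period(stream)]


# --- Open scheme: algorithm public, key secret, nonce unique per message. ---
# Keystream = HMAC-SHA256(key, nonce || counter), i.e. a PRF in counter mode.
# Built from the standard library so it runs anywhere; it is a stand-in for a
# standard cipher such as AES-CTR, not a recommendation. Production code
# should use a vetted library's AEAD (AES-GCM, ChaCha20-Poly1305) instead.
def prf_keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def open_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    return xor_bytes(data, prf_keystream(key, nonce, len(data)))


open_decrypt = open_encrypt  # same keystream, XORed back off


def demo() -> dict:
    """Give an attacker one predictable plaintext under each scheme and see
    what else they can read. All messages are constructed samples."""
    header = b"Content-Type: text/html\r\n"        # predictable, 25 bytes
    secret = b"card=4111111111111111&cvv=123"       # what we want to protect

    # Proprietary: the predictable message leaks the mask; everything falls.
    mask = recover_mask(header, obscure(header))
    cracked = obscure(obscure(secret), mask)

    # Open: attacker knows every line above plus the same known plaintext.
    key = os.urandom(32)
    n1, n2 = os.urandom(12), os.urandom(12)
    leaked_stream = xor_bytes(header, open_encrypt(key, n1, header))
    fresh = xor_bytes(open_encrypt(key, n2, secret), leaked_stream)   # new nonce
    reused = xor_bytes(open_encrypt(key, n1, secret), leaked_stream)  # nonce reuse

    return {
        "proprietary_mask_recovered": mask == BAKED_IN_MASK,
        "proprietary_secret_cracked": cracked == secret,
        "open_fresh_nonce_cracked": fresh == secret[: len(fresh)],
        "open_reused_nonce_cracked": reused == secret[: len(reused)],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

One header is enough to pull the baked-in mask out of the "proprietary" scheme, after which every other message it ever protected is readable. The open scheme survives the identical attack with the identical knowledge, and because its rules are written down it also tells you exactly what must stay unique: the last line of the demo shows that reusing a nonce hands the attacker the same break, which is why published designs specify nonce handling rather than leaving it to guesswork.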

When you use your credit card online, the information is encrypted using TLS, whose encryption algorithms (AES and the like) are published standards, the same algorithms that governments approve for their own classified data. The credit card companies themselves and the banks all use the same published technology.

The entire security industry rests on openly published designs.

OK, if I still haven't convinced you, read this article by Bruce Schneier, who is about as close to the world's foremost expert on security as you'll find: https://www.schneier.com/crypto-gram-9909.html#OpenSourceandSecurity

Now that is not to say that all open source software is inherently more secure. Microsoft, for example, has had an abysmal security record, but there are plenty of open source projects which are still horrifically poor on the security front too.

The key is to choose tried and tested open source software with a good security policy in place and a good track record of identifying AND QUICKLY FIXING security holes.

No software can be guaranteed to be completely secure, so knowing that things get fixed quickly is essential.

Sometimes the proprietary equivalent is more secure because it's being managed better. But, in general, a well-managed, popular open source project should be more secure than an equivalent proprietary product.

The one thing that can pretty much be guaranteed is that proprietary "security" code written by small provincial web design agencies will be using untested, home-grown security models and should be avoided like the plague. It is the sign of a company that knows very little about software security (and very little about website promotion, but that's another article).

As a Cyber Essentials certified company, OpenGlobal takes security very seriously, which is why we don't rely on hearsay when securing our servers. We use tried and tested technology and keep our software regularly updated to keep our websites as secure as possible. If you'd like to entrust your website security to a professional company, contact us today on 0845 269 9624.