Tuesday, November 25, 2014

Is Open Source secure?

There was a time when "Open Source" meant nothing more than something for geeks. Times have changed and the expression is now common. Still, what exactly is Open Source?



It's more than free software. It's more than having access to the source code of a project. It's a philosophy embraced by people who think that software should be shared and worked on together, toward a common goal.

It all started with closed source software. Your enterprise would rely on a software solution and struggle with bugs and missing features. Worse, the company providing the solution might stop supporting it, forcing your enterprise to "upgrade" and migrate to another product from a new provider. That "upgrade" process costs a lot of money...

For individuals, it's the same issue. Your favourite app is no longer supported and you are stuck with bugs and missing features unless you move on to "The Next Big Thing".

An Open Source project does not have this issue. Bugs get fixed by the community. New features are added by the users, for the users. Some projects have a short life, while others split into many different flavours (forks). It's a natural evolution where demand drives development.

Basically, an open source project makes its source code available over the web so anyone can browse it, download it and modify it. You can do whatever you want with the source code, as long as you comply with the original licence. Most of the time, that means keeping it open.

Since the source code is available to all, is it secure?

Of course, security flaws can be identified by attackers reading the code. But they can be identified by everyone else as well. The point is that as soon as a vulnerability is identified, developers can patch it, share the fix and publish an updated version faster than most commercial vendors do. Often it's a matter of hours between the discovery of a vulnerability and the availability of a fixed version. That speed only helps once the fix is actually installed, though, so keeping your packages up to date matters as much as the fix itself.

We've all heard of vulnerabilities in commercial software that were never fixed or lay dormant for decades. This is much less likely in Open Source software, as the code can be analyzed and reviewed by thousands of hackers, coders and users. It is not impossible, however: availability of the source only helps when someone actually reads it, and the Heartbleed bug found in OpenSSL earlier this year had gone unnoticed for about two years.

If anyone can contribute, does that mean someone could inject malicious code into the project? Mostly no: serious open source projects have a team of maintainers who review every contribution, ensuring quality and security for the project. Think of the Apple App Store reviewing apps for potential malware. A similar process happens on Open Source projects, with the difference that both the code under review and the review itself are public.

Would you eat a meal without knowing its ingredients if you care about your diet? That's what "Open Source" means: you have a choice, you have a voice.

Patrick Balleux