Who says open source software is less secure?
Himanshuz.chd 270004408M Visits (8103)
Whenever a piece of source code for any software from Microsoft gets leaked, there is a flood of warnings from security consultants that this can have huge negative impacts on the security of that particular software. These types of warnings mostly lead (or rather mislead) to doubts that if a small piece of code can cause security compromises then what about the open source software for which the whole source code is available to any and everyone. A big question arises that how do pro open source people advocate that its even more secure than proprietary software. Here in this article, I will focus on some of the important aspects regarding the security of open source software.
Please note that all the views expressed here are entirely of my own.
Source code availability
I usually get absorbed in this debate during tea breaks in my office. Most of the people argue that if the whole source code is available then a cracker knows the loopholes and the security of that software can easily be compromised. I agree to their point but quickly I point out that not everybody out there is a cracker or a person with negative intentions. There are certainly more people that support the cause of open source and contribute to it in a positive way. There are more eyes that are protecting open source by identifying the loopholes and quickly correcting them. So we see that the most powerful security asset of an open source software is the fact that it is open source.
On the contrary, the belief that a closed source software is secure is not true. The live and biggest example of this is the Microsoft family of operating systems. Everybody knows that these guys do not release the source code but still we have huge number of bugs and security compromises for Microsoft family of OS. Some people may argue that since it is very popular so it becomes the prime target of crackers. Though there is nothing wrong in their statement but these people try to deviate from the real issue. The real issue is not the number of compromises but the real issue is that despite of being closed source, there ARE security vulnerabilities in closed source software too and these vulnerabilities ARE being exploited in real world.
Updates and patches
This is another very important aspect that businesses are concerned while dealing with open source software. There is always a concern as to the quality of maintenance of an open source software from a vendor. I believe this concern is valid but up to a certain extent only. Why I agree to it is because there are still certain open source software that are managed by small team or even a single person. So these software are still not preferred by corporates and businesses. Now, why I said that I agree to it up to a certain extent only is because there is a long list of open source software that are being used in real world by big businesses for real time work. Look at Linux, Apache etc these are giving severe competition to their custom counterparts on every aspect. The updates are provided at regular intervals and patches to critical bugs are provided even in a few hours. For those who doubt the patch/update speed and capability of open source, I would like to give the example of the Ping of Death. This bug resulted in a crash on almost every operating system but the amazing part is that the patch to this bug was released only in couple of hours on Linux. This can be attributed to the number of contributors to Linux. So we see that though there are certain open source software that are still not mature to be used in real world but we cannot paint every software with the same brush.
If we audit the custom or the closed source software on the same line, then we see that though there is a dedicated team for a custom software but updates and patches are not as fast. Mostly the updates and patches are not released within hours or days (as with many of the popular open source software).
There are some popular theories and rumours that state run agencies use open source software to inject loopholes but I argue that why cant they use their influence on custom software vendors for the same. There can be one or two instances where open source developers have publicly accepted some wrong doings but as with everything, there is always a darker side and who grantees that custom software is all pure and clean. At least within open source software one has the privilege to review and verify the complete source code and clear any security doubts. Can you do the same with closed source software when what you get is a bunch of binaries? What if one day you find that the vendor of the custom OS that you use has deliberately introduced some vulnerabilities so that the anti virus companies can survive and can mint money from you? :-)
So you see that bluntly saying that open source software is insecure is wrong. As open source software is doing excellent in real world today.