There are some people won’t touch anything to do with open source projects as they feel it might have issues with security. What does open source actually do for security or change how it works?
In college I was told over and over that SECURITY BY OBSCURITY IS NOT ACTUALLY SECURITY. So using thoroughly tested and examined security techniques from open source software is the gold standard.
There are known secure algorithms that cannot be cracked by modern computers. So, no reason to try and reinvent the wheel and just hope your way is better despite decades of refinement and research into modern open algorithms.
@ZenFriedRice @SamXavia I remember back in '98 getting in an argument over this with the company’s chief architect. Finally had him back down when after he claimed “no professional security company just publishes their source code” I then replied “well, actually RSA BSAFE is distributed with all source.”
@ZenFriedRice security by obscurity may not be security, but it is one of the tools to reduce hacking attacks, like changing the SSH port for example
People who don’t touch open source are mouth breathers. So next time someone says they won’t use it because it’s FOSS, you know who the weakest link in the building is.
As others have mentioned, it’s more secure code because it’s freely available. With closed source, you have no idea whats going on.
Look at it this way. FOSS is like a real safe. You can see it. Touch it. Kick it. Punch it. Closed source is like a blanket and I tell you there’s a safe under there. No you can’t touch it or see it. Trust me tho, there’s a safe.
Which would you store your money in?
In fairness, this is only the case when people are actually inspecting the code. That safe could be a cake that looks like a safe, but if nobody tastes it there is no real benefit (in terms of security at least)
It’s a harder con to build a real looking fake safe, hoping no one will actually test it out, then just lying about what’s behind a curtain no one is allowed to look behind.
the reason why many companies try to avoid using open source software is support. they usually can’t throw money at the creator to fix their problems or create custom solutions for them. which is kind of not accurate anymore today.
The reality is that virtually all widely used modern codebases contain at least some open source code (source).
It doesn’t really. In theory more eyes on the code means more chance for a security bug to be found, either by white hat researchers or black hat exploiters. In practice this doesn’t really pan out; not only are most free software projects small hobbyist endeavors, but even large free software projects with many eyes on them, such as OpenSSL and curl, have had critical security vulnerabilities over the years. When it comes to security issues, having the right eyes on the code matters more than having many eyes.
The original promise of free software, the four freedoms, is all it guarantees. In my opinion this is enough to prefer free software over proprietary.
Isn’t your OpenSSL and curl points proving the opposite? Every program will have vulnerabilities and they had critical security vulnerabilities that were found and fixed.
But yes, I agree that 95% of open source projects have absolutely 0 security testing. Might not matter for some embedded applications, but it matters a great deal for public facing container plugins for example. Then again, most closed source software also hasn’t been pen tested.
Good point, finding a security vulnerability is a success not a failure.
In my opinion it makes a project even more secure. Many eyes are able to inspect the code and review it for known and unknown vulnerabilities. It is a cat and mouse game anyway, you might as well broadcast all the flaws in hopes of people catching them and helping to fix them.
@PrecisePangolin Thanks, this explains it really well.
I think the argument is usually
If bad people see the code, they can spot vulnerabilities and exploit them
But I that’s not really how it works because it doesn’t cost anything to try an exploit. People generally aren’t going to look through the code to try and spot a weakness when they can just run an automated thing to attempt common vulnerabilities. Open source, closed source, bad code will fail the same.
I see it as a lock. With open source, you know how the internal mechanism is supposed to work and you can judge how secure it is. With closed source, someone says “trust me” and doesn’t show you how the inside works. It could just be a “if something metal is inserted, unlock the system”.
Ultimately the best thing is to look for open source software that’s been audited. If no one has checked the FOSS code, then you don’t actually know it’s safe. Once that’s happened, best of both worlds.
One other concern might be “if it’s open source, then everyone can see my password!”
Which is just… wrong
Oh and in practice, companies might pick a closed source paid product over a free and open source one.
But it’s not the product, it’s the legal/financial agreements. Companies like to externalize the risk instead of taking it on themselves. They like being able to sue someone if things go wrong.
The other company might be running the FOSS software too. They’re taking on the responsibility.
Oh and finally, a lot of open source products and protocols are used by closed source companies.
ex. Signal protocol is used by Facebook for some things