This week, as I was working with a client discussing an open-source software solution versus a closed-source licensed one, the question arose whether or not open-source software is secure.
At first, I thought of a facepalm emoji. But I took a moment and realized that this is still an area of confusion for many. So this week, I am going to quickly give my thoughts on whether security concerns about open-source software should be treated as a non-starter issue when discussing the merits of specific software packages.
In no particular order, I want to discuss a few thoughts that come to mind when addressing this question. First, let's start with a clarification that all too often people seem to forget.
Open Source Is a Licensing Model, Not Necessarily a Methodology.
I find that people are often confused about what "open-source" means. The fact is, it's a licensing model and not a particular coding or technical methodology. There are no unique techniques or tricks that make software open-source. It is typically a community of coders who choose to build, maintain, and iterate a software package with the purpose of making it freely available for the world to use via a specific type of license. Those coders are more likely than not to be comparable in skill and quality to those crafting proprietary software.
Compare this against popular closed-source software packages built and maintained by private companies and then sold or licensed to end-users. These companies invest in the development and iteration of their software packages, and from there, they support them as well. These two models differ primarily in terms of your "ownership" of the code that powers these particular platforms. For some businesses, this doesn't matter much, as the license model means little to their day-to-day concerns. For others, it matters a great deal. But for security, remember that the term "open-source" says nothing about how safe a software package may or may not be. It merely means that the license makes it freely available for use and modification, and that it is primarily supported by a community, not a private company. (Though, keep in mind, companies routinely open-source their products and allow the community to take it from there.)
Misconception: Since Anyone Can Access the Code, They Can Easily Compromise It
This is a common thought I hear from clients: "If the code is freely available, can't anyone analyze and therefore take advantage of it?"
In all honesty, the best hackers aren't often looking at the source code of the systems they are trying to manipulate. So typically, this isn't even an issue. The fact is, almost any code can be infiltrated or manipulated. So how does open-source software compare?
In Truth: Open Source Code is More Scrutinized and More Transparent
Yes, you read that right. Because of mass adoption, open-source software is scrutinized at a higher level than closed-source systems. And, on top of that, you have higher levels of accountability. The fact is, more and more companies and even governments are using open-source solutions. This means these systems are being regularly scanned and amended for security concerns. When concerns are found, the community is quick to respond with patches and updates.
Despite what many may think, proprietary, licensed software isn't necessarily more secure. The companies that provide such software do not have to detail the security flaws they find or are patching as they release updates to their systems. The amount of transparency from those vendors is simply not comparable to that of open-source communities, which often find and patch security flaws quickly as they are discovered. You might not even be aware of a problem with your software until a patch is produced, and even then, you may not know precisely what happened under the hood that required a patch in the first place.
Who Invests More Effort?
Another area to consider is who puts more time and effort into software development, and what motivations the parties have. In the case of open-source software, you have a deep community of coders working together to build these platforms and make them available. Frequently, they push back deadlines and anticipated launch dates to get things right. In the closed-source world, "shipping" is everything. As such, deadlines must be kept even when the software is perhaps not in a finished state. But no one ever really knows, because there isn't always transparency in the license model.
So Why Does Open Source Have a Bad Rap?
This is a tough question, but I think it's a combination of a few factors. First, you have the fact that there is a much higher amount of installed open-source software out there than proprietary solutions. You'll have more installations of WordPress on the open internet than, say, Sitecore. As such, many more people are seeking to compromise them, often via automated bots. Sadly, many people using open-source platforms do so to save money, and they may not be adept at securing them to industry standards. They don't budget for updates and run into security hassles later.
Secondly, you have the transparency issue, as explained above. Since we hear more about open-source security updates, we have a recency or availability bias that makes us believe that the software is indeed less safe. This is a common heuristic that we shouldn't discount, but trust me, all software has its security issues at times, not just open-source.
Finally, the bad rap is also because software vendors use it as a sales ploy. "Don't trust XYZ, because it's open-source, and you know they have security concerns." Sadly, this tactic is all too often used, despite being dramatically misguided.
Need a Vendor? No Problem!
I feel another misunderstood element of open source is the idea of who supports it. For example, take Drupal as a Content Management System (chosen not for any reason other than I have probably mentioned WordPress in almost every other blog post!). Drupal is a highly capable CMS with the ability to handle sophisticated document models and large-scale deployments. Should an enterprise consider this package off-the-shelf?
Well, being an open-source guy at heart, I'd say yes – they should. But I understand that the enterprise has different requirements and as such, it must meet specific criteria, one of which is the support of a qualified vendor. In this case, it doesn't mean Drupal is a non-starter. It just means that you need to consider an enterprise-scale partner capable of formalizing it to a corporate standard. In this case, you have Acquia, which has done a great job of transitioning Drupal into a Gartner Magic Quadrant leader in content management.
Drupal isn't alone, either. Other offerings such as WordPress VIP have done the same thing, taking open source projects to the next level and making them enterprise-friendly. These products essentially nullify any arguments against the open-source approach in the enterprise based on the feature set and support provided as part of the offering.
Open-source projects have a lot of things going for them. They have the freedom to push deadlines to get things right, the honesty to report their findings even when there may be a security flaw, and a higher standard of accountability to their community and end-users. As such, the idea that open-source software is risky from a security perspective is not entirely accurate and may be the opposite of the truth.
My recommendation is to understand that, from a risk perspective, open source may carry slightly higher risk, and as such, it should be known from the get-go that you must treat maintenance as a serious budgetary line item. Luckily, almost every open-source software package can reach levels of compliance on par with proprietary systems. So, implementing audits and remediation to assure compliance with written security standards is a good starting point for ensuring a secure environment regardless of the software package you have chosen.
With due diligence applied to the solution in mind and an ongoing maintenance plan in place, enterprises should feel comfortable that open-source technology is a safe and secure place to put their trust and invest their budgets. In many cases, the speed to market, lower ongoing development costs, and agility in adapting to market conditions and requirements make open source, more often than not, the better choice.