Open Source Security

Safe and unsafe.

A report

says that Open Source Software is more vulnerable than Closed Source:

Advocates of the open-source process often claim that their products are more

secure thanks to the larger number of people poring over the code

This is one of the most widespread fallacies about Open Source code. 

The truth is that Open Source developers spend much more time writing code than

reading it.  And it makes sense, right?  You are most likely

contributing to an Open Source project to have some fun on your spare time, and

what fun is there in trying to make sense of code written by an unknown

developer living probably on a different continent than yours?

Since there is no fun in doing that, there needs to be an incentive, like

money.  The bottom line is that fixing security flaws in Open Source software can

only happen if the project is backed by a company that is actually paying a

salary to the members of the project, and if the said company has a clear

interest in having this security hole plugged.

Short of having that, Open Source is just as unsafe as Closed Source is. [Otaku, Cedric’s weblog]

Yes. All source code has the potential for security flaws. The real differentiator for open source is the sheer speed with which flaws are tackled once discovered. Its usually on the order of days. Compare the amount of time it takes the FreeBSD team to release an operating system patch once a hole is found with, say, your favourite proprietary desktop operating system.

Open source projects also tend to generate more loyalty and pride of workmanship from their developers, so a higher level of care tends to be taken over the work. Paraphrasing (poorly) from somewhere, you’re only as good as your last commit. When all the world can see your code, bad as well as good, would you not be a little more hesitant about releasing cruft?

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s