Open source software projects have long been celebrated for their role in driving innovation, their low cost to users, their potential for customization and more. At the same time, many people remain skeptical of the security of such projects, assuming that the total accessibility of the code makes it easier for attackers to find weaknesses or even actively implant malicious changes to the code base themselves.
However, many experts suggest that open source can be safer than closed projects because it incorporates more code review and developers can resolve issues more quickly. Some have suggested that it would benefit large projects such as Oracle’s Java to go open source and leverage their user communities to improve security.
Why open source works for security
Although many people tend to think of open source projects as using a collaborative, amateur-driven environment similar to Wikipedia that allows anyone to make changes, this type of ad hoc tinkering is not a common approach, a recent SC Magazine article noted. Open source projects tend to be large undertakings mostly managed by professionals working for companies that make money from the software in some way, and new additions are generally submitted to peer code review before they are entered.
Paul Wander, co-founder of open source web development company Inviqa, told the publication that security ultimately comes down to the quality of a piece of software, and the ambition and scope of open source projects generally means that they are high quality undertakings being handled by talented engineers. Lamar Bailey, director of security research and development at nCircle, agreed, adding that large communities create particularly strong projects due to having more expert eyes looking over the code for issues.
“Popular open source software packages with hundreds of contributors reviewing and modifying the code are more likely to be secure because some of the contributors are probably security-savvy, so the likelihood that they will find and fix security issues is high,” Bailey told SC Magazine. “Less popular open source software with fewer contributors may not undergo the same scrutiny and may be more likely to contain easily exploitable vulnerabilities.”
Another quality of open source projects is that their large user communities drive rapid evolution of the software, and security issues are addressed more quickly, Rafael Laguna, CEO of software company Open X-Change, told SC. Although quality can vary according to how robust the user community is and how many people are actively contributing, open source projects generally involve similar resources to closed ones and augment security by bringing in more eyes.
“If the same people with the same skills, using the same processes, were to produce software under both a proprietary model and an open source model, the results would likely be the same,” Laguna said. “Open source projects, however, can have the advantage of a peer review from a large community of knowledgeable supporters, and this cannot be understated.”
Drawing on open methodologies
In a recent post, InfoWorld columnist Simon Phipps suggested that Oracle could benefit from bringing in a larger user community to help address the widespread security issues in Java. Phipps noted that the company’s current approach to security barely involves even trusted partners, making it difficult for changes to be validated or integrated into other products before they are released. Although Oracle has a very talented security staff, its approach means that the burden of finding, fixing and testing errors falls on this group alone. The company could be one in particular to benefit from bringing in additional labor, as much of its work is in paying off a long-time “technical debt” in Java that comes from before Oracle owned it.
“Proprietary projects are often forced to be solely feature-focused, prioritizing customer needs and marketing schedules over the gruntwork of keeping the code clean,” Phipps wrote. “Open source projects with a large and healthy community are in a much better position to bypass the problem of technical debt, as community members will often pour enthusiasm and expertise into resolving the backlog.”
While going open source does not make sense for many companies, adopting the same mindset of constant review that involves a large network of collaborators and expert eyes can be valuable for strengthening code, catching errors and eliminating technical debt. Instead of relying on a large user community, smaller or more sensitive products can enlist third-party code review tools and services.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.