The Myth of Open Source Security

Last Updated: August 21, 2021
An author of the open source Mailman program explains why open source is not as secure as you might think — using security holes in his own code as an example.
The Myth of Open Source Security
EarthWeb is reader-supported. When you buy through links on our site, we may earn an affiliate commission.

The thing about open source software projects is that they can be a lot more secure than close source projects.

In saying this, though, the things that make open source programs safe, like being able to access the source code, and the reality that there are a huge number of people that can fix holes in the security system, can also be cause for a false sense of security.

The idea of open source being protected and safe comes from the idea that there are many people looking at it.

With many people looking at a program’s source code, then surely security issues are a lot more likely to be located and eradicated, right?

Why do programmers choose to look at source code? For the most part, it’s for selfish reasons – they have found open source software that they find helpful, and they want to adjust it to suit their personal needs.

Sometimes, the source code attract scepticism to make sure that it meets certain requirements, even when the person has no intention of doing anything to it.

Brands that need a high level of online security, for example, might review the code as part of their general security audit. Of course, this could be done for any software product where the source is open to the public.

The thing about source code is that it can also attract the attention of the programmer, for reasons of personal gain.

There are some people that might hope to find security issues within code, so that they can create a name for themselves in the security network.

Perhaps they have an altruistic side, and they want other people to know about any security issues.

There are many programmers out there that are willing to share information about security breaches and sources of vulnerability, including posting this information to a mailing list so that it’s not so out in the open.

The reality is, there is always going to be someone feeling sceptical about source code, because they want to locate something that nobody else has.

You Might Not Always See it

When people are motivated to scrutinize a source code for whatever reason, it is easy to make the assumption that the open source software has been carefully looked over, and as a result it is safe. However, this isn’t necessarily true.

There are actually a lot of things that can discourage people from looking at a source code. Of course, one reason for this could be that it looks like a huge mess, and you can’t be bothered unravelling it.

When source code is hard to understand and decipher, then naturally there are going to be fewer people looking at it.

People that use source code programs are likely to look at the source code when they think they see something that they would like to be different.

Sadly, this doesn’t necessarily mean that the program gets a free security audit, it just has people looking at certain parts of it that they want to change.

A lot of the time, this is just a tiny part of the entire source code. The other thing is that if someone is distracted with the idea of adding something to the source code they aren’t necessarily on the lookout for security breaches.

A lot of the time, software developers have a habit of ignoring security completely, and then trying to attach it at a later date.

Or, even worse, there are some programmers out there that don’t actually know all that much about security. There are a lot of programmers out there that know a little bit, but many of them don’t understand as much as you might think, certainly not enough to keep the source code secure.

An example of this is that it’s common for developers to use cryptography, but it’s also common for them to misapply it, which could end up destroying the security of a system completely.

It’s also common for programmers to accidentally add information leaks to the program. This way, the encryption weakens, and it can easily be infiltrated and broken.

In general, cryptographic protocols are a lot more complicated than you might think, and can easily be gotten wrong.

Way Too Trusting

So, despite what is conventional in terms of programming wisdom, the reality of lots of eyes on a source code doesn’t necessarily make it more secure. This is likely to make people at least feel like it is secure.

As a result, the open source community in general becomes way too trusting.

When you’ve got source code that is trusted by the community as a whole, the risk of it being hacked or phished by someone who knows what they’re doing becomes greater, and then the entire system can be taken down easily, without too much trouble.

This is why it’s important that a company is able to school its programmers on what good security looks like when it comes to source code, and how to implement good security measures, so that when they go in to change something about the source code, these security measures aren’t weakened in any way.

Having a secure source code is numero uno when thinking about maintaining a good level of security around all of your company’s data online.

Featured Posts

[wp_show_posts id="10136"]

Stay on top of the latest technology trends — delivered directly to your inbox, free!

Subscription Form Posts

Don't worry, we don't spam

Written by Bobby

Lifestyle / Tech / Business. Love it!