Open source brings many advantages to enterprises, such as pricing. However, in increasingly security-conscious enterprises it can be unclear how open source software fares on cyber security.
CBR looks at some of the major security pros and cons.
The main advantage of open source from a security perspective is the vast community that contributes to open source software.
The sometimes thousands of pairs of eyes mean that the software is subject to stringent and thorough examination from dedicated coders.
Additionally, security companies can use their vast resources to look at the code. For example, many of the major vulnerabilities in the Android operating system, such as Stagefright, have been found by professional cyber defence companies.
Proprietary software, on the other hand, may only pass through three or four tests before it is shipped to customers.
As well as finding security vulnerabilities that might be exploited by hackers, open source also guarantees a degree of transparency with the security vendor themselves.
For companies that are extremely concerned about privacy, this means that they can be completely sure that there are no ‘backdoors’ in the products.
Since open source software can be modified by whoever wants to, this gives individuals and organisations unlimited scope to tailor the security of a piece of software to their own needs.
Organisations may have differing priorities or requirements, and may wish to harden a particular part of a software product to guarantee they have covered this.
It also means that software can be tailored to meet differing compliance requirements, for example when used in different countries.
Open source can also speed up the update process, as the community of developers can quickly fix a bug and issue an updated version of the software.
The users are then able to choose whether to use this fix or wait for an official version.
This prevents the update from having to go through the company and means users can take more control over updating their software.
The cons of open source security are in many ways the mirror image of the pros. The fact that the source code can be viewed and modified by anyone also means that attackers can scan the code for vulnerabilities.
Opinion is divided on whether this disadvantage outweighs the advantages. While the community of coders involved in open source can be huge, bringing the advantages of the ‘wisdom of crowds’, it is not guaranteed that these large numbers of people will be inspecting every single bit of code.
All of this depends on the level of sponsorship a piece of software receives. If it is a small number of people looking at the code, they may be outfoxed by a team of dedicated hackers.
Again, while any security professional is able to edit open source software according to their needs, it is also possible that open source software could be manipulated by a hacker. For example, the hacker could distribute malware by embedding malicious code into the original open source distribution.
The basic open source programme might perform the same useful features and look much the same as the real software, but with malware embedded in it.
The fact that open source software is often available to download from many different locations on the web can make it harder for users to tell whether they are getting the programme they wanted.
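The practical defence against a tampered copy served from an arbitrary mirror is to check the downloaded artifact against the digest the project itself publishes (typically a `SHA256SUMS` file on the project's own site, ideally one that is also signed). The following is an added example, not code from CBR or from any project mentioned above: it parses a `sha256sum`-format listing, hashes the file in chunks, and compares in constant time. The file name `tool.sh`, its contents and the checksum listing are all constructed here for the demonstration.

```python
import hashlib
import hmac
import os
import tempfile


def parse_sha256sums(text):
    """Parse lines in the sha256sum format: '<64 hex chars>  <filename>'.

    Returns {filename: digest}. Blank lines and '#' comments are skipped;
    a leading '*' on the filename (sha256sum's binary-mode marker) is dropped.
    """
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed checksum line: {line!r}")
        digest, name = parts
        entries[name.lstrip("*")] = digest.lower()
    return entries


def sha256_of_file(path, chunk_size=1 << 16):
    """Hash a file in chunks so large downloads do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, sums_text):
    """True only if the file is listed in sums_text and its digest matches.

    An unlisted file is treated as a failure rather than 'unknown', so a
    renamed or extra artifact cannot slip through as verified.
    """
    expected = parse_sha256sums(sums_text).get(os.path.basename(path))
    if expected is None:
        return False
    return hmac.compare_digest(sha256_of_file(path), expected)


# Constructed sample: the 'genuine' script a project would publish.
GENUINE = b"#!/bin/sh\necho 'hello from the real tool'\n"


def demo():
    """Verify a genuine copy, then the same file after a modification.

    Returns (result_before_tampering, result_after_tampering).
    """
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "tool.sh")
        with open(path, "wb") as f:
            f.write(GENUINE)
        # The project's published listing, built here from the genuine bytes.
        # In practice this comes from the project's own site, not from the
        # same mirror that served the download.
        sums = f"# constructed SHA256SUMS\n{hashlib.sha256(GENUINE).hexdigest()}  tool.sh\n"
        before = verify_download(path, sums)
        # Simulate a modified copy: any change to the bytes changes the digest.
        with open(path, "ab") as f:
            f.write(b"# injected line\n")
        after = verify_download(path, sums)
        return before, after


if __name__ == "__main__":
    print(demo())  # expected: (True, False)
```

A checksum only proves the file matches what the checksum's publisher intended, so fetch the listing from the project's own site over HTTPS (or verify the project's signature on it) rather than from the same mirror that served the download; otherwise whoever altered the file can alter the listing to match.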