
Open source software and security

There has been much public debate on the security merits (or weaknesses) of open source software compared with proprietary software. These debates have frequently been driven by emotional arguments, triggered by the many high-visibility worms and viruses that have exploited vulnerabilities in desktop systems to disrupt networks.

Open source advocates argue that open source software is inherently more secure because fixes for discovered flaws are quickly produced and distributed. They further argue that early and intense code review by many eyes promotes better quality code.

The counter argument is that, while it may be true that bugs are fixed more quickly in open source, a collaborative, community-based development model is not a replacement for a sound system design.

Proprietary software advocates argue that open source software is inherently less secure because attackers can read the source of the very software intended to protect system data, and so can more easily find and exploit existing design flaws.

Keeping secrets rarely hurts security, but relying on the secrecy of the source code or of the security mechanism itself (security by obscurity) provides only weak protection: once the secret leaks, through a disassembler, an insider or a single observed message, nothing is left. This therefore does not support the argument in favor of proprietary software.

Deploying a clearly visible, strong door lock protects a house much better than hiding an unlocked door behind a bush and hoping that burglars cannot break in because they cannot find the door. An encryption method should protect the data even when its algorithm is well known; this is Kerckhoffs's principle, under which everything about the system except the key is assumed to be public, and the key is the only thing that has to be kept secret and can be changed when it is compromised.
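The lock-behind-a-bush analogy in code, as an added example that is not part of the original article: a hypothetical "secret algorithm" cipher whose only secret is a pad baked into the program, beside a keyed construction whose source is entirely public. The names `obscure_encrypt`, `keyed_encrypt` and `demo` are invented for this illustration, and the keyed cipher is an HMAC-SHA256 counter-mode stream with an encrypt-then-MAC tag, chosen only because the Python standard library has no AES; production code should use AES-GCM or ChaCha20-Poly1305 from a vetted library. All messages are constructed sample data.

```python
"""Security by obscurity versus a keyed cipher (Kerckhoffs's principle). Added example."""
import hashlib
import hmac
import secrets

# ---------------------------------------------------------------------------
# 1. "Security by obscurity": the transformation itself is the only secret.
#    Hypothetical vendor code: the pad is a constant baked into the program and
#    there is no key to rotate. Anyone who reads this function, disassembles the
#    binary, or simply observes one known message can decrypt everything.
# ---------------------------------------------------------------------------
OBSCURE_PAD = b"\x5a\xa5\x3c\xc3\x0f\xf0\x69\x96"   # constructed constant


def obscure_encrypt(plaintext: bytes) -> bytes:
    """XOR each byte with the fixed, repeating pad."""
    return bytes(b ^ OBSCURE_PAD[i % len(OBSCURE_PAD)] for i, b in enumerate(plaintext))


obscure_decrypt = obscure_encrypt   # XOR is its own inverse


def recover_obscure_pad(ciphertext: bytes, known_plaintext: bytes, period: int) -> bytes:
    """Known-plaintext attack: a message with a guessable prefix (a file header, a protocol
    greeting) reveals the pad. `period` is the repeat length the attacker reads off the
    ciphertext; no access to the source is needed."""
    return bytes(c ^ p for c, p in zip(ciphertext[:period], known_plaintext[:period]))


# ---------------------------------------------------------------------------
# 2. Kerckhoffs's principle: algorithm public, only the key secret.
#    HMAC-SHA256 in counter mode as keystream, plus an HMAC tag (encrypt-then-MAC).
#    Assumed construction for this example; it is not a standard cipher.
# ---------------------------------------------------------------------------
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out.extend(hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
        counter += 1
    return bytes(out[:length])


def _subkeys(key: bytes):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def keyed_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag, with a fresh random nonce per message."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def keyed_decrypt(key: bytes, blob: bytes) -> bytes:
    """Rejects any blob whose tag does not verify (raises ValueError) before decrypting."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def demo() -> dict:
    """Runs the same known-plaintext attack against both schemes; returns checkable results."""
    header_msg = b"HELLO v1"                      # constructed: predictable prefix message
    secret_msg = b"transfer 500 to account 42"    # constructed: the message worth reading

    # Obscurity: one known message breaks every other message.
    pad = recover_obscure_pad(obscure_encrypt(header_msg), header_msg, 8)
    broken = bytes(c ^ pad[i % 8] for i, c in enumerate(obscure_encrypt(secret_msg)))

    # Keyed: the attacker has this whole file. Known plaintext under one nonce yields only
    # that nonce's keystream, which does not decrypt a second message under another nonce.
    key = secrets.token_bytes(32)
    blob1, blob2 = keyed_encrypt(key, header_msg), keyed_encrypt(key, secret_msg)
    ks1 = bytes(c ^ p for c, p in zip(blob1[16:-32], header_msg))
    attempt = bytes(c ^ k for c, k in zip(blob2[16:-32], ks1 * 4))

    # Bit-flipping the ciphertext is caught by the tag; rotating the key retires old data.
    tampered = blob2[:16] + bytes([blob2[16] ^ 1]) + blob2[17:]
    try:
        keyed_decrypt(key, tampered)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    try:
        keyed_decrypt(secrets.token_bytes(32), blob2)
        rotated_out = False
    except ValueError:
        rotated_out = True

    return {
        "obscure_broken": broken == secret_msg,
        "keyed_known_plaintext_fails": attempt[:8] != secret_msg[:8],
        "keyed_roundtrip": keyed_decrypt(key, blob2) == secret_msg,
        "tamper_detected": tamper_detected,
        "old_key_rotated_out": rotated_out,
    }
```

Run `demo()` and every entry comes back `True`: the obscure scheme falls to a single known message without the attacker ever seeing the code, while publishing the keyed scheme's source gives the attacker nothing beyond the keystream of the one message they already knew. The practical difference is operational as well as cryptographic: a compromised key is replaced by generating a new one, whereas a compromised "secret algorithm" can only be replaced by shipping new software to every user.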

As any security expert will attest, the security of a system is directly related to the quality of its intrinsic design and the procedures governing its operation.

So, with regard to supporting security policies, the components of your IT infrastructure should be selected based on the soundness of their design, the commitment to security demonstrated by the vendor or project, and the functionality required to support those policies, not on the software development model that produced them.

Désiré has been musing and writing about technology during a career spanning four decades. He dabbled in website building and web hosting when DHTML and frames were en vogue and started writing about the impact of technology on society just before the start of the Y2K hysteria at the turn of the last millennium. Following an eight-year stint at ITProPortal.com where he discovered the joys of global tech-fests, Désiré now heads up TechRadar Pro. Previously he was a freelance technology journalist at Incisive Media, Breakthrough Publishing and Vnunet, and Business Magazine. He also launched and hosted the first Tech Radio Show on Radio Plus.