This article caught my eye… Lasse Andresen of ForgeRock explains why he thinks open source software is more secure than you think. I agree with many of his points; however, you need to understand a few things before reading his article and jumping all in to open source. First is my usual rant that “security” can’t be measured; it should instead be based on risk, which is at least somewhat measurable. Based on that more measurable value, I would rather have seen this article titled “Open source software offers organizations less risk than you think.”
Now that we’ve cleared up the terminology problem, the next issue to tackle is whether his arguments hold up. Here I’ll fall back to my standard infosec response … it depends … and in this case it depends on risk, as you might have guessed. If your organization has the resources to support open source software, then yes – using open source software is less risky. All of Lasse’s points fall into place nicely. But if you don’t have those resources, or are not willing to invest in them, then in most cases closed source software is probably the winner.
According to a recent survey by Black Duck Software, there are more than one million unique open source projects today, with a projected growth of around two million by 2014. Open source is growing in the enterprise, but oftentimes when people think of open source, they are concerned about the potential security issues. But, those security concerns are merely myths. So, what is the reality when it comes to open source software security?
The first myth is that open source software is vulnerable to security threats due to access to code, which is not evaluated thoroughly. The truth is that with open source code, a diverse developer community works together to forge the initial solution, but they also work together to solve problems and produce new releases. The result? Fewer bugs and quicker fixes. Further, users have the opportunity to evaluate and critique the actual code – not just how it works, but how it was written to work. Because of the nature of the open source community and the fear of losing credibility, developers take great caution in releasing code with their name on it. Since their work is open to a public audience for critique and evaluation, open source developers are constantly striving to develop a product that will earn them respect and credibility from their fellow open source peers.
The next challenge that needs to be addressed is the perception that open source is not “enterprise-ready.” Considering that companies like Google and Amazon have hundreds of thousands of enterprise customers who use their open source software and Red Hat, SugarCRM and Netflix are at the forefront of open source innovation, it is surprising that this myth still exists. Open source allows enterprises to customize solutions that meet their exact needs, without forcing them to fit into a pre-defined box to solve their IT challenges.
Today’s post pic is from Wikipedia.org.