Three Myths Debunked About Open Source Software Security

Author: Ievgen Cherkashyn

Security concerns are the main reason why many companies and startups are hesitant to use open source software (OSS) in their projects. When part of a project's code is open, it seems more exposed to security threats and more likely to be copied. In this article we're going to debunk some common myths about the security of open source solutions.

1. Anyone can read open code and take advantage of bugs

While open source code can be read by anyone, and its flaws can in principle be exploited by anyone who finds them, in practice the situation is much more complicated.

First, according to expert opinion, people who break software don't actually need to look at the source code. Vulnerabilities are routinely found by probing a running program with unexpected input (fuzzing and other black-box testing) or by analysing the compiled binary, and both approaches work just as well against closed source. An experienced attacker has no need to dig through thousands of lines of code to find a vulnerable piece. So why do people claim that open source code is insecure?

In reality, any kind of code (closed source or open source) can bring security threats to a product. Ultimately, it's developers who make code secure or insecure, and insecurities arise from a number of mistakes such as:

  • not following security guidelines
  • improperly setting up software
  • using easy passwords
  • lack of data validation processes
  • absence of data encryption techniques
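
The point of the list above, and of the claim in section 1 that attackers don't need the source, can be made concrete. The following Python example is added here and is not code from the original article: it shows a file-serving function with no input validation (the "lack of data validation" item) next to a hardened version, and a black-box probe that finds the flaw purely by sending inputs, without ever reading either function's code. All directory names, file names and file contents are constructed for the example.

```python
"""Added example (not from the original article): the same missing-validation
bug is exploitable whether or not the attacker can read the source.
"""
import atexit
import shutil
import tempfile
from pathlib import Path
from typing import Callable, List, Optional

# Constructed sample tree: a web root the application is allowed to serve from,
# and a configuration file one level above it that must never be exposed.
ROOT = Path(tempfile.mkdtemp())
PUBLIC = ROOT / "public"
PUBLIC.mkdir()
(PUBLIC / "index.html").write_text("<h1>hello</h1>")
(ROOT / "secret.conf").write_text("db_password=hunter2")  # constructed secret
atexit.register(shutil.rmtree, ROOT, ignore_errors=True)


def serve_file_insecure(name: str) -> Optional[str]:
    """Joins the user-supplied name onto PUBLIC with no validation at all.

    A name such as '../secret.conf' escapes the web root (path traversal).
    """
    path = PUBLIC / name
    try:
        return path.read_text()
    except OSError:
        return None


def serve_file_hardened(name: str) -> Optional[str]:
    """Same functionality, but the resolved path must stay inside PUBLIC.

    resolve() canonicalises '..' segments and follows symlinks before the check,
    so the comparison is made on the path the OS would actually open.
    """
    base = PUBLIC.resolve()
    path = (base / name).resolve()
    try:
        path.relative_to(base)  # raises ValueError if path is outside base
    except ValueError:
        return None
    if not path.is_file():
        return None
    return path.read_text()


def probe(serve: Callable[[str], Optional[str]]) -> List[str]:
    """Black-box attacker: no source access, just a handful of payloads.

    Returns the payloads for which the response contained the secret marker.
    """
    payloads = ["index.html", "../secret.conf", "./../secret.conf", "missing.txt"]
    leaked = []
    for payload in payloads:
        body = serve(payload)
        if body is not None and "db_password" in body:
            leaked.append(payload)
    return leaked


if __name__ == "__main__":
    print("insecure leaks via:", probe(serve_file_insecure))
    print("hardened leaks via:", probe(serve_file_hardened))
```

The probe needs nothing but the ability to send requests; hiding the source of `serve_file_insecure` would not have protected the secret. The fix is the validation step, not secrecy of the code.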

2. No financial incentive means no motivation to make OSS secure

Actually, many successful open source products have become profitable for the teams behind them. For instance, Mozilla derives a significant part of its revenue from Firefox through user click-throughs on search page ads. Most projects of this caliber have their own security response teams dedicated to patching vulnerabilities.

In the case of open source tools that aren't profitable, when a vulnerability is found the project team will usually either fix it immediately (since their reputation is at stake) or disclose the issue publicly so that everyone running the code can take appropriate measures, for example switching off the vulnerable functionality, or configuring surrounding hardware and software to avoid the affected functionality until it's fixed.

As far as the motivation to develop open source software is concerned, each individual developer in the OSS community is motivated to offer a high-quality product with no major flaws in order to prove their own competence. Businesses, on the other hand, are constrained in many ways (money, time, business objectives, etc.) and may therefore limit what they invest in product security. Because open source developers are personally motivated to work on the projects they select, the result tends to be a more thorough development process with fewer vulnerabilities in public releases.

Originally published here: Three Myths Debunked About Open Source Software Security