Security concerns are the main reason why most companies and startups are hesitant to use open source software (OSS) in their projects. When part of a project’s code is open, it seems vulnerable to security threats and more likely to be copied. In this article we’re going to debunk some common myths about the security of open source solutions.

1. Anyone can read open code and take advantage of bugs

While open source code can be read and compromised in principle, in practice the situation is much more complicated.

First, according to expert opinion, people who break software don’t actually need to look at the source code. For an experienced developer there’s no need to dig into thousands of lines of code to find a vulnerable piece. So why do people claim that open source code is insecure?

In reality, any kind of code (closed source or open source) brings security threats to a product. Ultimately, it’s developers who make open source code secure or insecure; insecurities arise due to a number of mistakes such as:

• not following security guidelines
• improperly setting up software
• using easy passwords
• lack of data validation processes
• absence of data encryption techniques

The second reason why the situation is more complicated in practice is because the fact that anyone can read code actually increases your chances of finding and fixing bugs. Open source projects, as a rule, have vibrant communities that continuously support them and check them for flaws. Also, developers care about their reputations, and want to show off code that’s written in accordance with best practices and want to find and fix potential security vulnerabilities.

2. No financial incentive means no motivation to make OSS secure

Actually, many successful open source products have become profitable for the teams behind them. For instance, Mozilla gets a significant part of the revenue from Firefox for user click-throughs on search page ads. Most projects of this caliber have their own security response teams dedicated to patching vulnerabilities.

In the case of open source tools that aren’t profitable, when a vulnerability is found, the open source project team will usually either immediately fix it (since their reputation is at stake), or disclose the issue publicly so that all those implementing the code can take appropriate measures — for example, switching off the vulnerable functionality or setting other hardware and software to avoid using the affected functionality until it’s fixed.

As far as the motivation to develop open source software is concerned, each individual developer in the OSS community is motivated to offer a high-quality product with no major flaws in order to prove their own competence. On the other hand, businesses are often limited in many ways (money, time, business objectives, etc.), and thus may actually limit the amounts they invest in product security. Because open source developers are personally motivated to work on the projects they select, the result is a thorough development process with fewer vulnerabilities in public releases.

Originally published here 

Open Source Software Security