Blog Post
Is Open Source More Secure than Proprietary Software?
Interestingly enough, the absence of Source Code makes no longer possible to find out what a piece of software is actually doing. This is a huge avenue for vulnerabilities (and other nasties) to reside.
Open Source vs. Proprietary Software
Millions of users routinely engage in a high level of trust when using Proprietary Software. The problem of blind trust can become a major issue when the subject is software. Proprietary software doesn’t allow users to inspect the source code. This creates a situation where the user has to hope that everything in the code functions as promised.
Only the vendor is capable of fixing any code that is discovered to be broken or faulty on a closed source product. This can be difficult for a user who is already accustomed to verifying code before trusting the product. It’s also an issue for users who are willing to pay others to verify the source code. In general, the problem with closed source code is that there are only a limited number of people reviewing it, and this makes errors more possible. Essentially, close sourced products can’t be verified, and the code can only be fixed by the vendor.
Security professionals who discover problems in closed source code might also face internal pressures to not report the problem. Threats of litigation can deter people who do find errors or bugs from reporting them, and this creates an internal culture that can be hostile to security professionals.
Comparing Open Source
The same thing is true for open source software products like the the popular 3D program, Blender. Trust is necessary for users who expect the code to work as promised. There is no way to tell if the code is more secure than a closed source product, but the user is perfectly able to go into the code and take a look.
If a problem is discovered, the user can either fix it directly or give it to someone else who knows how to fix the bug. Open source code allows users to verify the code or pay someone to perform this verification. The code can be fixed by the user without the intermediary step of contacting the vendor for the solution.
Compounding Security Risks
Vulnerabilities also require an open connection in order to exploit. Instead of focusing on what point to begin trusting the code’s integrity, this argument seeks to point out that most of the vulnerable openings occur much later in the process anyway. For example, routers filter out many threats before they ever make it onto the system.
Evaluate the trustworthiness of the software based on the big picture instead of the details. For example, the framework of advantages compared to disadvantages is a more useful way of viewing the situation. Consider the advantage of the open source software code. It can be reviewed by anyone. However, the disadvantage is that the people looking at the code might choose to exploit a vulnerability instead of report the problem to get it corrected.
Vulnerability Scanners and Cybersecurity
End users are in the position where they have to trust that the source code was fixed instead of exploited, and this remains true whether the source code is open or closed. Other failures account for a much higher percentage of security flaws than the selection of open or closed source code.
Examples include the data validation process, encryption, password security and following generally accepted security guidelines. Some of these problems can be detected by a Vulnerability Scanner such as SCANDABLE, but others require more in-depth scrutiny to uncover. Cybersecurity is a constant balancing act with different priority levels and risks involved.
Trust and Software
The issue of software security boils down to the issue of trust. Trust must begin at some point along the chain, so users need to evaluate the whole situation with this in mind. Developers are always concerned about maintaining a good reputation and this is an area where open source tends to out-perform proprietary software.
Volunteers who care about the quality of the project will put their expertise to work in order to make it successful. To download any software product requires the user to engage in a level of trust that is unprecedented within the context of the digital age.