Open Source : Open but Secure?

ANTH374S18 · Apr 4, 2018 · 3 min read
https://hackernoon.com/lessons-for-creating-good-open-source-software-1b7bbbc13b13

This week, I read the article Open source software security challenges persist by Maria Korolov (https://www.csoonline.com/article/3157377/application-development/open-source-software-security-challenges-persist.html). This article discusses how open source software development has grown more popular for use by companies in recent years, with these companies often using open source software as the foundation of commercial software systems because of its low price and security benefits. But as the recent Equifax security breaches have shown, which involved open source programs falling victim to brute force password attacks, it seems that the security of open source software should be examined closely to determine its true effectiveness. Despite the Equifax breach, open source software usually has the reputation of being very secure, and is even seen as having security advantages over closed source software. This is because there are more “eyes” looking at the code to check for security flaws, and also because open source software can be opened and fixed by the current user immediately, whereas closed source software usually has to be fixed by the vendor of the software. On the other hand, open source code is used by many at a massive scale, on the order of billions of lines of code, and in reality the entirety of these open source projects is not being reviewed by the community for security errors. Often, companies don’t even know what open source components comprise their products, and it can be a challenge to know that these open source components have been found to be flawed and are in need of updates; if this is not done, the entire security of a product is potentially compromised. The proposed fix for this problem, since self-updating software isn’t always possible, is to use other programs like Black Duck and Snyk that scan these open source codebases and find packages and components that have security flaws.

https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/computer-security-disruption-tactics-security-experts-race-catch-hackers/

This article touches upon many of the same topics and ideas as this week’s class reading, Hacker Practice by E. Gabriella Coleman and Alex Golub. In the Hacker Practice article, the ideals that open source software is based upon, these being mainly freedom and efficiency, are discussed. Furthermore, Hacker Practice discusses how many proponents and supporters of open source development claim that “open source is a superior ‘development model’ for making software, in contrast to traditional approaches that used copyrights and patents” (Hacker Practice, p. 262). These two articles provide an interesting parallel to each other: Maria Korolov’s article provides a quantitative, real-world-example-based analysis of the effectiveness of open source software security, whereas Hacker Practice provides an analysis of the ideologies and morals that form the groundwork of open source development and, in theory, offer very secure software. Overall, I think both of these analyses are important during this time of rapid and widespread shifts to open source development in the software industry, and think they are both essential to ensure the world’s software infrastructure remains secure and well functioning.
