The use of open source components is booming. According to analyst firms such as Forrester, Gartner, and 451 Research, 80-90% of all commercial software developers use open source components and make them an integral part of their software.
However, following recent security vulnerability events such as Heartbleed, Shellshock, and Poodle, the debate over security of open source components has intensified.
In this post, I would like to make the claim that open source components are often SAFER than the average commercial closedsource software.
Here are my arguments:
- Many more eyes are looking to find and fix problems. One of the arguments used by opponents of open source components has been that since the code is open, it’s easier for hackers to find security vulnerabilities and other weak points. The counterargument is that the same problems are likely to be discovered, faster, by white hat hackers, contributors (many open source projects have hundreds or thousands of contributors), and users (even if most open source users are not reviewing the code when they first adopt it, they may do so if and when they encounterbugs, or want to modify the code to their needs).
- Open source projects fix vulnerabilities and release patches and new versions a lot faster. When vulnerability in an open source project is reported, especially if it’s a high severity one, a fix is often released within a day or two. In contrast, commercial vendors necessarily have longer update cycles. The reasons for that are many:
- Commercial vendors may have fewer people working on a given project
- Commercial vendors prioritize software updates based on commercial and financial considerations
- Many commercial vendors still haverelease cycles of 6-12 months, so even if a vulnerability is fixed it may take long to release the fixed version to the market
- If the open source is developed by a commercial company, high visibility creates urgency to fix issues, and may even lead to better code in the first place.
Security researchers often complain that it can take months and even years for some vendors to address a vulnerability they have discovered. And if it takes long to fix and release, customers remain exposed.
- Practically all commercial software uses a healthy chunk of open source, but in many cases it is not appropriately managed. Modern commercial software developers do not reinvent the wheel. They develop their own capabilities on top of (quite a lot of) open source components, which often make up over 80% of the total lines of code. Thus, commercial software is already susceptible to open source vulnerabilities. Unfortunately
- Many commercial vendors do not properly track and manage the security of their open source components (try to ask your vendor for anupdated list of open source components)
- As explained above, if the commercial vendor does not release often, fixes to bugs and vulnerabilities take a long time to make their way into the released product
- Popular open source projects are less likely than commercial closed source software to include bugs and security vulnerabilities.
- Popular open software projects are likely to fix bugs andvulnerabilitiesand release the fixes faster than commercial software.
WhiteSource, a company that creates solutions to manage open source licenses, shows that over 95% of vulnerable open source components found in 6450 commercial software projects researched had newer versions that fixed the problem.
How can all this help you build better software?
- Don’t reinvent the wheel. Whenever possible, use open source components to build better products. The products will be safer than if you develop everything on your own (and have to fix your own bugs and security issues), or if you rely on a third-party commercial vendor with limited resources.
- Know what you are using. Most open source components rely on other components (dependencies). You need to track all these components
- Track the public security vulnerability databases (CVEs) to be immediately aware of issues in open source you use, and be quick to patch whenever a fix is available.
And of course you can use WhiteSource to do all this for you, automatically and effortlessly.