Can open source be secure?
The debate by IT security experts regarding the use of open source in a business environment, and the impact of this on IT security, is a mature one. Experts do not agree about open source security in terms of whether there is an advantage or disadvantage to its use in the business world.
The reality of open source security is that open source has its advantages and disadvantages. The most widely used argument for not using open source is the additional layer of security through obscurity a closed application provides.
This argument is misleading. An open source operating system contains many thousands of lines of code, and the complexity of reading and understanding the entire open source code and then spotting and exploiting vulnerabilities in the code is an arduous task that is difficult and often requires highly specialist knowledge.
On top of that, when speaking to many open source users, penetration testers and hackers, you could count on one hand the number that would even be interested in reading and understanding such large applications. They prefer to use the open source operating systems and the plethora of tools that have already been written to test closed source applications. It’s just that much easier.
Although the argument for security through obscurity is a powerful one, its significance is overplayed within the open source debate as a serious attempt to find a system vulnerability begins with the attacker writing a specific application to look for system vulnerabilities – a tactic that works equally well on open and closed source systems.
Open source in business can offer organisations a significant advantage and should not be overlooked because of concerns over security. Although this is an important issue to any organisation, data and system security can be equally or more secure with an open source system than the alternative.
Both open and closed source systems have advantages and disadvantages. Although security experts are unlikely to unanimously agree on the best route for an organisation to take, it is critical that organisations protect their most important asset, their data, regardless of which path they take.
Can open source be secure in business? Yes – but organisations should not rush into an open source system without considering all of the other issues that come as part of the package. Ultimately open source is a moving target, closed source is a stationary target – both are targets that need protecting.