“An open-door house or a closed-door house.” Which one is more secure? Most of us will say the closed-door house. You may well be right, or you may be wrong: it depends on how you look at it.
Now consider the house as a piece of software and ask the same question: which is more secure, open source or closed source?
With the evolution of the digital world, everyone expects software that is more secure, reliable, cheap, fast and easy to use. To meet that need we are leaning more and more on open source tools, libraries, compilers, language packs and so on. But when the complete code is open to all, how can it be safe from attackers who have detailed knowledge of the source used in the product? Is that worrisome?
Interestingly, open source products are nevertheless gaining popularity faster than closed source ones. Take, for example, the two most widely used and best-known operating systems, Windows and Linux. Everyone will tell you that Linux is much more secure than Windows.
The reason for Linux's better security is that it is open to all and resilient to new vulnerabilities and challenges. Resilience here means the whole cycle: bug detection, solution preparation, fixing, and retesting for closure. Because the Linux source is accessible to everyone, anyone can research it and find and correct its flaws. In Windows, by contrast, the source code is accessible only to a closed group of employees, so the potential to find and fix issues is correspondingly limited. For solution preparation, Linux has an open community that can discuss and adopt the best fix, and it keeps the same flexibility during fixing and retesting. Windows does not have the same flexibility in solution design and fixing, and as a result vulnerability fixes are inevitably delayed. Any leak of such vulnerability details by a researcher therefore poses a real threat to all Windows users.
Let’s move beyond the operating system. In a market flooded with open source, many teams pick whichever code library is most readily available to meet their demand; others stick with branded vendor software for the assurance of authenticity.
Overall, both models have advantages and disadvantages when used or integrated, but open source has the stronger position. Certainly, some security hardening has to be done when adopting open source in software development. Here are a few best practices that will help raise the security standard of the resulting software.
- Use the latest version of every open source component
- Continuously check for newly disclosed (0-day) vulnerabilities
- Remove unwanted libraries and functions
- Verify the authenticity of the open source you download
- Scan the source code against standard security regulations
- Obtain a security report from the open source software vendor
- Before using open source libraries, run a dependency check with OWASP Dependency-Check
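As an added example (not code from the article or from TCS), the following Python script automates two of the checklist items above: verifying a downloaded open source artifact against its published SHA-256 checksum list, and failing the build when a Dependency-Check style report contains a finding above a CVSS threshold. The report layout is a simplified assumption of Dependency-Check's JSON output, and every file name, file content and the CVE identifier are constructed placeholders.

```python
"""Checklist automation: artifact authenticity check plus report gating.
Report layout is assumed/simplified; all sample values are constructed."""
import hashlib
import hmac
import json

# Constructed "downloaded" library bytes and the checksum list a maintainer
# would publish beside it (sha256sum format). In practice the list comes
# from the project's release page, never from the same download.
ARTIFACT = b"example-library-1.2.3 contents (constructed)\n"
PUBLISHED_CHECKSUMS = (
    hashlib.sha256(ARTIFACT).hexdigest() + "  example-library-1.2.3.tar.gz\n"
    + "deadbeef" * 8 + "  other-file.tar.gz\n"
)

def verify_artifact(data: bytes, filename: str, checksums: str) -> bool:
    """True only if filename is listed and the SHA-256 of data matches it."""
    expected = None
    for line in checksums.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1] == filename:
            expected = parts[0].lower()
    if expected is None:
        return False  # unlisted file cannot be verified, so reject it
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected)

# Constructed report; CVE-0000-00001 is a placeholder identifier.
SAMPLE_REPORT = json.dumps({"dependencies": [
    {"fileName": "example-library-1.2.3.tar.gz",
     "vulnerabilities": [{"name": "CVE-0000-00001", "severity": "HIGH",
                          "cvssv3": {"baseScore": 8.1}}]},
    {"fileName": "other-lib-0.9.jar", "vulnerabilities": []},
]})

def findings_over_threshold(report_json: str, min_score: float = 7.0) -> list:
    """Return (dependency, vuln id, score) for each finding whose CVSS v3
    base score is >= min_score. An empty list means the gate passes."""
    report = json.loads(report_json)
    hits = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities", []):
            score = vuln.get("cvssv3", {}).get("baseScore")
            if score is not None and score >= min_score:
                hits.append((dep["fileName"], vuln["name"], score))
    return hits

if __name__ == "__main__":
    print("checksum ok:", verify_artifact(ARTIFACT, "example-library-1.2.3.tar.gz", PUBLISHED_CHECKSUMS))
    for dep, vuln_id, score in findings_over_threshold(SAMPLE_REPORT):
        print(f"BLOCK BUILD: {dep} has {vuln_id} (CVSS {score})")
```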
Authored by Ajit Kumar Meher
TCS Enterprise Security and Risk Management