mirror of
https://github.com/LCTT/TranslateProject.git
synced 2024-12-26 21:30:55 +08:00
164 lines
8.5 KiB
Markdown
164 lines
8.5 KiB
Markdown
|
[#]: subject: (Is Open-Source Software Secure?)
|
|||
|
|
[#]: via: (https://news.itsfoss.com/open-source-software-security/)
|
|||
|
|
[#]: author: (Ankush Das https://news.itsfoss.com/author/ankush/)
|
|||
|
|
[#]: collector: (lujun9972)
|
|||
|
|
[#]: translator: ( )
|
|||
|
|
[#]: reviewer: ( )
|
|||
|
|
[#]: publisher: ( )
|
|||
|
|
[#]: url: ( )
|
|||
|
|
|
|||
|
|
Is Open-Source Software Secure?
|
|||
|
|
======
|
|||
|
|
|
|||
|
|
Being someone who prefers [Linux for desktop][1] and encourages using open-source software, you may expect the answer to the question raised in the headline with a big “**Yes**“.
|
|||
|
|
|
|||
|
|
But I am not going to limit discussing the benefits of open-source software. Let us explore more!
|
|||
|
|
|
|||
|
|
Here, I plan to share my thoughts on if open-source software is secure and what are the things involved in it that make secure or insecure.
|
|||
|
|
|
|||
|
|
### Why Should You Care if Open-Source Software is Secure?
|
|||
|
|
|
|||
|
|
No matter whether you use [Linux][2] or any other operating system, you will be surrounded with open-source software in some way (directly/indirectly).
|
|||
|
|
|
|||
|
|
To give you an example, most of the proprietary software tools depend on some form of open-source libraries to make things work.
|
|||
|
|
|
|||
|
|
Furthermore, there is a reason why companies of various scale (including Google, Microsoft, and Facebook) rely on open-source software or contribute their resources to the open-source community in one way or the other.
|
|||
|
|
|
|||
|
|
Hence, the security of open-source software is something essential to know about.
|
|||
|
|
|
|||
|
|
### Myths About Open-Source Software Security
|
|||
|
|
|
|||
|
|
![][3]
|
|||
|
|
|
|||
|
|
While there are several arguments to pitch the cons of open-source software in terms of security, some of them just do not make any sense.
|
|||
|
|
|
|||
|
|
#### Anyone Can See & Exploit the Code
|
|||
|
|
|
|||
|
|
The code is accessible to everyone, yes. But just because you can see the code—does that mean anyone can exploit it?
|
|||
|
|
|
|||
|
|
**Not really.**
|
|||
|
|
|
|||
|
|
Even though anyone can create a fork (or copy) of the software, the original software cannot be manipulated easily.
|
|||
|
|
|
|||
|
|
Usually, the project maintainer (or a group of them) manage the code repository and accept the commits from contributors. The code is reviewed before approval. And no one can hijack the code just like that.
|
|||
|
|
|
|||
|
|
**It takes effort for an attacker to exploit a vulnerability or add malicious code in a software, no matter if it is open-source or closed source.**
|
|||
|
|
|
|||
|
|
#### Without Dedicated Resources, Security Breaks down
|
|||
|
|
|
|||
|
|
Many believe that without dedicated employees or a team for an open-source software, it is difficult to maintain security.
|
|||
|
|
|
|||
|
|
In contrast, with several types of contributors joining and leaving, the software gets more attention from a wide range of developers.
|
|||
|
|
|
|||
|
|
And they may be able to spot security issues better than a few employees assigned for a proprietary software.
|
|||
|
|
|
|||
|
|
Some projects from the likes of Mozilla have a dedicated team to effectively iron out security issues. Similarly, most of the successful open source projects have plenty of resources to dedicate for security.
|
|||
|
|
|
|||
|
|
Hence, the open-source software ecosystem is a mixed bag for security. Even without dedicated resources, the projects get help from various contributors, and some are profitable to a great extent which helps them dedicate more resources.
|
|||
|
|
|
|||
|
|
### Open Source Software is Secure: Here’s How
|
|||
|
|
|
|||
|
|
![][3]
|
|||
|
|
|
|||
|
|
Now that we have tackled the myths, let me highlight how open-source software deals with security issues.
|
|||
|
|
|
|||
|
|
In other words, the benefits in security with open-source software.
|
|||
|
|
|
|||
|
|
Not to forget, the perks of open-source software translate to some of the reasons why [Linux is better than Windows][4].
|
|||
|
|
|
|||
|
|
#### More Eyes Looking at the Code
|
|||
|
|
|
|||
|
|
Unlike a proprietary software, access to code is not limited to a few developers.
|
|||
|
|
|
|||
|
|
Some projects may even have thousands of developers watching the code, reviewing them, and flagging or fixing security issues.
|
|||
|
|
|
|||
|
|
And this gives an edge over closed-source software by having **the ability to identify issues quickly and addressing them as soon as possible.**
|
|||
|
|
|
|||
|
|
Not just limited to more developers, often enterprises get involved with open-source projects that they utilize. And when they do, they will also go through the code and review it.
|
|||
|
|
|
|||
|
|
This gives another source of external audit that may help improve the security of the software.
|
|||
|
|
|
|||
|
|
In contrast, with a closed-source software, a limited number of developers may not be able to find all kinds of security issues. And it may take them longer to fix all the issues one by one.
|
|||
|
|
|
|||
|
|
#### Community Decision Making to Prioritize Security Issues
|
|||
|
|
|
|||
|
|
The developers of a closed-source software may have certain restrictions and priorities as what to work on and when to resolve an issue.
|
|||
|
|
|
|||
|
|
However, in case of an open-source project, the community of contributors can prioritize and assign themselves what they want to work on and when to fix an issue. You do not need to depend on a vendor or follow their instructions to address a security issue.
|
|||
|
|
|
|||
|
|
The decision making that goes into addressing and fixing the security issues is more transparent and flexible in case of an open-source software. Hence, it can prove to be more effective leaving you with three specific benefits:
|
|||
|
|
|
|||
|
|
* **Transparency**
|
|||
|
|
* **No dependency on the vendor**
|
|||
|
|
* **Faster security updates**
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
### Open Source Software is not Bulletproof: Here’s Why
|
|||
|
|
|
|||
|
|
![][3]
|
|||
|
|
|
|||
|
|
While there are cases where open-source software may get an edge for security, there could be instances or factors that affects it.
|
|||
|
|
|
|||
|
|
It is important to acknowledge that these problems exist, accordingly, an enterprise or an individual can make better decision about the state of security for an open-source software.
|
|||
|
|
|
|||
|
|
#### Not enough Eyes to Review Code and Uncertainty
|
|||
|
|
|
|||
|
|
Even if the code is accessible the world of developers, there are chances that a **project does not have enough contributors/developers to thoroughly review the code**.
|
|||
|
|
|
|||
|
|
In that case, we cannot have great confidence of an open-source software being peer-reviewed, because it lacks exactly that.
|
|||
|
|
|
|||
|
|
The open-source software may “claim” to have the best security just because its open-source, which is misleading when there are not enough developers working on it.
|
|||
|
|
|
|||
|
|
Also, we do not know how many developers are looking/reviewing the code and how exactly the code walkthrough is going on.
|
|||
|
|
|
|||
|
|
For instance, the Heartbleed bug was spotted after 2 years of its introduction in a project that was already popular i.e **OpenSSL**.
|
|||
|
|
|
|||
|
|
#### Software Responsibility or Accountability
|
|||
|
|
|
|||
|
|
This may not be important for individuals, but an **open-source software often comes with no warranties**.
|
|||
|
|
|
|||
|
|
So, if a business uses it, they must take the responsibility of any losses or damages caused by the use of that software.
|
|||
|
|
|
|||
|
|
This is something that tells you that nothing can be 100% secure and bug-free. No matter how many eyes you have on a code, or how skilled the contributors are, there will be risks in some form, be it security or data loss.
|
|||
|
|
|
|||
|
|
And this brings us to the fact that open-source software is not bulletproof.
|
|||
|
|
|
|||
|
|
### Open Source May Have its Edge for Better Security But…
|
|||
|
|
|
|||
|
|
Nothing is superior when it comes to security. No matter if it is closed-source or open-source, the same set of principles apply when it comes to security.
|
|||
|
|
|
|||
|
|
There are various external factors that can affect the security of a software, and **many of those are not source dependent**.
|
|||
|
|
|
|||
|
|
The code must be monitored in the same way to keep things secure.
|
|||
|
|
|
|||
|
|
Yes, the **open-source approach introduces benefits that closed-source software will never have**, but that does not mean that it is bulletproof.
|
|||
|
|
|
|||
|
|
_What do you think about the state of security when it comes to open-source software?_ _Do you think it is superior to proprietary solutions?_
|
|||
|
|
|
|||
|
|
I would appreciate your valuable thoughts in the comments down below.
|
|||
|
|
|
|||
|
|
#### Big Tech Websites Get Millions in Revenue, It's FOSS Got You!
|
|||
|
|
|
|||
|
|
If you like what we do here at It's FOSS, please consider making a donation to support our independent publication. Your support will help us keep publishing content focusing on desktop Linux and open source software.
|
|||
|
|
|
|||
|
|
I'm not interested
|
|||
|
|
|
|||
|
|
--------------------------------------------------------------------------------
|
|||
|
|
|
|||
|
|
via: https://news.itsfoss.com/open-source-software-security/
|
|||
|
|
|
|||
|
|
作者:[Ankush Das][a]
|
|||
|
|
选题:[lujun9972][b]
|
|||
|
|
译者:[译者ID](https://github.com/译者ID)
|
|||
|
|
校对:[校对者ID](https://github.com/校对者ID)
|
|||
|
|
|
|||
|
|
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
|
|||
|
|
|
|||
|
|
[a]: https://news.itsfoss.com/author/ankush/
|
|||
|
|
[b]: https://github.com/lujun9972
|
|||
|
|
[1]: https://news.itsfoss.com/linux-foundation-linux-desktop/
|
|||
|
|
[2]: https://itsfoss.com/what-is-linux-distribution/
|
|||
|
|
[3]: data:image/svg+xml;base64,PHN2ZyBoZWlnaHQ9IjQzOSIgd2lkdGg9Ijc4MCIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB2ZXJzaW9uPSIxLjEiLz4=
|
|||
|
|
[4]: https://itsfoss.com/linux-better-than-windows/
|