TranslateProject/sources/talk/20210718 Is Open-Source Software Secure.md

164 lines
8.5 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

[#]: subject: (Is Open-Source Software Secure?)
[#]: via: (https://news.itsfoss.com/open-source-software-security/)
[#]: author: (Ankush Das https://news.itsfoss.com/author/ankush/)
[#]: collector: (lujun9972)
[#]: translator: ( )
[#]: reviewer: ( )
[#]: publisher: ( )
[#]: url: ( )
Is Open-Source Software Secure?
======
Being someone who prefers [Linux for desktop][1] and encourages using open-source software, you may expect the answer to the question raised in the headline with a big “**Yes**“.
But I am not going to limit discussing the benefits of open-source software. Let us explore more!
Here, I plan to share my thoughts on if open-source software is secure and what are the things involved in it that make secure or insecure.
### Why Should You Care if Open-Source Software is Secure?
No matter whether you use [Linux][2] or any other operating system, you will be surrounded with open-source software in some way (directly/indirectly).
To give you an example, most of the proprietary software tools depend on some form of open-source libraries to make things work.
Furthermore, there is a reason why companies of various scale (including Google, Microsoft, and Facebook) rely on open-source software or contribute their resources to the open-source community in one way or the other.
Hence, the security of open-source software is something essential to know about.
### Myths About Open-Source Software Security
![][3]
While there are several arguments to pitch the cons of open-source software in terms of security, some of them just do not make any sense.
#### Anyone Can See & Exploit the Code
The code is accessible to everyone, yes. But just because you can see the code—does that mean anyone can exploit it?
**Not really.**
Even though anyone can create a fork (or copy) of the software, the original software cannot be manipulated easily.
Usually, the project maintainer (or a group of them) manage the code repository and accept the commits from contributors. The code is reviewed before approval. And no one can hijack the code just like that.
**It takes effort for an attacker to exploit a vulnerability or add malicious code in a software, no matter if it is open-source or closed source.**
#### Without Dedicated Resources, Security Breaks down
Many believe that without dedicated employees or a team for an open-source software, it is difficult to maintain security.
In contrast, with several types of contributors joining and leaving, the software gets more attention from a wide range of developers.
And they may be able to spot security issues better than a few employees assigned for a proprietary software.
Some projects from the likes of Mozilla have a dedicated team to effectively iron out security issues. Similarly, most of the successful open source projects have plenty of resources to dedicate for security.
Hence, the open-source software ecosystem is a mixed bag for security. Even without dedicated resources, the projects get help from various contributors, and some are profitable to a great extent which helps them dedicate more resources.
### Open Source Software is Secure: Heres How
![][3]
Now that we have tackled the myths, let me highlight how open-source software deals with security issues.
In other words, the benefits in security with open-source software.
Not to forget, the perks of open-source software translate to some of the reasons why [Linux is better than Windows][4].
#### More Eyes Looking at the Code
Unlike a proprietary software, access to code is not limited to a few developers.
Some projects may even have thousands of developers watching the code, reviewing them, and flagging or fixing security issues.
And this gives an edge over closed-source software by having **the ability to identify issues quickly and addressing them as soon as possible.**
Not just limited to more developers, often enterprises get involved with open-source projects that they utilize. And when they do, they will also go through the code and review it.
This gives another source of external audit that may help improve the security of the software.
In contrast, with a closed-source software, a limited number of developers may not be able to find all kinds of security issues. And it may take them longer to fix all the issues one by one.
#### Community Decision Making to Prioritize Security Issues
The developers of a closed-source software may have certain restrictions and priorities as what to work on and when to resolve an issue.
However, in case of an open-source project, the community of contributors can prioritize and assign themselves what they want to work on and when to fix an issue. You do not need to depend on a vendor or follow their instructions to address a security issue.
The decision making that goes into addressing and fixing the security issues is more transparent and flexible in case of an open-source software. Hence, it can prove to be more effective leaving you with three specific benefits:
* **Transparency**
* **No dependency on the vendor**
* **Faster security updates**
### Open Source Software is not Bulletproof: Heres Why
![][3]
While there are cases where open-source software may get an edge for security, there could be instances or factors that affects it.
It is important to acknowledge that these problems exist, accordingly, an enterprise or an individual can make better decision about the state of security for an open-source software.
#### Not enough Eyes to Review Code and Uncertainty
Even if the code is accessible the world of developers, there are chances that a **project does not have enough contributors/developers to thoroughly review the code**.
In that case, we cannot have great confidence of an open-source software being peer-reviewed, because it lacks exactly that.
The open-source software may “claim” to have the best security just because its open-source, which is misleading when there are not enough developers working on it.
Also, we do not know how many developers are looking/reviewing the code and how exactly the code walkthrough is going on.
For instance, the Heartbleed bug was spotted after 2 years of its introduction in a project that was already popular i.e **OpenSSL**.
#### Software Responsibility or Accountability
This may not be important for individuals, but an **open-source software often comes with no warranties**.
So, if a business uses it, they must take the responsibility of any losses or damages caused by the use of that software.
This is something that tells you that nothing can be 100% secure and bug-free. No matter how many eyes you have on a code, or how skilled the contributors are, there will be risks in some form, be it security or data loss.
And this brings us to the fact that open-source software is not bulletproof.
### Open Source May Have its Edge for Better Security But…
Nothing is superior when it comes to security. No matter if it is closed-source or open-source, the same set of principles apply when it comes to security.
There are various external factors that can affect the security of a software, and **many of those are not source dependent**.
The code must be monitored in the same way to keep things secure.
Yes, the **open-source approach introduces benefits that closed-source software will never have**, but that does not mean that it is bulletproof.
_What do you think about the state of security when it comes to open-source software?_ _Do you think it is superior to proprietary solutions?_
I would appreciate your valuable thoughts in the comments down below.
#### Big Tech Websites Get Millions in Revenue, It's FOSS Got You!
If you like what we do here at It's FOSS, please consider making a donation to support our independent publication. Your support will help us keep publishing content focusing on desktop Linux and open source software.
I'm not interested
--------------------------------------------------------------------------------
via: https://news.itsfoss.com/open-source-software-security/
作者:[Ankush Das][a]
选题:[lujun9972][b]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]: https://news.itsfoss.com/author/ankush/
[b]: https://github.com/lujun9972
[1]: https://news.itsfoss.com/linux-foundation-linux-desktop/
[2]: https://itsfoss.com/what-is-linux-distribution/
[3]: data:image/svg+xml;base64,PHN2ZyBoZWlnaHQ9IjQzOSIgd2lkdGg9Ijc4MCIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB2ZXJzaW9uPSIxLjEiLz4=
[4]: https://itsfoss.com/linux-better-than-windows/