As I was sitting in class this week listening to the discussion of MySQL and the advantages of open source code, I couldn’t help but wonder what the downside was. I understand the benefits in terms of cost and the fact that it is probably better to have multiple eyeballs reviewing the code so as to identify bugs. In theory, this seems legitimate, but what about the issue of security? Why would any company want to buy a program to store proprietary information knowing full well that the code is available for the entire world to view? It is almost like having a rare jewel in your house and publishing the floor plan on the Internet so that any potential robber would have ample time to review and formulate their plan before attacking.
When I got home, I looked a little further into this issue and found that my initial reaction was not entirely accurate. While there are a variety of arguments as to why open source code is a vulnerability, there are overriding factors as to why closed source code is a bigger threat. First, hackers don’t need to be given source code in order to gain access to it or do damage. According to the article “Security Model of Open Source Software,” hackers can utilize decompilers, black box testing, and reverse engineering to identify security holes. Secondly, when a company purchases software, they must take the developer’s word that there are no back doors. There is no way to verify this other than to actually look at the code. As a result, when we hear about vulnerabilities in the closed source world, it usually takes more time to come up with a fix because the problem must be funneled back through the developer, whereas in the open source world, vulnerabilities are fixed in a shorter time period because more people can begin analyzing the problem immediately.
For other arguments in favor and against open source security, see the article “Is Open Source Good for Security.”
Any opinions on this?