The use of open source components is booming. According to analyst firms such as Forrester, Gartner, and 451 Research, 80-90% of all commercial software developers use open source components and make them an integral part of their software.
However, following recent security vulnerability events such as Heartbleed, Shellshock, and Poodle, the debate over security of open source components has intensified.
In this post, I would like to make the claim that open source components are often more secure than the average commercial closedsource software.
Here are my arguments:
1. Many more eyes are looking to find and fix problems. One of the arguments used by opponents of open source components has been that since the code is open, it’s easier for hackers to find security vulnerabilities and other weak points. The counterargument is that the same problems are likely to be discovered, faster, by white hat hackers, contributors (many open source projects have hundreds or thousands of contributors), and users (even if most open source users are not reviewing the code when they first adopt it, they may do so if and when they encounter bugs, or want to modify the code to their needs).
2. Open source projects fix vulnerabilities and release patches and new versions a lot faster. When vulnerability in an open source project is reported, especially if it’s a high severity one, a fix is often released within a day or two. In contrast, commercial vendors necessarily have longer update cycles. The reasons for that are many:
Security researchers often complain that it can take months and even years for some vendors to address a vulnerability they have discovered. And if it takes long to fix and release, customers remain exposed.
3. Practically all commercial software uses a healthy chunk of open source, but in many cases it is not appropriately managed.
Modern commercial software developers do not reinvent the wheel. They develop their own capabilities on top of (quite a lot of) open source components, which often make up over 80% of the total lines of code. Thus, commercial software is already susceptible to open source vulnerabilities. Unfortunately
In fact over 95% of vulnerable open source components found in 6450 commercial software projects researched had newer versions that fixed the problem.
How can all this help you build better software?
1. Don’t reinvent the wheel. Whenever possible, use open source components to build better products. The products will be safer than if you develop everything on your own (and have to fix your own bugs and security issues), or if you rely on a third-party commercial vendor with limited resources.
2. Know what you are using. Most open source components rely on other components (dependencies). You need to track all these components
3. Track the public security vulnerability databases (CVEs) to be immediately aware of issues in open source you use, and be quick to patch whenever a fix is available.
And of course you can use Mend.io to do all this for you, automatically and effortlessly.