5 Common open source security myths everyone needs to know
Karl Hopkinson-Turrell
April 24, 2020
0 mins readOpen source is an extremely popular way for large enterprises, small businesses—even individuals and hobbyists—to acquire technology. Simply locate the open source dependencies that appear to address your personal or business computing dilemma, download, and install.
Even large companies are taking advantage of open source programs to enhance their portfolio of enterprise applications. Still, everyone needs to know the myths and facts related to open source security.
Several authorities raise concerns that the open source direction is not the right course for a future and flexible business model.
Open source has its benefits—and misconceptions
One misconception about open source is that it is free. That may be true for many programs, but others require licensing.
Licensing lets the true owner of the code know who is using the software, and also allows for notification to users when changes or updates are available. Much open source software is signed by the author so that users can verify the origin and authenticity of the code.
There are many reasons for the popularity of open source:
Rapid development by using existing open source libraries
Ease of deployment
Minimal investment in developer resources
Community base for problem resolution and questions
A significant benefit to open source is that users can freely look at the code, understand the details of its functions, and make any appropriate changes to suit their use. This may include updates to add or improve security provided by the code.
5 common open source security myths
Along with the popularity of open source, come many—not that accurate—concerns on the security of applications based on the use of available open source programs and functions.
1. Open source programs are less secure than proprietary software
Knowing that open source code can be read by anyone may introduce the thought that a hacker can analyze the code to find its vulnerabilities, then exploit them at will.
Truth: In reality, the fact that many users have read the code in detail means that any flaws or potential weaknesses are likely to be uncovered more quickly. With proprietary software, users rely on the vendor and their partners for any security processes that involve source code (e.g. static analysis tools, manual code review etc.). They also rely on them for a timely patch and interim mitigations.
In the case of open source security, it can be argued that with many users reviewing code, security “holes” will be detected more readily. With potentially hundreds of users of any given open source program, it only takes one discovery of a security problem to raise the issue to the author or open source community.
2. Open source code integrity is questionable
With many developers contributing to the creation of open source projects, the code may be expected to be confusing, haphazard, or even below quality or performance standards. This will make further modifications more difficult or time-consuming.
Truth: The contrary is more often the case. With many developers reviewing open source program objects, there are continuous enhancements and improvements incorporated in the code. Most developers pride themselves on programming skills, and approach modifications with intention to improve the code and yes, correct security vulnerabilities. Rather than resulting in code that is difficult to read, open source code may see improvements in both structure and performance.
3. Open source is just a fad that won’t last—security is an afterthought
Granted, initially, it was not obvious that open source software would become so prevalent, popular, and relied upon by companies, or that they would accept the security and operational risks of using external code in their products. However, things have turned out quite differently.
Truth: On top of the enormous growth of open source libraries and the vast number of open source projects and communities, surveys indicate that most organizations have either adopted or are considering the use of open source software. However, along with the many users of open source comes scrutiny of reliability, performance, and security. But with the evolution of the open source, the ecosystem expanded to include vendors focusing on those issues, offering targeted solutions. Snyk’s goal, for example, is to help developers use open source and stay secure—continuously find and fix vulnerabilities for npm, Maven, NuGet, RubyGems, PyPI and much more.
4. Open source has less support
When selecting a software for home, business, or enterprise applications, one consideration is support and enhancements. If support is lacking, open source may not be the best choice. There may be little reaction when vulnerabilities or flaws are discovered. This can result in application failures or downtime.
Truth: Admittedly, support in open source is usually 'best endeavors' from volunteers (the maintainers and the community). However, many companies commercialize open source by offering paid support plans, so that businesses can get tailored, rapid and expert support when they need it.
5. Externally developed code is inherently riskier
Without direct input or oversight from the business acquiring the code, open source quality is a critical unknown, with the potential for code errors, inefficiencies, and security gaps. Best practices are far from guaranteed.
Truth: The transparency provided by open source allows a thorough examination of code for efficiency, quality, and vulnerabilities. There are many sets of eyes examining open source for usability, compliance with best coding practices, and even logic problems. Amateurs write many open source programs, but simple code reviews can reveal code that is not appropriate or acceptable for an organization. This may add an extra step in selection and deployment, but it may well be more beneficial than internal development.
Putting open source security myths to rest
Open source security risks and best practices can be managed by cautious selection and evaluation of objects before integration into application portfolios.
For organizations considering investing in open source functions, sign up for a free Snyk account to check out how easy it is to use open source vulnerability scanner to detect vulnerabilities in your code. With Snyk you can further minimize risk and promote application security.
Get started in capture the flag
Learn how to solve capture the flag challenges by watching our virtual 101 workshop on demand.