Is Open Source Software Secure?

March 31, 2010 | by Toni Ellison | Posted in CMS, Web Development

The debate rages on. Which type of software is more secure: open source (source code is open for public editing and viewing) or closed source (source code is kept secret by the company that produced it) software? I have been an open-source developer for over 10 years. I have contributed to open source projects, worked on web servers built on open-source kernels, and my last two home computers have been Macs, which are built on FreeBSD, an open source operating system. I have never had security issues with my computer or website as long as I always followed through on doing the recommended security updates. Hackers are smart and persistent. That’s why I am grateful to open source communities that protect their code and the users that use it.

I recently heard this statement:

“[open source blog] in our opinion is way too common of a system that is open source and ‘free’ which lets people spend hours going through the code and finding exploits.”

Hackers are going to exploit software whether it is open source or not, but when code is available for everyone to view, there are many more people who are able and willing to fix those exploits and close the security vulnerability. Fixes can be rolled out within hours or days. When closed-source software is exploited, only a small set of developers in that company is familiar enough with the problem to fix it. Updates take months to roll out to the public, leaving your computer or website open to hackers for longer than necessary.

Last year another worm was making its way through the Internet, targeting WordPress blogs. A security update was issued, and WordPress users were notified to upgrade their software. Three outcomes happened:

  1. Users ignored the warning; the worm attacked their site.
  2. Some users, instead of doing the simple upgrade (all it takes is a click of the mouse), dug down into their code and changed the version number. FYI, the worm is smarter than that.
  3. Users did the upgrade and their site was protected.

Many people purchase and install virus protection software for their computers. Pretend Joe installs his new software and declares his computer impervious to attack from worms and viruses. Time goes by and Joe never updates his virus software. His computer then becomes vulnerable to the ever-changing viruses on the Internet. It doesn’t make sense to hope that one software change will protect you for as long as you own your computer. The Internet lives and evolves, and we must evolve with it. Updating software is the best way to stay strong when the virus attacks.

Balance uses open-source software on many client sites. It helps keep costs down. We are diligent in doing security scans to keep sites secure. We support the open source community.



Comments

I have had my "open Source" sites hacked a couple of times.....any ideas?