Why is open source software assumed to be secure?
-
Ape alone... weak. Apes together... strong.
Now I’ve got an image in my head of apes sitting around in the jungle using laptops
-
The code being public helps with spotting issues or backdoors.
In practice, "security by obscurity" doesn't really work. The code's security should hinge on the quality of the code itself, not on the number of people who know it.
A recent example of this is the lengths the TALOS group had to go to in order to reverse engineer Dell ControlVault, which impacts hundreds of models of Dell laptops. This blog post goes through all of the steps they had to take to reverse engineer things, and they note that fortunately there was some Linux support with publicly available shared objects with debug symbols, which helped them reverse the ecosystem. Dell has all this source code and could have identified these issues much more easily themselves, but didn't, and shipped an insecure product leaving the customers vulnerable.
-
Fixing back door exploits multiple code repositories
-
Zero day exploits, aka vulnerabilities that aren't publicly known, offer hackers the ability to essentially rob people blind.
Open source code means you have the entire globe of developers collaborating to detect and repair those vulnerabilities. So while it's not inherently more secure, it is in practice.
Exploiting four zero-day flaws in the systems,[8] Stuxnet functions by targeting machines using the Microsoft Windows operating system and networks, then seeking out Siemens Step7 software. Stuxnet reportedly compromised Iranian PLCs, collecting information on industrial systems and causing the fast-spinning centrifuges to tear themselves apart.[3] Stuxnet's design and architecture are not domain-specific and it could be tailored as a platform for attacking modern SCADA and PLC systems (e.g., in factory assembly lines or power plants), most of which are in Europe, Japan and the United States.[9] Stuxnet reportedly destroyed almost one-fifth of Iran's nuclear centrifuges.[10] Targeting industrial control systems, the worm infected over 200,000 computers and caused 1,000 machines to physically degrade.
Stuxnet has three modules: a worm that executes all routines related to the main payload of the attack, a link file that automatically executes the propagated copies of the worm and a rootkit component responsible for hiding all malicious files and processes to prevent detection of Stuxnet.
The whole Stuxnet story is fascinating. A virus designed to spread to the whole Internet, and then activate inside a specific Iranian facility. Convinced me that we already live in a cyberpunk world.
-
I support free and open source software (FOSS) like VLC, qBittorrent, LibreOffice, GIMP...
But why do people say that it's as secure or more secure than closed source software? From what I understand, closed source software doesn't disclose its code.
If you want to see the source code of Photoshop, you actually need to work for Adobe. Otherwise, you need to be some kind of freaking retro-engineering expert.
But open source has its code available to the entire world on GitHub or GitLab.
Isn't that actually also helping hackers?
One thing to keep in mind is that NO CODE is believed to be secure, regardless of open source or closed source. The difference is that a lot of folks can audit open source, whereas we all have to take the word of private companies who are constantly reducing headcount and replacing devs with AI when it comes to closed source.
-
It's not more secure or less secure, but it is easier to trust
-
Somewhat of a different take from what I've seen from the other comments. In my opinion, the main reason is this:
Companies have basically two reasons to do safety/security: Brand image and legal regulations.
And they have a reason to not do safety/security: Cost pressure.
Now imagine a field where there are hardly any regulations and you don't really stand out when you do security badly. Then the cost pressure means you just won't do much security.
That's the software engineering field.
Now compare that to open-source. I'd argue a solid chunk of its good reputation is from hobby projects, where people have no cost pressure and can therefore take all the time to do security justice.
In particular, you need to remember that most security vulnerabilities are just regular bugs that happen to be exploitable. I have significantly fewer bugs in my hobby projects than in the commercial projects I work on, because there's no pressure to meet deadlines.
And frankly, the brand image applies even to open-source. I will write shitty code if you pay me to. But if my name is published along with it, you need to pay me significantly more. So, even if it is a commercial project that happens to be published under an open-source license, I will not accept as many compromises to meet deadlines.
-
It's relatively easy. First of all, if someone were to implement a backdoor, it's much easier to find out, since you can look at the code directly. Second, a lot of people actually do this: looking at the code of projects and searching for ways to find security holes in it.
So even if it isn't that much more secure than closed source, it's much easier to trust, simply because people can search for vulnerabilities much more easily.
One great example of why backdoors are easier to spot in open source code would be the xz security breach.
-
With open source code you get more eyes on it. Issues get fixed quicker.
With closed source, such as Photoshop, only Adobe can see the code. Maybe there are issues there that could be fixed. Most large companies have a financial interest in having "good enough" security.
-
One thing people tend to overlook is:
Development costs money. Fixing bugs and exploits costs money.
In a closed source application no one will see that your software is still working with arcane concepts that weren't even state-of-the-art when written 25 years ago.
The bug that could easily be used as an exploit?
Sure, the developer responsible for it did inform his manager around 50 times that he needs time and someone from the database team to fix it.
And got turned down 50 times, as it costs time and "we have to keep deadlines! And no one has noticed this bug so far, so why should anyone notice it now?"