We provide Linux and Open Source software consulting.  Sometimes, a potential client tells us « we don’t use Open Source software because security is important for us ».

The proprietary industry has been spreading FUD claims on Open Source software for a long time — claims that have been regularly debunked.

In fact, if security is your primary concern, you should switch to Open Source software, as it is the only model that gives you full control over your own computers.

The whole idea that publishing source code makes it less secure is a myth: security through obscurity never worked, and never will.  In fact, making the source code available to public scrutiny not only results in code that is better written, better structured, and more robust; it also allows any developer to spot flaws in it and contribute a patch.

On the other hand, with proprietary code you must trust the vendor blindly.  This has crucial implications, especially in the domain of security.  Did the vendor use a strong encryption algorithm, or a flawed one?  Or – even worse – did they implement their own proprietary cryptographic algorithm?  Even if they chose the correct cipher, is the implementation correct, or does it have bugs?  Does it leak plaintext data?

With Open Source software, being able to inspect the source code means that you know what is running on your machines.  You lose this benefit when you use proprietary software.  There is even the possibility that the security of the program has been deliberately crippled, for instance by building in a master password.  If a government agency asks the vendor to put a backdoor in their product, you can be sure they will comply; they have nothing to gain and everything to lose by resisting such a request.  After all, nobody can see the code but them.

Proprietary software is distributed in such a way as to make it as opaque as possible.  EULAs usually prevent you from trying to understand (by reverse engineering) what the program does.  Some EULAs even forbid you from publicly discussing security vulnerabilities in the program.  And when a security vulnerability is eventually found in proprietary software, you can only wait and hope that the vendor fixes it.

Most security flaws in Open Source software are discovered and patched within a very short time.  By contrast, in 2014 Microsoft shipped a fix for a bug that was 19 years old, and in 2015 they fixed another bug that was 15 years old.  And a 2007 Google survey found that, while the market share of Apache webservers was three times that of Microsoft IIS, the two had an equal number of compromised webservers on the Internet.

Of course, this does not mean that any Open Source program X is always better than a proprietary program Y.  The quality of code in Open Source software also varies (it is usually positively correlated with the size and importance of the project), and it is even possible to introduce obfuscated malicious code into it.  However, all things considered, Open Source software is more secure for your business, while at the same time giving you many other advantages unmatched by its proprietary counterparts.
