Eli5: Why can’t open source software easily be hacked?

Typically a source code leak is a safety danger. But with open source applications it is available from the start. How do you prevent people from intruding when all safety measures can be plainly seen?

Anonymous

A source code leak should not reduce the security of your application. You should instead build a secure application from the start so that even if an attacker has the source code they cannot find any way to attack it without the secret keys. And attackers have the resources to reverse engineer machine code and even hardware chips, while regular researchers might not. So the idea of security in open source software is to allow everyone to look at the source code and find potential problems. This way you find more issues which might potentially be used by an attacker and fix those issues before they can be exploited.

As an example, a lot of police and military services have switched to using an encrypted radio called TETRA. All the source code and technical descriptions of this are kept secret and have even been made illegal to possess. So a security research group at a university, for example, is not allowed to study it. Recently such a group, working for the public interest, did publish their findings after having studied the system using limited funds. And they found a number of different security issues and even a few possible attacks. These have been there for over 15 years and nobody knew about them because nobody studied them enough. Not even the services who bought this system. But it is fair to say that some state actors would have put this much effort into researching TETRA. And they would have probably been able to spend a lot more resources on it, acquire radios and technical documentation in non-legal ways, and deploy attacks against the system in the wild to test them.

If the source code had been available from day one it would have been much easier to research it. So research groups with limited resources would have been able to study it the same way as state actors. We would have found these issues when it was launched, when they could have been easily fixed, rather than years later when it has been widely deployed and might have already been exploited.
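The point in the first paragraph, that a well-built system stays secure even when the code is public because only the keys are secret, can be shown with a small constructed example. This is added illustration code, not part of the answer above; the function names and the sample messages are mine. It contrasts a home-made checksum whose only "secret" is the algorithm with a standard keyed HMAC, and checks what a receiver accepts from someone who has read the source but holds no key.

```python
import hashlib
import hmac
import secrets


def obscure_tag(message: bytes) -> str:
    """Home-made checksum with no key ("security through obscurity").
    Once the source is public, anyone can compute a valid tag for any message."""
    acc = 0x5A5A
    for b in message:
        acc = ((acc * 31) ^ b) & 0xFFFF
    return f"{acc:04x}"


def keyed_tag(key: bytes, message: bytes) -> str:
    """HMAC-SHA256: the algorithm is fully public, only the key is secret."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_keyed(key: bytes, message: bytes, tag: str) -> bool:
    """Constant-time comparison so the check itself leaks nothing about the tag."""
    return hmac.compare_digest(keyed_tag(key, message), tag)


def demo() -> dict:
    """Constructed scenario: a receiver checks the tag on a message; a third
    party has read all of the source (as with open source) but not the key."""
    key = secrets.token_bytes(32)       # the one secret; it never lives in the code
    genuine = b"transfer 10"            # constructed message from the real sender
    tampered = b"transfer 1000"         # constructed message a forger wants accepted

    # Obscure scheme: the forger simply runs the public function, and the
    # receiver's check passes because the "secret" was the code itself.
    forged_obscure = obscure_tag(tampered)
    obscure_accepted = obscure_tag(tampered) == forged_obscure

    # Keyed scheme: the forger knows HMAC-SHA256 exactly but has to guess a
    # 256-bit key; any key other than the real one gives a rejected tag.
    guessed_key = secrets.token_bytes(32)
    forged_keyed = keyed_tag(guessed_key, tampered)
    keyed_accepted = verify_keyed(key, tampered, forged_keyed)

    # The legitimate sender, who holds the key, is still accepted as before.
    genuine_accepted = verify_keyed(key, genuine, keyed_tag(key, genuine))

    return {
        "obscure_forgery_accepted": obscure_accepted,   # True: code secrecy was all it had
        "keyed_forgery_accepted": keyed_accepted,       # False: public code, secret key
        "keyed_genuine_accepted": genuine_accepted,     # True
    }
```

Publishing `keyed_tag` costs nothing, which is why reviewers looking at open source can hunt for real bugs instead of the design relying on nobody reading it.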