How are open source programs safe? Doesn’t open source make it easy for hackers to find vulnerabilities or contribute malicious code?

Perhaps I need a better understanding of what open source means, but how can a program that is openly publishing its code not be super vulnerable to cyber security threats? That’s like a bank publishing exactly how all its security works, right? Obviously I’m missing something here, so ELI5!

44 Answers

Anonymous 0 Comments

Open source is *not* safe in any universal sense. There are very many vulnerabilities in the total set of open-source code, and there are periodically vulnerabilities discovered even in major, widely-used open source packages.

Companies/governments that take security seriously will carefully audit any code they are considering using – whether it’s open-source or closed-source – and will establish its security risks before they use it.

Anonymous 0 Comments

There is, in fact, no real difference in security between enterprise and open-source code. These are, in fact, licensing distinctions, and do not pertain to the security, or lack thereof, of a program. How do I know? Because Microsoft employs over 100,000 software engineers, who have the ability to read and modify source code. What’s preventing those people from either introducing their own vulnerabilities, or disclosing those vulnerabilities to criminals?

There are also techniques which permit people using software to pull apart compiled software and see how it is built. This is called a ‘decompiler’, and while it will not supply the same variable and function names, it is, in fact, not possible to keep the function of computer software secret from the computer which has to run it.
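The point in the answer above (the machine that runs the code can always see it, so hiding a secret inside the program buys nothing) as an added example. This is not code from the thread; the token, salt handling and function names are constructed for the demonstration. The first function is a "closed-source" style check whose secret is a literal in the compiled function, and `extract_string_constants` shows what anyone holding the compiled artifact can read straight out of it. The second design assumes the code is public from the start: the verifier keeps only a random salt and a slow salted hash, so reading the code and the stored record still leaves an attacker guessing.

```python
import hashlib
import hmac
import secrets

# Part 1: a "closed-source" style check. The secret is a literal inside the
# compiled function, which is all a decompiler or disassembler needs.
def check_token_obscure(candidate: str) -> bool:
    # Constructed example secret for this demonstration.
    return candidate == "open-sesame-42"


def extract_string_constants(func) -> list:
    # The interpreter must load this code object to run the function, so
    # anyone holding the compiled artifact can read it too. Names may be
    # stripped; literals cannot be.
    return [c for c in func.__code__.co_consts if isinstance(c, str)]


# Part 2: a design that assumes the code is public. The verifier stores only
# a random salt and a slow salted hash (PBKDF2), never the secret itself.
ITERATIONS = 100_000  # work factor per guess; tune for the deployment


def derive(candidate: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, ITERATIONS)


def enroll(secret: str) -> dict:
    # Run once when the secret is set. The returned record is what the
    # verifier keeps on disk; the secret itself is discarded.
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": derive(secret, salt)}


def check_token_hashed(candidate: str, record: dict) -> bool:
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(derive(candidate, record["salt"]), record["hash"])


def guess_from_record(record: dict, candidates: list):
    # What an attacker with the full source AND the stored record can do:
    # guess, paying the PBKDF2 cost per guess. Returns the first hit or None.
    for guess in candidates:
        if check_token_hashed(guess, record):
            return guess
    return None


if __name__ == "__main__":
    print("literal recovered from the compiled check:",
          extract_string_constants(check_token_obscure))
    record = enroll("open-sesame-42")  # the user's secret at enrollment time
    print("literals in the hashed check:",
          extract_string_constants(check_token_hashed))
    print("brute force with a small constructed wordlist:",
          guess_from_record(record, ["password", "letmein"]))
```

The contrast is the whole argument of the thread: the obscured check fails the moment someone looks at the binary, while the hashed check is exactly as strong whether or not its source is published, because its strength comes from the secret the verifier never stored, not from the code being unread.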

Anonymous 0 Comments

There are good people and there are bad people.

Generally speaking, there are more good people than bad or we would have died out thousands of years ago.

The good people find and fix any vulnerabilities the small number of bad people might add.

Anonymous 0 Comments

Developer here.
Software isn’t inherently insecure just because we know how it works. Software becomes insecure when it can be forced, by tactics not anticipated by a developer, to do things it wasn’t intended to do.
Hackers – the really good ones – have a deep understanding of how systems are made, and can recognize opportunities to exploit insecure code.
A large number of developers, building tools and using their own expertise to detect and close these loopholes, is the best way to prevent exploits from being placed in the code, or from staying there later.
Open source provides – for the low price of being offered a chance to help keep the code safe – a license for users to use the software themselves. Some open source licenses grant additional rights, but that’s the basic idea: alone we might write imperfect code, but together, we can make it better.
Edit: some nuance but same idea.