How is open source software secure?


I’m all for open source software so it can be understood, developed, and used by more people than if it was proprietary. However, I don’t get how it can be secure if malicious actors have access to the source code and the entire software package to practice their attacks against?


18 Answers

Anonymous 0 Comments

The idea with open source software is that the code is published and visible to all.

This makes it a lot harder for a malicious actor to introduce code because someone else on the team will no doubt catch it and block or remove it.

The more eyes you have on a project, the less likely problematic code will be introduced.

Anonymous 0 Comments

Secure software is by definition software that isn’t vulnerable even if you know exactly how it works. If you rely on attackers not knowing your source code, you just expose yourself to getting dabbed on by an expert reverse engineer who *likes* digging through decompiled C garbage.

Anonymous 0 Comments

If a piece of Open Source Software is actually widely used enough to be worth attacking, then odds are it’s a big enough project to have a lot of eyes on it. There are likely more eyes looking for and securing those holes than there are bad actors who are looking for them and abusing them.

Ultimately the biggest attack vector is people slipping in contributions with intentional vulnerabilities. This is a thing that *has* happened. However, that is something that also exists in closed source software. For example, in 2020, SolarWinds’ Orion platform was hacked and used to exploit the systems it was deployed on. This is closed source software, and it involved someone getting a job there and getting to a position to introduce the exploit.

Anonymous 0 Comments

[deleted]

Anonymous 0 Comments

Vulnerabilities can be discovered much faster since the code is out in the open.

Take iOS, for example… Apple does a tremendous job advertising its security (and keeping the source code secret), and yet hackers and companies like NSO quickly find ways to break it (ask yourself how that happens).

In the latter case, most exploits are never made public. 

Anonymous 0 Comments

Security that depends on obscurity is not security at all.

A secure system is one that is still secure even when the attacker knows exactly how it works.

Anonymous 0 Comments

[removed]

Anonymous 0 Comments

Here is the real ELI5 answer.

People who make open source software REALLY like open source software, and do EVERYTHING they can to make it as secure as possible so it can continue to be open source and available. If a vulnerability were found, they would fix it immediately so no one could take advantage of it.

Anonymous 0 Comments

Just because you have the instructions on how to build the safe doesn’t mean you know the combo to the safe.

Open source is even better because by making those instructions public, people who notice a way to break the safe will bring the issue up so your next version of the safe is even more secure. 

Open source software is the same idea.

Anonymous 0 Comments

It’s much harder to replace your algorithm than your keys.

When software is open, it can by definition not rely on people not knowing the algorithm.