Open source software (OSS) has gained a reputation for being more secure than proprietary software, but some experts disagree with such a broad generalization.
Most point to its open nature of development as a source of both security and flaws. In one camp are those who say the mass participation effort guards against malicious code inserted; the other side says the lack of penalties for insertion of such code may give hackers free reign to wreak havoc.
Laurent Lachal, senior analyst and open source director at Ovum, thinks OSS provides a similar level of security to that of proprietary software, and that enterprises should make educated decisions on the products they are looking to adopt.
Lachal told ZDNet Asia in an interview: "It is hard to generalize, but from a security point of view, OSS is on par with proprietary software."
|Five years ago, there was the prejudice that open source had security holes and issues with maturity and intellectual property rights. Today, it is the reverse. But the danger is to go with one or the other license just because of the principle, or ideology of software freedom.|
He explained that between the OSS universe of some 300,000 projects, it is not possible to say every project is safe.
"Security concerns have been an issue for companies for a long, long time. Five years ago, there was the prejudice that open source had security holes and issues with maturity and intellectual property rights. Today, it is the reverse--the generic assumption that OSS is cheaper is helping to drive adoption.
"But the danger is to go with one or the other license just because of the principle, or ideology of software freedom," he said.
With regard to security, companies have to make "business decisions based on fact".
"There are hundreds of thousands of OSS projects, and many of them have flaws. But the important software which are used by enterprises are [typically] supported by strong communities, which are very good at generating good, clean code, and also reacting quickly to issues spotted," said Lachal.
Companies that have chosen to adopt open source therefore should make provisions for OSS in their security processes, he added. "Some larger [projects] are secure with vendor support through updates and patches. But if you have a niche product that is unsupported by a large [open source] vendor, IT has to keep an eye on what's going on in the forums and in the community around it," said Lachal.
Daniel Ng, director of marketing at Red Hat Asia-Pacific and Japan, said the mass participation of developers examining code makes OSS safer.
"In the open source world, with over two million developers worldwide looking at the codes, it is not accidental that open source codes have [far] less error per 1,000 lines of code," said Ng, in an e-mail interview with ZDNet Asia.
Besides the open source universe, Red Hat sells support by certifying a set of applications and technology for enterprise use--a further layer of security, he said, in addition to the "inherently secure design of the Linux OS".
Furthermore, the impetus to develop good code in the open source community is driven out of "competition to develop the best software", said Ng.
Adding to this, is the notion of ownership in the community, according to Ridhi Sawhney, market analyst, Asia-Pacific software research at IDC Asia-Pacific.
Sawhney said in an e-mail interview: "For OSS, developers are [also] users. Open source can be trusted to a large extent."
While there are no specific penalties associated with inserting malicious code in the open source community, the regular examination of code by developers helps largely to weed out issues with successive patches and releases, he added.