Tech
Paid Content : This paid content was written and produced by RV Studios of Red Ventures' marketing unit in collaboration with the sponsor and is not part of ZDNET's Editorial Content.

Open source software: The question of security

The transparent nature of open source software does not make it any more vulnerable than closed systems, experts argue.

The logic is understandable - how can a software with source code that can easily be viewed, accessed and changed have even a modicum of security?

opensource-security-question
Open source software is safer than many believe.

But with organizations around the globe deploying open source solutions in even some of the most mission-critical and security-sensitive environments, there is clearly something unaccounted for by that logic. According to a November 28 2013 Financial News article, some of the world's largest banks and exchanges, including Deutsche Bank and the New York Stock Exchange, have been active in open source projects and are operating their infrastructure on Linux, Apache and similar systems.

As with any technology, security remains an important point with open source software, but not to the extent to which many people believe.

Open source software - safer than you think

According to Dr. Ian Levy, technical director at the UK's Communications-Electronics Security Group (CESG), too many people get caught up in the fact that the source code is open for all to see - and forget that this does not make it any more vulnerable than closed software.

"If I look at how people break software, they don't use the source code," he explained in an April 23, 2013, ZDNet article.

"If you look at all the bugs in closed source products, the people that find the bugs don't have the source, they have IDA Pro, it's out there and it's going to work on open and closed source binaries."

In fact, it could be one of open source software's greatest benefits - its transparency - that makes it a more appealing option than proprietary offerings. There is a saying known as "Linus' law" that says "given enough eyes, all bugs are shallow.” As the source code is available for all to access and modify, there is a large global community of developers who are constantly keeping tabs on the software to find ways of improving it. This includes scoping out bugs and other vulnerabilities in the code, which can then be fixed, enabling the software to be continuously improved. This level of universal collaboration and monitoring is often not available with closed source software.

This level of universal collaboration and monitoring is often not available with closed source software.

That said, there is no software system in the world that is completely risk-free and doesn't come without its security considerations. So what are some ways to make your open source infrastructure as secure as it can be?

Safety best practices in the open source environment

Before implementing any open source software, it is imperative to perform a thorough evaluation to assess any flaws or risks that may potentially arise. This will help you invest in the most stable solution for your needs and reduce the risk of vulnerabilities cropping up down the line. Your development team should be deeply involved in this process, looking at the history of the open source project to identify any past issues and assess the likelihood of further problems in the future.

It is also important to enact an enterprise-wide IT security policy, perhaps even a separate one dedicated to open source. Such policies should outline best practices in maintaining the integrity of the open source infrastructure and be flexible enough to adapt and change according to circumstances.

Open source software is certainly much more secure than its detractors would like to believe, and further breaking this myth could be the key to enabling its continuous development and growth.

———————————————————————————————————————————————————

To learn more about the business benefits of Red Hat Enterprise Linux, download this complimentary whitepaper.

Editorial standards