Security's future belongs to open source

It's really not a debate question, it's just the way it is. The world runs on Linux and open-source software.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

The public was with me in my argument that Heartbleed didn't prove the open-source development model was insecure, but the judge rules against me. Eh, I'm not hurt. More than readers agree with me, almost all of technology agrees with me. 

Open source is the way to security in today's world.

You see, while Heartbleed was open source's worst security hour, it was an exceptional case. Outside of Apple and Microsoft, everyone, and I mean pretty much everyone, has already decided that open source is how they'll develop and secure their software. Google, Facebook, Yahoo, Wikipedia, Twitter, Amazon, you know, all of Alexa's top ten Websites in the world, rely on open-source software every day of the year.

They do it because Eric S. Raymond was right when he wrote in the essay that got open source started, "The Cathedral and the Bazaar," that "Given enough eyeballs, all bugs are shallow."

The problem with Heartbleed was that no one—no, not even the NSA—looked at the code. The failure wasn't with the open-source method, it was that no one bothered to apply it to OpenSSL.

The proof that open source, properly applied, is secure is available. Studies, such as the one recently done by Coverity, have found that open-source programs have fewer errors per thousand lines of code than their proprietary brothers. And, it's hard to ignore the Communications-Electronics Security Group (CESG), the group within the UK Government Communications Headquarters (GCHQ) that assesses operating systems and software for security issues, when they said that while no end-user operating system is as secure as they'd like it to be, Ubuntu 12.04 is the most secure desktop.

On the other hand, the mere existence of Microsoft's monthly Patch Tuesday says everything most of us need to know about how "secure" proprietary software is. I also can't help noticing how every time Microsoft releases a new version of Internet Explorer (IE), they always claim it's the most secure ever. And, then, a new hole is found, and guess what, that same security hole is in every version of IE from IE 6 to IE 11. If IE really were being rewritten to make it secure, why are the same holes showing up In Every Version??

My worthy adversary thinks that open-source projects don't have sufficient funding or management. Given Adobe, Apple, and Microsoft's security track record, has a month gone by in years without major security holes popping up for the major proprietary software companies? I don't see how traditional management has helped them any.

That's not to understate the Heartbleed problem. It was a disaster. It happened because OpenSSL was underfunded. There simply weren't enough people on the job to do the job, and everyone just assumed that because the code was open source it was somehow magically immune to errors. That's pure foolishness and we paid the price for it by over half of the world's websites being vulnerable to Heartbleed. We won't make that mistake again.

Let's say that OpenSSL, like IE, is fatally flawed. I don't believe it, but say it is. So what? In the open-source world someone just forks the code and comes up with a better version. That's exactly what OpenBSD has done with their LibreSSL. With open-source software you're not locked into one company's "secure" solution. If someone doesn't deliver the security goods you want, someone else can, and will usually, come up with a better program.

Put it all together and the facts show that, when done right, open source is the best way not just to develop software but to create secure software. It's only in those corner cases, like OpenSSL with Heartbleed, where a program is both popular and under-funded, that there exists the real possibility of a major security problem.

Just like death and taxes, we'll always have security problems. But, as the record already shows, on average open-source programming is the best way to prevent security troubles.
