INDUSTRY INSIGHT

Why open source is a safe choice for agencies

Already prevalent in big data applications and many other software solutions regularly employed by agencies, open-source technologies are a natural fit for the public sector. Their ability to combine distributed peer review and transparency drives software innovation at an accelerated pace and at a significantly lower cost.

However, as the use of open-source technologies has increased -- particularly within large enterprises and federal agencies -- concerns have shifted dramatically from who owns or has access to open-source code to the potential security risks. 

Open-source software isn’t necessarily less secure than proprietary products. In fact, the communities that support some of the better-managed projects are at times more responsive to security threats than vendors of strictly proprietary systems. Let’s explore two misconceptions about open-source security.

Misconception: Open-source code is readily available to hackers who are taking advantage of vulnerabilities before they can be fixed.

Truth: Thousands of security engineers, cryptographers and developers in the open-source community are regularly searching for vulnerabilities and, more often than not, fix them before anyone else notices.

Vulnerabilities are always present in software, but because of the sheer number of community-oriented contributors and the speed of innovation within open-source projects, they are often noticed and fixed more quickly than those in their proprietary counterparts. Proprietary software vulnerabilities are often not noticed until they are exploited.

Vendors selling proprietary software need dedicated headcount to find and fix vulnerabilities as part of their day job, while their open-source counterparts have round-the-clock volunteers dedicated to this work. Within the open-source community there are more people to review code and to perform both static and dynamic code analysis, and they have a well-defined process for finding and fixing vulnerabilities.

A great illustration of this principle was the Heartbleed bug discovered in OpenSSL. While it received much negative attention, the reality is that the vulnerability was discovered by the open-source community before an exploit occurred. And Heartbleed's discovery has brought much-needed attention to OpenSSL, a previously under-appreciated open-source project.

In the commercial world, open-source software has driven continual innovation, leading to new startups, services and applications. Government agencies can likewise take advantage of this constant scrutiny and improvement. Moreover, open-source software's rapid pace of innovation is attractive to upcoming workers; engineers and data scientists want to work with the latest technology, not 20-year-old systems.

Misconception: Because there are so many contributors to open-source code, it would be easy for bad code to be inserted without detection.

Truth: Commercial (but still free) open-source software goes through a thorough security review prior to the release of a new version.

In commercial open-source projects -- those supported by companies -- users have the option of waiting to get the latest version that will have gone through a thorough security review. Commercial organizations that distribute and support open-source technology have employees who are dedicated members of the open-source community conducting these reviews. The software users get may not have the latest innovations, but their version will be tested, verified and as stable as proprietary offerings.

For example, the Apache Hadoop open-source software is continually being updated, so Cloudera regularly releases updated versions of its Hadoop distribution -- CDH -- that have been thoroughly tested and integrated with the rest of the stack. Users get the best of both worlds -- the value and benefits of using open-source technology with the option of paying for commercial support -- all the while knowing that the source code is stable and secure. Deploying open-source software that is distributed and supported by a commercial vendor is the safest and most secure way to be successful.

Open source can help agencies save money in other areas. When leveraging commercially supported open-source software, government agencies can reduce their dependence on internal expertise and equipment. Rather than fund engineers and servers, agencies can spend their resources on the tools they can put on top of the infrastructure to maximize the value of their investments.

We are at a point of inflection. Technology is accelerating at a rate we haven't seen before. If agencies want to keep up, they are going to have to move to newer technology and approaches. At the same time, the government has a responsibility to ensure that its systems are both fiscally sound and secure. Open source allows them to be safe, efficient and innovative -- the magic bullet for public sector technology today.

About the Author

Eddie Garcia is chief security architect at Cloudera.

Reader Comments

Sun, Oct 18, 2015

"Proponents of secrecy ignore the security value of openness: public scrutiny is the only reliable way to improve security" a quote from Bruce Schneier from The Non-Security of Secrecy. https://www.schneier.com/essays/archives/2004/10/the_non-security_of.html

Thu, Oct 15, 2015 auzkhan

It would be great if you could corroborate your argument with actual statistics on vulnerabilities of open-source vs. proprietary software. The example you gave about Heartbleed actually doesn't support your argument, since it was not fixed prior to being exploited even though it was identified earlier by the open-source community. Also, proprietary software makers argue that since their source code is "closed", it will take more effort for someone to identify and exploit its vulnerabilities as opposed to open source.