Better Security Through Open Source

The January 2007 Communications of the ACM had an article by Jaap-Henk Hoepman and Bart Jacobs: “Increased Security Through Open Source” (available as PDF or PostScript).

The authors argue that:

. . . using open source software is a necessary requirement to build systems that are more secure. Our main argument is that opening the source allows independent assessment of the exposure of a system and the risk associated with using the system, makes patching bugs easier and more likely, and forces software developers to spend more effort on the quality of their code.

They review the argument that keeping source closed prevents attackers from accessing information they can use to form an attack, but note first of all that source code often leaks out of closed source systems (those intending to attack a system are unlikely to pay much heed to the fact that their code access is illegal), and further, that even if the source were kept closed, “vulnerabilities of such closed source systems will eventually be found and become known to a larger public after a while. Vulnerabilities in existing closed source software are announced on a daily basis.”

If the argument is that the security of open source software may be suspect due to poor coding practices, that’s a reflection on the development approach, not on the availability of the source code or the rights to modify it. (“We assume a minimal standard of proper coding practices, project management, change control and quality control.”)

Ultimately, they suggest, “keeping the source closed actually hurts the defender much more than the attacker: while a determined attacker can still discover weaknesses easily, the defender is prevented from patching them.”

Finally, they conclude:

In the long run, openness of the source will increase its security. Sloppy code is visible to everyone, and questions even the overall quality of it. . . . Open source allows users to make a more informed choice about the security of a system, based on their own or on independent judgment.

Well said!