Do open source and security go together?
While many economic sectors have suffered from the COVID-19 pandemic, technology has held up, and some parts of it have grown sharply. In this period of creative destruction, of rapid technological progress and of the race for more security, we find open source: a philosophy (and a tool) at the service of companies and their users.
What is Open Source?
The practices behind open source appeared in the 1950s and 1960s, in the research and academic computing environments that would later give birth to the Internet. The engineers who built these systems worked in an open and collaborative setting where advances were reviewed and commented on by their peers.
In the same period, which saw the launch of the ARPANET at the end of the 1960s, computers were commonly shipped with the source code of their software, so that customers could inspect how it worked or modify it as they wished.
So how do we define “open-source” software? The Open Source Initiative defines it in 10 points, but here is how to summarize it in a few lines:
Open-source software is software whose source code is freely available. Here, free means: accessible to anyone without discrimination (individual or organization), and usable, modifiable and redistributable without having to pay for the right to do so.
Here are some examples of open-source software that you have probably dealt with as much as I have:
- Linux, a kernel used notably in Android devices and in the majority of the world's servers.
- Better known still, the Mozilla Firefox web browser, developed and maintained by a large community of developers.
- Finally, for artists at heart, GIMP, Blender, Audacity and many others.
Five misconceptions about open source
Open source = free of charge: source code that is openly accessible does not mean that running the software costs nothing. Hosting, support and commercial editions can all carry a price.
There is only one kind of open source: there are many open-source licenses, and they differ in the obligations they attach. Permissive licenses such as MIT or BSD allow reuse in proprietary products, while copyleft licenses such as the GPL require derived works to be released under the same terms. It is also possible to write your own license, although it only counts as open source if it meets the Open Source Definition.
Open source is only about software: the concept applies to software but also to hardware, where it takes the form of open-source hardware whose design files are published.
Also, it is important to understand that the principle of open source does not put the emphasis on money, but rather on the freedom to use, modify and distribute. More broadly, open source is a movement, a way of working, more than a label on a computer tool.
Few companies use it: the use of open-source hardware and software in the corporate world is becoming more and more common, and studies show that it is heavily used in the digital transformation of large companies and in their investments. Microsoft, long seen as the archetype of proprietary software, is now one of the largest corporate contributors to open-source projects.
Open source is only for professionals and experienced people: it is a tool for professionals, but also for students and beginners; it is a considerable pool of knowledge that stimulates learning and tests everyone's skills.
Three reasons to use open source
Transparency: for both companies and users, open-source code can be read, so malicious code is more quickly and easily detected, provided that someone actually reviews it. Transparency then becomes a basis for trust and reliability. Because the code lives in a public version-control history, users can trace exactly which change introduced a malicious line or a bug, and who submitted it.
Collaboration: one of the biggest advantages of open source is the community of developers, experienced or beginners, that it gathers. Security holes are usually quickly detected and corrected with their help, especially in projects with an active community; a project with a single overworked maintainer gets much less of this benefit. It is easy to submit a fix, a bug report or a suggestion to the authors of the code in order to improve it.
Flexibility: because of the community aspect, open-source code is flexible; it can be adapted quickly and is more responsive to users. As opposed to proprietary software, open-source software is more demand-oriented and can be easily adapted to users. When a piece of software does not fit a use, or is abandoned by its authors because it brings in too little money, it is possible to create a fork (new software built from the existing source code).
Security debate: between transparency and obscurity
The debate around the security of open source is still alive: on one side, those for whom obscurity is key; on the other, the defenders of open source, convinced that transparency is the best weapon against security flaws.
Source code visible to all? Sounds dangerous, doesn't it? Indeed, transparency does not have only advantages, and abuses of it are not isolated. We said earlier that security holes can be detected quickly; some flaws are much harder to spot, and malicious people can read the same code to find them before the maintainers do and exploit them for their own benefit.
On the other hand, obscurity is no guarantee of security either. Closed source has not prevented serious attacks on proprietary software, often through flaws that sat unreported in the code for years: the WannaCry ransomware of 2017 spread through a flaw in the SMB implementation of Microsoft Windows, using an exploit taken from the NSA's tooling and published by a group of cybercriminals calling themselves the Shadow Brokers, and there are many other examples.
Auguste Kerckhoffs, a 19th-century Dutch-born cryptographer and author of La cryptographie militaire (1883), formulated the principle that now bears his name, usually summarized as:
"The security of a cryptographic system must not depend on keeping the algorithm secret. Security rests only on the secrecy of the key." In other words, the security of a system should not rest on its concealment; on the contrary, it should be possible to make it public without fear of the consequences.
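To make Kerckhoffs's principle concrete, here is an added example (written for this article, not code from Satochip or from any project mentioned above). Scheme 1 "hides" its security in a constant buried in the code, so the algorithm and the key are the same thing: one known plaintext recovers the constant and every other message falls with it, and nothing can be rotated without shipping new code. Scheme 2 publishes its whole algorithm, an illustrative stream cipher built from HMAC-SHA256 with a fresh nonce per message, and keeps only a key secret; the same known-plaintext attack learns nothing about other messages. The constant, the key sizes and the sample messages are constructed for the example, and the HMAC-based cipher is unauthenticated and meant only to illustrate the principle, not to replace a vetted AEAD such as AES-GCM or ChaCha20-Poly1305.

```python
import hashlib
import hmac
import secrets

# --- Scheme 1: "security by obscurity" -------------------------------------
# The only secret is this constant buried in the code. Every message is XORed
# with it, so leaking the source, or guessing one plaintext, exposes every
# message ever sent, and the "key" cannot be rotated without a new program.
HIDDEN_CONSTANT = bytes.fromhex("5a13c07e9b2d44f1")  # constructed example value


def obscure_encrypt(plaintext: bytes) -> bytes:
    """XOR with the hidden constant, repeated as often as needed."""
    return bytes(p ^ HIDDEN_CONSTANT[i % len(HIDDEN_CONSTANT)]
                 for i, p in enumerate(plaintext))


def recover_hidden_constant(known_plaintext: bytes, ciphertext: bytes) -> bytes:
    """Known-plaintext attack: XOR plaintext and ciphertext to get the key
    stream, then take its shortest repeating period as the hidden constant."""
    stream = bytes(p ^ c for p, c in zip(known_plaintext, ciphertext))
    for period in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % period] for i in range(len(stream))):
            return stream[:period]
    return stream


def break_obscure_scheme() -> bytes:
    """The attacker sees one message whose content they can guess, then
    decrypts a different message they were never meant to read."""
    known = b"Transfer 100 EUR"                        # constructed sample
    secret_msg = b"Transfer 999999 EUR to account 42"  # constructed sample
    c_known = obscure_encrypt(known)
    c_secret = obscure_encrypt(secret_msg)
    key = recover_hidden_constant(known, c_known)
    return bytes(c ^ key[i % len(key)] for i, c in enumerate(c_secret))


# --- Scheme 2: public algorithm, secret key --------------------------------
# The algorithm is printed here for everyone to read: a stream cipher whose
# key stream is HMAC-SHA256(key, nonce || counter). Illustrative only and
# unauthenticated; what matters for Kerckhoffs's principle is that the only
# secret is the key, and the key can be changed at will.
NONCE_LEN = 16


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def public_encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)  # fresh per message: never reuse
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def public_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = keystream(key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def known_plaintext_against_public_scheme() -> tuple:
    """Same attack against the public scheme: the attacker knows the whole
    algorithm and one plaintext, but not the key. Returns the attacker's
    guess for the second message and the real second message."""
    key = secrets.token_bytes(32)
    known = b"Transfer 100 EUR"                        # constructed sample
    secret_msg = b"Transfer 999999 EUR to account 42"  # constructed sample
    c_known = public_encrypt(key, known)
    c_secret = public_encrypt(key, secret_msg)
    # The key stream leaked by the known message belongs to its nonce only.
    leaked_ks = bytes(p ^ c for p, c in zip(known, c_known[NONCE_LEN:]))
    guess = bytes(c ^ k for c, k in zip(c_secret[NONCE_LEN:], leaked_ks))
    return guess, public_decrypt(key, c_secret)


if __name__ == "__main__":
    print("obscure scheme, decrypted by attacker:", break_obscure_scheme())
    guess, real = known_plaintext_against_public_scheme()
    print("public scheme, attacker's guess:", guess)
    print("public scheme, real message:    ", real)
```

Running the script shows the attacker reading the second message in full under scheme 1 and producing garbage under scheme 2. The difference is not that scheme 2's code is hidden (it is all above) but that its secret is a key that can be generated, rotated and revoked independently of the code, which is exactly what Kerckhoffs asks for.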
Open source is therefore much more than a computer tool: it is a way of working, a way of learning, a weapon against flaws, a way to be closer to users. All of these contribute to building a safer ecosystem in which trust and collaboration are the key words, as long as the openness is actually used: code that anyone can review is only safer when someone does.
Article written by Imen SACI, for Satochip — 05–08–2021