Advice Request: Is open source software more secure or less secure?


jetman

Thread author
Jun 6, 2017
It is normally assumed that 'open source' software is more secure.

Presumably this is because the source code is open to inspection. It is assumed that good-natured programmers will examine the code and report any vulnerabilities they find.

But is this really the case? There would be huge financial rewards for breaking the security in open source products such as Bitwarden. It seems to me that the bad guys would be far more motivated to look at the source code than any good guys. So doesn't making the code open source just make things easier for the criminals?

Isn't it better to keep the source code hidden away as much as possible?
 

Kongo

Feb 25, 2017
Both have their advantages and disadvantages. In the mobile industry, one reason why iOS is often considered more secure than Android is that it's closed source and hackers have a hard time finding vulnerabilities. Of course there are many other factors, like the iOS sandbox that virtualizes every app in its own virtual environment, but that's not the topic now, I guess. I wouldn't say that open source is necessarily more secure than closed source; however, it makes the software more transparent and because of that more trustworthy. You also shouldn't only see the bad side of open source, because there are not only bad people out there who try to exploit open source software. There are also people who report vulnerabilities in order to make the developer fix them as soon as possible.
 

TairikuOkami

May 13, 2017
The OpenSSL vulnerability taught me never to take anything for granted, like people expecting OpenSSL to be secure because someone would surely check its code, but no one did for years.

 

Deletedmessiah

Jan 16, 2017
How well they're supported and updated is another major factor for the security of any software, among what was already mentioned above.

Of course there are many other factors like the iOS sandbox that virtualizes every app in it's own virtual enviroment but thats not the topic now I guess.
Android does the virtualization too. The major factor in iOS being more secure is the updates and better control of the apps by Apple. Android updates, while getting better, are still embarrassing in comparison to iOS.
 

ForgottenSeer 85179

Users can (and do) spot vulnerabilities for devs to patch.
That's wishful thinking.

Open source doesn't make anything more or less secure by definition. It only improves transparency, and the community can contribute.

But mostly, open source is less secure because the community doesn't help, the main developer stops the project, or nobody checks the code for years.
It's also not true that closed source is less secure because it's closed source. Reverse engineering is used, for example, and most security researchers check big closed projects instead of random open source projects.
 

Arequire

Feb 10, 2017
It's not inherently more secure, but has the potential to be. The fact that anyone can review the code increases the chance of finding bugs and vulnerabilities; the greater number of people reviewing, the higher the chance of finding them.
The issue then is whether people are actually reviewing the code in the first place, and even if they are, whether those people have the expertise to do so.
Also, a developer may not respond to any/certain issues found, or may fail to implement appropriate fixes for them.
 

Ink

Administrator
Jan 8, 2011
IMO, neither yes nor no.

Are all privately and publicly disclosed vulnerabilities taken into account?
Are developers able to patch the vulnerability in a timely manner?
Funding.

Same applies to proprietary / closed source software.
 

ForgottenSeer 85179

It is not guaranteed that the published open source code is used on its own without any modifications, right?
Right. Even if code is public, nobody knows if that's the used code in the end.
Only reproducible builds provide that.

Anyway, only if you build the program from scratch yourself do you know which code is used.
Most users don't know that, but it's important.
 
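The check a reproducible-builds verifier actually performs is simple to state: build the same source twice (ideally on independent machines, or once yourself and once by the vendor), hash every output file, and compare. The example below is added here and is not code from the thread or from any project mentioned in it; the "build" step is a constructed stand-in for a compiler run, and the file names, the timestamp values and the SHA-256 choice are assumptions for illustration. The timestamp baked into the output is the classic reason two honest builds of identical source still differ, which is exactly the case where a published hash tells you nothing.

```python
import hashlib
import os
import tempfile


def hash_tree(root):
    """Return {relative path: sha256 hex digest} for every file under root."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            digests[os.path.relpath(path, root)] = h.hexdigest()
    return digests


def compare_builds(build_a, build_b):
    """Diff two build trees: files present on only one side and files whose bytes differ."""
    a, b = hash_tree(build_a), hash_tree(build_b)
    return {
        "only_in_a": sorted(set(a) - set(b)),
        "only_in_b": sorted(set(b) - set(a)),
        "mismatched": sorted(p for p in a.keys() & b.keys() if a[p] != b[p]),
    }


def is_reproducible(report):
    """A build is reproducible only if both trees are byte-for-byte identical."""
    return not any(report.values())


def _fake_build(out_dir, build_time, embed_timestamp):
    """Constructed stand-in for a compiler run (assumption: not a real toolchain).

    Writes a fixed 'binary' plus a build-info file; when embed_timestamp is set the
    wall-clock build time is written into the output, which breaks reproducibility.
    """
    os.makedirs(out_dir, exist_ok=True)
    with open(os.path.join(out_dir, "app.bin"), "wb") as f:
        f.write(b"\x7fELF" + b"deterministic machine code stand-in")
    with open(os.path.join(out_dir, "buildinfo.txt"), "w") as f:
        f.write("source=tag-v1.2.3\n")
        if embed_timestamp:
            f.write(f"built={build_time}\n")


def demo(embed_timestamp):
    """Run the 'build' twice at different times and compare the two output trees."""
    with tempfile.TemporaryDirectory() as tmp:
        first = os.path.join(tmp, "build1")
        second = os.path.join(tmp, "build2")
        _fake_build(first, "2024-01-01T00:00:00Z", embed_timestamp)
        _fake_build(second, "2024-01-01T00:00:07Z", embed_timestamp)
        return compare_builds(first, second)


if __name__ == "__main__":
    for embed in (True, False):
        report = demo(embed)
        print("timestamp embedded:", embed, "reproducible:", is_reproducible(report), report)
```

In practice the second tree is the vendor's shipped artifact rather than your own second build, and a mismatch list is the starting point for finding out whether the difference is a harmless timestamp or code that was never in the published source.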

ncage

May 20, 2017
As a developer I would say neither, but I think it is better if it's open source than closed source. Security by obscurity doesn't help either (closed source). The pro of open source is that, of course, people can review the source code for issues. The con is that bad people (or state actors) can review the code for issues. Once a major flaw is found there is a market to sell these flaws (usually the highest bidders are bad guys).

There have been major flaws in open source software that have been there for years and were never found (OpenSSL recently (Heartbleed)). Being a developer myself, I'm not going to be looking for security vulnerabilities in OpenSSL. It's extremely complicated code, beyond what I and most developers traditionally deal with. Looking through the OpenSSL source code is no fun. There are very few people who would have an interest in looking at the code unless they were being paid for a code audit.

There are other ways to find security issues with code that don't require access to the source code (pen / fuzz testing). How many times in the past did people find ways to jailbreak iOS? Well, those are bugs in the source code that people find around the security checks in iOS, and they didn't have access to the source code. So from a security aspect I think code being open source is a good thing, but there is no silver bullet.
 
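The post's two points, that Heartbleed sat in open code for years and that fuzzing finds bugs without any source, can be shown together. Below is an added example, not code from the thread or from OpenSSL: a handler shaped like the TLS heartbeat (RFC 6520) bug, which trusts the attacker-supplied payload length and echoes that many bytes back, beside the same handler with the bounds check the OpenSSL fix added (reject the record when type + length + payload + padding exceed what was actually received). A black-box fuzzer then drives both handlers with length fields that disagree with the real payload and counts responses containing bytes from the adjacent "memory". Everything here is constructed: the `memory` argument stands in for whatever follows the record on the heap, the secret string is made up, and the handler names and the RNG seed are assumptions for illustration.

```python
import random

PADDING = 16                   # RFC 6520 requires at least 16 bytes of padding
HB_REQUEST, HB_RESPONSE = 1, 2


def handle_heartbeat_vulnerable(record, memory):
    """Heartbleed-shaped handler: echoes payload_len bytes back, trusting the
    attacker-controlled length field instead of the real record size.

    `memory` is a constructed stand-in for whatever sits after the record in the
    process heap; a real over-read would return exactly those bytes.
    """
    if len(record) < 3 or record[0] != HB_REQUEST:
        return b""
    payload_len = int.from_bytes(record[1:3], "big")
    heap = record + memory                     # record followed by adjacent memory
    payload = heap[3:3 + payload_len]          # BUG: no check against len(record)
    return bytes([HB_RESPONSE]) + payload_len.to_bytes(2, "big") + payload + b"\x00" * PADDING


def handle_heartbeat_fixed(record, memory):
    """Same handler with the bounds check from the OpenSSL fix: discard the record
    if the claimed payload plus header and padding exceed what was received."""
    if len(record) < 3 or record[0] != HB_REQUEST:
        return b""
    payload_len = int.from_bytes(record[1:3], "big")
    if 1 + 2 + payload_len + PADDING > len(record):
        return b""                             # silently drop, as the fix does
    payload = record[3:3 + payload_len]
    return bytes([HB_RESPONSE]) + payload_len.to_bytes(2, "big") + payload + b"\x00" * PADDING


def fuzz_heartbeat(handler, iterations=2000, seed=1):
    """Black-box fuzzer: it sees only inputs and outputs, never the handler's code.

    Generates requests whose claimed length often disagrees with the real payload and
    counts responses that contain bytes from the adjacent (constructed) memory.
    """
    rng = random.Random(seed)
    secret = b"SECRET-KEY-MATERIAL-0123456789"  # constructed "heap" contents
    leaks = 0
    for _ in range(iterations):
        real_len = rng.randrange(0, 32)
        payload = bytes(rng.getrandbits(8) for _ in range(real_len))
        # half the time lie about the length, as a mutator on the length field would
        claimed = rng.randrange(0, 65536) if rng.random() < 0.5 else real_len
        request = bytes([HB_REQUEST]) + claimed.to_bytes(2, "big") + payload + b"\x00" * PADDING
        response = handler(request, secret)
        if secret[:4] in response:             # response carries memory it should not
            leaks += 1
    return leaks


if __name__ == "__main__":
    print("vulnerable handler leaked in", fuzz_heartbeat(handle_heartbeat_vulnerable), "cases")
    print("fixed handler leaked in", fuzz_heartbeat(handle_heartbeat_fixed), "cases")
```

The fuzzer never reads either function; it only notices that one of them hands back data it was never sent. That is the sense in which the post is right that source access is not required: the oracle is the behaviour, not the code, which is also why the bug could survive years of "anyone can read it" without anyone writing this loop.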

rain2reign

Jun 21, 2020
I had a similar discussion once with a group of software security specialists and bounty hunters. They told me in unison at least "open-source is better for security, but it carries two undeniable risks with it.", being:
  1. You will never have the secure knowledge that it's the exact same copy of source code running on the software, service or servers.
  2. The leaks, bugs, exploits and other open doors can and will be used against you until it's fixed. The patch time can vary from a few hours to days, if not weeks.
I see Open-source as a huge bonus and preference myself, provided you can either read or know some folks that can read the code. But I don't naively necessarily believe that the exact same code is running on the service applicable. Companies and services often don't put their branding code and telemetry along with the source code for example. Even if there is a tick-box or cmd-line setting to turn it off in the GUI.
 
