Why Open Source Security Really Is More Secure
Facebook. Apple. Capital One. Marriot. Time after time, companies we trust experience data breaches — but it’s the individual customers who suffer. They’re the ones whose personal and even financial data is exposed to the world. It’s only natural, therefore, that in the face of such frequent and growing cyberattacks, people will question what type of security is best, and whether open source security is a powerful tool — or a dangerous risk.
Open source security tools are often misunderstood, and therefore can be blamed by the misinformed or the overly fearful. Is open source software safe — really? In fact, the truth is this: open source security is the best and most effective security you’re going to find on the market. By their very nature, open source security tools have the benefit of stronger protection, more features, and constant improvement against new and improved attacks developed by hackers’ ever-evolving creativity.
Open source security can be a cause for stress for many who don’t understand the open source process. Open source security tools, too, can come under scrutiny by the misinformed. And of course, no system is completely perfect. One challenge of open source software development, says David Sommerseth, Core Team Lead at OpenVPN, is that it requires volunteers: interested people who willingly invest their own time to provide feedback, sending patches and change requestions. “For many contributors,” he says, “this happens in their own spare time, which means people can’t always dedicate time every day to contribute. It may be inconsistent, and if your community is fairly small, you might see slower progress.”
That being said, if you do have a large enough community, open source security is the only security technology that can keep up with shifting strategies of international hackers. As Sommerseth explains, the OpenVPN open source community has a wide array of people who are constantly looking for ways to improve our security. “Just in the timeline for the maintenance cycle of OpenVPN 2.4, we have had over 35 contributors coming just from the community.” And that’s not even including the employees who worked on it. “For these 9 releases,” Sommerseth goes on, “it’s been over 320 changes that have been applied, covering everything from documentation to fixes, all over OpenVPN.”
Sommerseth adds that OpenVPN also had a public audit, sponsored by OSTIF, which included a thorough review of the code and functionality of the community version of OpenVPN. During this review, OpenVPN received feedback on issues to fix that were security critical, which meant the team could release OpenVPN 2.4.1 almost at the same time as the audit report.
The same is true for bug fixes. With many security tools, the moment a bug is discovered, hackers are devising ways to exploit it — and implementing those strategies well before the company is even aware there’s a problem. Not so with open source. “We have many contact points for the community,” Sommerseth explains. “IRC [Internet Relay Chat] is used a lot, as well as the mailing lists. These are the main places where issues are reported, then most of the time we create a ticket in a tool called Trac, which keeps the status for various reported issues. Some people even report issues directly in Trac.” Whether it’s active members of the community, or distant parties who happen to discover a problem, the team’s set up so those issues can be reported in whatever way is most convenient for the reporter — they all go to the same place, and they’re all dealt with accordingly. “All new reported issues are usually discussed in IRC, mail, or Trac,” says Sommerseth of the bug review process. “If it is agreed there is an issue, we send a ‘patch’ to the development mailing list to describe the change needed. And we have utilities we run against these patches which applies them to our source code automatically.” This system ensures bugs are found, reported, and addressed more efficiently and effectively than they would be at a typical bogged-down IT department.
Ultimately, open source development enforces stronger transparency for all changes happening, which is especially essential with security software. “When the change requests and reviewing happens in the open,” Sommerseth adds, “anyone interested can follow the discussion and inject questions or concerns while it happens — which often results in the final result being even better than the starting point.”
Companies who use open source software also reap the benefit of a product that’s often designed more accurately towards the needs of the users, because there is a tighter discussion between users and developers. There’s more openness and more connection, which helps mature the product faster. “When the company manages input and contributions effectively,” says Sommerseth, “users also develop higher loyalty and trust in the product.”
And that’s ultimately what open source is all about: building trust. That’s why it’s the most secure option on the market — because security is about trust.