How Secure is Open Source Web Software?


June 26th, 2013

The primary feature of free and open source software is that its code is available for everyone to view. Running such software on the web is inexpensive and may even give you quality results, but is it secure? If anyone can see the source code, does that mean it is easier to exploit? Furthermore, is that security risk even more severe when your software is web-facing and exposed to the public?

The short answer is: well-maintained open source software actually tends to be more secure than proprietary software. The longer answer is a little more complicated.

Many eyes – One advantage of open source software is that many people can contribute to it across a variety of platforms and scenarios, increasing the likelihood that they will find and eradicate any bugs. This, of course, assumes that people actually work on the code. It is up to you to determine whether the code is actually well-maintained. A project like Apache Hadoop, for example, has both non-profit and corporate backing, as well as many community contributors.

No vendor lock-in – With proprietary software, the user is typically at the mercy of the vendor. Although some vendors may maintain very secure software, there is no guarantee. Theoretically, with open source software, even if your vendor goes under, you can take your software elsewhere, or even maintain it yourself. This means you can always increase its security even if it was initially lacking.

The unknown – Proprietary software’s code is unknown to the public. This means that the software may even be purposefully or unintentionally designed to invade your privacy or compromise your security. With open source software, there are no such secrets.

In general, open source software is secure, but that is no guarantee. Particularly with web-facing applications, you still need to run vulnerability tests and put the normal security safeguards in place. You can, however, at least rest a little easier knowing that your software is well-maintained and reasonably secure.
