Open source is a success story and is used in countless small and large companies. Even a large software company like Microsoft, whose former CEO Steve Ballmer once compared the Linux operating system to cancer, is now involved in many open source projects and uses open source components in its own applications and services.
Nevertheless, some doubts about the security of open source persist, be it because sceptics are not familiar enough with the development processes in the community or because key players who earn their money primarily with proprietary software continue to nurse long-outdated resentments. Yet many companies choose open source precisely because of its security properties. VNC lists the most common misconceptions about the security of open source and explains why they are unfounded:
1 Vulnerabilities are visible to everyone
This is true, and on closer inspection it is a big plus in terms of security. Not only can cyber criminals search the freely available code for points of attack; every other interested developer, researcher and company can do so as well. In the end there are far more eyes on the quality of the code than with closed source, so vulnerabilities tend to be found and reported sooner, provided that people actually review the code rather than merely assume someone else has. In addition, the community deals transparently with vulnerabilities: advisories, fixes and the discussion around them are public, whereas with proprietary applications it is often unknown which vulnerabilities lie dormant in them.
2 No one checks all the code
Wrong. Companies and public authorities with high security requirements carry out targeted audits or call in specialists who check the code for bugs and vulnerabilities in extensive testing processes. With proprietary applications this is usually not possible at all, and where it is, only under certain conditions and with considerable restrictions. Many companies that play a decisive role in driving the development of an application regularly commission independent auditors to examine its code closely. Openness is not just a façade; it is actively exercised.
3 Anyone can introduce bugs and backdoors
In theory this is possible, but mature open source projects have a controlled development process. Every change to the code is recorded in version control and is reviewed and tested by maintainers and the wider community, so that problematic lines can be identified and rejected. Only changes and features that have passed this code review find their way into a stable release. This process minimises not only the risk of security gaps but also of stability and compatibility problems. With closed source, the risk of undetected security and data protection breaches is greater because no one outside the vendor can inspect the code. The recurring speculation about possible backdoors in closed firmware and operating systems illustrates the problem: without access to the source, such claims can be neither confirmed nor refuted.
4 Nobody cares about bugs and vulnerabilities
Open source projects are not a loose collection of hobby developers working in an unorganised way. Behind many open source applications stands a large community of committed developers and companies with fixed procedures, release schedules and roadmaps. Their combined resources are often more extensive than those of a single proprietary vendor, so bugs and vulnerabilities are frequently fixed much more quickly. In addition, the community usually maintains its applications for much longer: even older versions continue to receive security updates and other improvements for several years.
5 There is no professional support
Some companies are concerned that they will not receive professional support for open source software. However, the companies involved in open source development usually offer highly professional support; it is an important part of their business model. Numerous service providers have even specialised in supporting open source applications. They help companies set up and operate the software securely, take care of problems and, where necessary, make customer-specific adjustments to the code that are usually not possible with proprietary programs.
The benefits of transparency
The decisive advantage of open source in security matters is transparency: users do not have to rely on a manufacturer's assurance that a piece of software fulfils certain security and data protection requirements. They can count on the watchful eye of a large community and carry out their own checks at any time.
This does not mean that open source is automatically secure, but a committed community and a controlled development process are what make reliable, secure and trustworthy software possible.