May 23, 2018
When it comes to choosing between open source and closed source software, there’s no right or wrong answer. In order to choose a type of software that fits your security policy, and your organisation, you need to understand the pros and cons of each.
Open Source Software
Open source software projects entrust their ongoing development to large communities of developers across the world. By making the source code available to that community, the software's efficacy, security and reliability can be tested by thousands of users rather than a handful of core developers. This is known as security through transparency: it allows vulnerabilities and security issues to be detected as early as possible, with wide-scale testing completed in a fraction of the time a small development team would need. With a large pool of expertise and resources available to address these issues, open source software can also boast a very rapid time-to-fix.

However, whilst these patches and updates often come from expert developers, they aren't always vetted by the official development team, and accepting untested updates from unknown contributors can introduce further security issues. Publishing the source code also makes it easier for malicious parties to find software vulnerabilities, potentially increasing the risk of security breaches and data loss.
Closed Source Software
Closed source software relies on security through obscurity. Source code is developed, tested and updated by a small team of core developers, and third parties are prevented from viewing it, which makes it harder for attackers to analyse the software and uncover vulnerabilities. This development model allows for a greater degree of expert specialisation, with closed source developers understanding their code inside-out. This makes it easier to build tighter security measures into the software and reduces the likelihood of bugs and technical oversights.

It does, however, mean that the security of closed source software is entrusted entirely to a small development team. Any bugs and vulnerabilities that go unnoticed by that team will make it into the finished product, and without the source code available for external developers to review, these issues may only come to light when attackers successfully breach the software.

Closed source software also tends to respond more slowly to security threats. After a security issue is detected, the development team needs to be made aware of the problem; any fix then has to be developed in-house, or at least approved by the development team, before it reaches users.
Which Type of Software is Right for My Organisation?
Neither type of software is immune to vulnerabilities and exploits. Regardless of the type of software your organisation uses, your own security policies and practices are still the primary factor in protecting your organisation. As long as a piece of software is continually updated (either by a small development team or by the wider development community), the choice between open source and closed source won't dictate your organisation's security.

To help you decide between the two software types, it's a good idea to consider your own organisation's security policy:
- Am I happy to entrust application security exclusively to the software vendor?
- Do I have the resources available to analyse open source code?
- Will I be willing to accept security updates from unknown entities?
- Will I be willing to wait for official security updates to immediate security issues?
It's unlikely that these questions have black-and-white answers. Regardless of the type of software employed, every organisation will have to defer some element of security to a third party and commit some degree of resources to software monitoring and analysis. It should still be possible, however, to choose between open source and closed source software and find the type that best reflects your organisation's own security practices.