Open source security: Security in process, not code

Should we be alarmed that open source has security holes? No. Quite the opposite.

Yesterday's "big" news was that some major open-source projects have security holes. At least, that's the news that the media reported. Undoubtedly, Microsoft and others will use these results in their competitive documents to suggest that open source is less secure than its proprietary brethren.

This, of course, would be the exact inverse of the lesson to take from the report.

The big news is that we even know. With a proprietary product, no one knows there are gaping security holes...until someone exploits them. Open source makes no attempts to obfuscate its strengths (and weaknesses), letting both the bad guys and the good guys discover the problems, with the latter fixing them more quickly (on average - it depends on the project) than proprietary vendors.

Indeed, of its results Coverity noted:

To know the number of security exposures found within a popular piece of software is unusual, said [Coverity]. Open source projects are different from commercial products in that commercial companies rarely acknowledge security defects in their code or whether they have been dealt with. "Our commercial customers wouldn't like it too much if we aired the number of defects found in their code," said [Coverity], when asked about the results from scans on 400 product lines of the firm's private customers.

Now, never mind this silly distinction between "commercial" and "open source" in the quote. Open source is every bit as commercial as proprietary software.

No, the lesson to take is that customers benefit from an open security process, not a clandestine process that helps no one. We should be grateful when we read that our software has problems. At least we know. That, of course, is the necessary precondition to fixing those problems.

Tech Culture
About the author

    Matt Asay is chief operating officer at Canonical, the company behind the Ubuntu Linux operating system. Prior to Canonical, Matt was general manager of the Americas division and vice president of business development at Alfresco, an open-source applications company. Matt brings a decade of in-the-trenches open-source business and legal experience to The Open Road, with an emphasis on emerging open-source business strategies and opportunities. He is a member of the CNET Blog Network and is not an employee of CNET. You can follow Matt on Twitter @mjasay.


    Discuss Open source security: Security in process,...

    Conversation powered by Livefyre

    Show Comments Hide Comments
    Latest Articles from CNET
    The other analog format: Cassette tape decks have never been cheaper to buy