Is Open Source more secure? That’s a question that can be answered with both yes and no. Not only that, but the reasons for the “yes” and the “no” are pretty much the same. Because you can see the source, the task of hacking or exploiting it is made easier; but at the same time, because it’s open and more easily exploited, the problems are more likely to be found.
When it comes to open source, the hackers and crackers are doing us a favour: they find the problems and bring them to the attention of the world, where some bright spark will make a fix and let us all have that too. All well and good.
However, I think this could also be a problem, because let’s face it: any monkey can download “free” software to use for this or that, with little or no idea how it actually works. They don’t check for fixes and updates, often believing “it will never happen to me”. In part this is because they just don’t see any reason for someone to hack them. But in the modern world, where any script kiddie little git can download a virus construction kit, or a bot to run exploits on lists of servers, it’s no longer a case of being targeted. They don’t care who you are; it’s the box they are after.
Recently a friend of mine suffered from this very problem; he didn’t believe he was worth the effort to hack. But simply by using an open source web app he unwittingly made himself a target. Though a fix was available, he wasn’t aware of it. It was only when the host contacted him about problems that he even realised he’d been exploited.
With the growing popularity of the internet and open source solutions, more and more unskilled users are installing software they don’t even understand. Even worse, as any one application grows in popularity it grows as a worthwhile target for the low-life script kiddies out there.
The problem has been exacerbated by the simple truth that with modern scripting languages such as PHP it is getting easier and easier to make something. Being able to hack code together until it works might be fun, and you might make something that does the job, but it’s not a way to make safe, secure software.
Most often exploits are based on stupid mistakes: errors that should have been found early on but weren’t, because the code evolved, expanded and changed. No design, no planning, just code it until it works. This is the original meaning of “hacking”.
Now, without mentioning names, I have pulled apart the code used in the CMS the friend I mentioned earlier used, and without doubt I can say it’s poorly written. But it was free, so no one can complain.
I am sure there are some very good open source applications, Linux and Apache to name a few, but there is even more “open source” that’s just garbage. Just because it’s free doesn’t mean it’s good. Just because it’s popular doesn’t make it better. In fact, as far as I can tell, if you want to use open source applications you’re probably better off choosing one no one else has really bothered with; that way you’re less likely to become a victim.
Closed source always has the advantage of being a little harder to find the problems in; however, and this is important, it doesn’t mean it’s any better. As a friend of mine pointed out, open source might be easier to hack in some ways, but because of that the problems come to light and generally are fixed quickly. Whereas with a closed source application it’s actually in the interests of the authors to keep any problems hidden; if it’s not a common problem it may even go unfixed, because the author sees it as unlikely anyone else will ever find it. Or a fix will be bundled up with a later version, and thus many people will never even know they could be at risk.
In the end I do believe open source is good for us all, but it’s important to check regularly for updates, patches and fixes. If you don’t, on your own head be it.