Open source software is more secure than you think
Lasse Andresen, CTO, ForgeRock
According to a recent survey by Black Duck Software, there are more than one million unique open source projects today, a number projected to grow to around two million by 2014. Open source is growing in the enterprise, but when people think of open source, they are often concerned about potential security issues. Those security concerns are merely myths. So, what is the reality when it comes to open source software security?
The first myth is that open source software is vulnerable to security threats because its code is openly accessible and supposedly not evaluated thoroughly. The truth is that with open source code, a diverse developer community works together not only to forge the initial solution but also to solve problems and produce new releases. The result? Fewer bugs and quicker fixes. Further, users have the opportunity to evaluate and critique the actual code – not just how it works, but how it was written to work. Because of the nature of the open source community and the fear of losing credibility, developers take great care when releasing code with their name on it. Since their work is open to a public audience for critique and evaluation, open source developers constantly strive to build a product that will earn them respect and credibility from their open source peers.
The next challenge that needs to be addressed is the perception that open source is not "enterprise-ready." Considering that companies like Google and Amazon have hundreds of thousands of enterprise customers who use their open source software, and that Red Hat, SugarCRM and Netflix are at the forefront of open source innovation, it is surprising that this myth still exists. Open source allows enterprises to customize solutions that meet their exact needs, without forcing them into a pre-defined box to solve their IT challenges.
Whether it is resource constraints or the demand to implement the latest trend (such as BYOD), enterprise administrators face numerous hurdles. The software they use to leap over those hurdles should be easy to deploy, highly scalable and incredibly agile. Not only has open source software been ready for the enterprise for many years; the enterprise might be one of its most powerful use cases.
Further, some companies believe that open source code is great for cutting-edge developers, but not for IT operations. While open source code does serve the needs of application developers who want to use the latest technology and are not concerned about the production environment, uptime, etc., it is also a great tool for IT operations. With production stability, no interruption in service, the guarantee of quality assurance testing and patches, and controlled and frequent upgrades, open source software is a great solution for both sides of the IT fence – developers and IT operations.
Likewise, CIOs and CSOs often believe that since anyone can contribute to the code, there are no guarantees of security and quality in open source software, but this is not true. Open source developers are concerned with their credibility and hence release quality code, which simplifies the development process. In a commercial open source environment, each member goes through an approval process, after which they are provided with the appropriate credentials. Only then are they able to commit code, and that code then goes through a sophisticated process of review, acceptance and rejection. The end result is thoroughly tested, enterprise-ready software.
Finally, enterprises hesitate to adopt open source software because they believe that no one is responsible for failures and that open source code is hard to maintain. However, several companies, large and small, currently use open source code in their products, which automatically makes them responsible for what they license to customers. The collaborative nature of open source means no vendor lock-in and fast development, making open source software highly responsive to company needs and quick to release product updates, fixes, patches and stable new versions.
Every type of software has its pros and cons. However, a concern about security is definitely not a valid reason to turn away from open source software. Open collaboration drives innovation, and embracing open source software is one way to keep up with a rapidly evolving enterprise world facing constant change driven by cloud and virtualization. As even the largest companies embrace open source software, with recent projects like OpenDaylight, the hope is that these myths will continue to be debunked and that organizations will realize the true potential of leveraging open source software.