Information security has become increasingly high profile in the past few years. High profile hacks, leaked databases and CSV files full of user passwords have all made bad headlines for everyone involved. The threat has grown as many more organisations move online; for the first half of 2020, Pallavi Dutta on Security Blog reported a 273% increase in records exposed in data breaches compared with 2019.
Attackers will use any information available to find even the smallest weakness in a system. Any detail or clue about your configuration can be used as a means of attack. This leads some people, quite understandably, to ask how it is possible to maintain security when using code that is publicly available to the world.
How can security be maintained with so much sensitive data flowing through systems built on software whose code anyone in the world could be reading while looking for vulnerabilities? This is a fair question; however, there is another way of looking at it.
What is open source software?
Open source software is freely available, publicly accessible software that can be used and modified by anyone for their own purposes. This can be any kind of software: web browsers, operating systems, text editors and content management systems are just a few examples.
An example of this can be seen on GitHub.
This is the code for the Apache web server. It is free to download and use as needed. Everyone can see the code, and anyone can freely use it to set up their own web server.
Inspectability and Control
The fact that open source code can be viewed by anyone does not have to be a negative. We can read any code before we decide to use it, and every feature can be carefully reviewed for potential issues.
Because the version of the code we deploy is chosen by Invotra and not by a third party, we decide if and when any changes are taken on. If a maintainer of a project makes a change that may cause issues, or that does not fit the Invotra product, we can see this before deciding whether to adopt the new code or to write our own. This is a level of control that we could not get over closed source software.
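The control described above only holds if the code that reaches production is the code that was reviewed. The following is an added example, not Invotra's tooling and not the format of any real lock file: it records the digest of a reviewed release and refuses to deploy either a newer upstream version that has not been re-reviewed or an artifact that carries the reviewed version label but different bytes. The package name, version numbers and artifact contents are all constructed for illustration.

```python
"""Pin and verify reviewed open source artifacts.

Added, hypothetical example: the manifest structure, the package name and the
artifact contents are constructed here; this is not Invotra's tooling and not
Composer's or any other tool's lock-file format.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class ReviewedRelease:
    """What we record once a release has been read and approved."""
    name: str
    version: str
    sha256: str


def digest(data: bytes) -> str:
    """SHA-256 hex digest of an artifact's bytes."""
    return hashlib.sha256(data).hexdigest()


def record_review(name: str, version: str, artifact: bytes) -> ReviewedRelease:
    """Pin exactly the bytes that were reviewed, not just a version string."""
    return ReviewedRelease(name, version, digest(artifact))


def check_artifact(pinned: ReviewedRelease, version: str, artifact: bytes) -> str:
    """Decide whether an artifact may be deployed against the pinned review.

    Returns one of:
      "ok"           - same version and the same bytes that were reviewed
      "new-version"  - upstream has moved on; re-review before adopting it
      "tampered"     - version label matches but the bytes differ
    """
    if version != pinned.version:
        return "new-version"
    if digest(artifact) != pinned.sha256:
        return "tampered"
    return "ok"


# Constructed sample artifacts standing in for tarballs of an upstream project.
REVIEWED_TARBALL = b"example-lib 2.4.1: source we read and approved\n"
NEXT_RELEASE_TARBALL = b"example-lib 2.5.0: new upstream release, not yet reviewed\n"
MODIFIED_TARBALL = b"example-lib 2.4.1: same version label, different bytes\n"

# The pin produced when 2.4.1 was reviewed and approved.
PINNED = record_review("example-lib", "2.4.1", REVIEWED_TARBALL)


def demo() -> dict:
    """Run the three cases a deployment check has to distinguish."""
    return {
        "same": check_artifact(PINNED, "2.4.1", REVIEWED_TARBALL),
        "upstream_changed": check_artifact(PINNED, "2.5.0", NEXT_RELEASE_TARBALL),
        "same_label_different_bytes": check_artifact(PINNED, "2.4.1", MODIFIED_TARBALL),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The point of pinning the digest rather than the version string is the third case: a version label is not evidence that the bytes are the ones somebody read, so an upstream change, a mirror compromise or a build-system change all surface as an explicit decision instead of a silent update.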
Open source lives by the community around it. Experts who dedicate themselves to creating and maintaining open source projects help keep them secure and allow for more rigorous testing. To maintain high levels of security, strategy and quality, The Linux Foundation even offers an open source 'code of conduct'.
Anyone can contribute to an open source project, and anyone can raise an issue. In the blog post How to Contribute to Open Source Project, Maryna Z of Ruby Garage highlights the benefits of taking part in open source for developers, from beginners to enthusiasts, who want to inspire others. Open source offers the opportunity to share skills in a variety of ways: writing, updating and translating documentation, or designing or managing projects. This means that the number of people testing the software is greater than any one organisation could have on its own. Security testing can be more rigorous because a large number of individuals and organisations work to improve the software and contribute fixes that make it better and more secure.
Open source at Invotra
At Invotra, we use a lot of open source software in our tech stack: Apache, Ubuntu, ReactJS and Drupal, to name a few. Almost all Invotra functionality passes through Drupal. It forms the core of our product and the base on which we build our functionality. It is where content is stored within the Invotra product and where users are managed.