Maintaining security when attackers can see the code in an open-source world

Information security has become increasingly high profile in the past few years. High-profile hacks, leaked databases and CSV files full of user passwords have all made rather bad headlines for everyone involved.

Attackers may use any information available to find even the smallest weakness in a system. Any detail or clue about your configuration can be used as a means of attack. This causes some people, quite understandably, to question whether using code that is publicly available to the world is a good idea.

What is open source software?

Open source software is software where the source code is freely available and can be used and modified by anyone for their own uses. This can be any kind of software. Web browsers, operating systems, text editors and content management systems are just a few.

An example of this can be seen on GitHub:

This is the code for the Apache web server. It is free to download and use as needed. Everyone can see the code, and anyone can freely use it to set up their own web server.

Open source at Invotra

At Invotra, we use a lot of open source software: Apache, Ubuntu, ReactJS and Drupal, to name a few. Drupal forms the core of our product and the base on which we build our functionality. It is where content is stored within the Invotra product, and it is where users are managed.

Almost all Invotra functionality passes through Drupal.

With all this data flowing through one system, some might question whether it is a good idea to use software whose code anyone in the world could be reading and searching for vulnerabilities. That is a fair assessment; however, there is another way of looking at it.

Inspectability and Control

The fact that open source code can be viewed by anyone does not have to be a negative. We have the ability to read any code before we decide to use it, and every feature can be carefully reviewed for potential issues.

Because the code we use is controlled by Invotra and not by a third party, we can choose if and when any changes are made. If a maintainer of a project makes a change that may cause issues, or that does something which does not fit the Invotra product, we can see this before deciding whether to adopt the change or write our own code instead. This is a level of control that we could not get over closed source software.

Community

Open source lives by the community around it. Experts who dedicate themselves to the creation and maintenance of open source projects help keep them secure and allow for more rigorous testing.

Anyone can contribute to an open source project, and anyone can raise an issue. This means that the number of people testing the software is greater than any one organisation could have on its own. The security testing is rigorous because of the large number of individuals and organisations who work to improve the software and contribute fixes that make it better and more secure.

It should be noted that simply being open source does not make software secure. Risky software will not become more secure just by open sourcing the code.