Is Open Source Software More Secure Than Proprietary?
Introduction
Open source software and proprietary software take fundamentally different approaches to security. Proponents of open source argue that the ability to view and modify source code makes it more secure, while proponents of proprietary software argue that the controlled development process makes it more secure. There are merits to both arguments, and the security of any piece of software depends on many factors. In this article, I will compare the security of open source and proprietary software in depth.
Transparency of Open Source Code
One of the main arguments in favor of open source security is that the code is transparent and publicly accessible. This allows independent reviewers to audit the code for vulnerabilities. It also means vulnerabilities can be spotted and patched quickly when they do occur.
Wider Review of Codebase
With open source projects, the code can be reviewed by anyone around the world. This means more experts are able to spot potential issues compared to proprietary code which is only reviewed internally. Potentially thousands of developers can analyze open source code versus the limited security team of a proprietary software company.
Wide review enabled the Heartbleed bug to be spotted in OpenSSL despite no one on the small OpenSSL team noticing the flaw. Many eyes makes bugs shallow.
Rapid Patching of Issues
When vulnerabilities are discovered in open source software, patches can be quickly submitted by any developer instead of waiting on the core team. These community patches are then reviewed and added to the code.
For example, when Shellshock was found in Bash, community members rapidly submitted fixes and the official patch was out within days. This rapid response limits the window of exploitation.
Controlled Development of Proprietary Software
While open source has the advantage of transparency, proponents of proprietary software argue that the controlled development process results in more secure code overall.
Professional Security Teams
Proprietary software is often developed by large companies like Microsoft that have dedicated security teams. These professional developers focus solely on building secure code, auditing for vulnerabilities, and designing systems like SDL to catch issues.
Open source projects often rely on volunteer developers in their spare time without formal security training. The professional security expertise of major software vendors results in more secure initial code.
Controlled Change Management
Proprietary vendors have strict change management processes that all code must go through before release. Changes are audited, rigorously tested, and put through multiple stages of approval. This prevents the introduction of new vulnerabilities that could happen with the rapid, decentralized changes of open source.
So while open source code is more transparent, proprietary code is developed more carefully right from the start by security professionals. Good procedures prevent vulnerabilities.
Real-World Security Comparison
Theoretical differences aside, empirical data on real-world security can give insight into whether open source or proprietary software is more secure in practice.
Vulnerability Statistics
Studies have found both open source and proprietary software have similar numbers of vulnerabilities. Proprietary software like Windows and Internet Explorer actually had more vulnerabilities than open source alternatives in some reports. Both can be highly secure or insecure in the real world.
Severity and Exploit Rates
While vulnerability counts are similar, some studies suggest proprietary software has more high severity vulnerabilities and exploits. One report found Windows Vista had over 50% more high severity security bugs than Ubuntu Linux. Proprietary programs may have tighter initial development, but the large attack surface of popular closed source apps means exploits are more tempting for hackers.
Default Security Settings
Open source software also tends to have more secure default settings out of the box. For example, Debian GNU/Linux comes with the widely-recommended ASLR and stack canary features enabled by default, unlike Windows. The closed development of proprietary platforms allows vulnerabilities to slip through.
Striking a Balance
Rather than saying one is absolutely more secure than the other, the example of Chrome shows having both open design and controlled management leads to good security. The transparency allows bugs to be spotted while the managed development process catches issues before release. Large open source projects often have core teams providing direction too.
Proprietary software with third-party code review, penetration testing and external security audits can also achieve this balance. Security does not depend on the license but on the development process.
Conclusion
There are reasonable arguments on both sides of this debate. While open source code is more transparent for review, proprietary platforms have professional security-focused development. Both can result in secure software. In the end, good security requires having both responsible disclosure and vulnerability response no matter if the code is open or closed source. The culture and discipline of the development team makes the difference.
