Is it safe? Can open source be trusted?

As open source becomes ever further embedded (no pun intended) into the fabric of our IT infrastructures everywhere, certain questions arise. Firstly, when is enterprise open source free of charge? Answer: well, almost never. Companies know that they need to pay for service, maintenance and upgrades and in general they will opt for a commercial licence.

So, as they say in open source, there’s no such thing as a free lunch, not if you want static (rather than dynamic) links to code libraries for the rigidity that lets applications be “certified” and given a warranty before use.

Esteemed tech writers Stewart Baines and Danny Bradbury wrote a piece earlier this month which suggested that ‘crowdsourced’ (i.e. open source community driven) software development may be a well-established concept, but it still has its challenges.

Baines and Bradbury highlight the goings-on back in December, when a former contributor to the OpenBSD open source Unix derivative claimed that back door code had been inserted that would enable the FBI to monitor encrypted transmissions.

Open source developers are now rushing to analyze the code and find out whether this claim is true. But regardless of the outcome, it raises the question: how much can we trust our open source software?

Open source software permeates the Fortune 500. Whether it’s Linux, or open source email management or FTP software, most companies use it somewhere in their infrastructure. The traditional response to security concerns over open source has been that because so many people look at the code, bugs will naturally be weeded out. But how many of those people are trained security researchers? And could they spot security flaws that have been deliberately, rather than unwittingly, embedded in source code?

A recent paper published by the Department of Mathematics at Royal Holloway, University of London, advocates a threat modelling approach to evaluating crowdsourced software. Organisations using open source code should subject it to an evaluation in which real-world threats to the software are enumerated, prioritised and then mitigated, says Yoav Aner, author of the paper.

Of course, this requires organisations to devote significant resources to quality assessment. Unfortunately, many companies use open source software precisely because it is a cheap and quick way to meet software project deadlines.

Nevertheless, if enough companies could be persuaded to make the effort and to contribute their findings back to the broader open source community, we could drastically improve the quality of open source software – and justify our trust in it. That would doubtless make some of the original advocates of open source, such as Free Software Foundation founder Richard Stallman, very happy.

You can read the original post here.
