Security
What is open source software and why should you care?
Oct. 17, 2022 / My Data Removal Staff
Have you ever heard of open source software? Or closed source (proprietary) software? Did you know that whether software is open source or closed source can affect its security? Neither method is inherently more secure than the other. There are both advantages and disadvantages to open source software just as there are for closed source or proprietary software.
TLDR: While there is ongoing debate among developers and users about which type is best for security, we recommend using products with open source code. Read on for a deeper explanation of the pros and cons of each approach and then decide what is right for you.
How does open source software work?
Open source means anyone can view the source code for a product. Closed source is the opposite, only the engineers at a specific company can view the code for their products.
Cookies (not the internet variety)
To begin, let’s take a look at how open source verses closed source works. And to do that, we are going to need some chocolate chip cookies. Let’s imagine that you have an amazing recipe for chocolate chip cookies that you came up with on your own. These cookies are so delicious that you decide you just have to share them. There are two ways you could share the awesomeness of your cookies with your friends and family. First, bake the cookies yourself and then sell them. Second, you bake the cookies, give them away for free as well as giving everyone the recipe.
Closed source
In the first example, you decide that because you came up with the recipe, you want to keep the recipe to yourself. It is hard-earned knowledge you gained through testing and a lot of trial and error. You feel like it is worth it to keep it to yourself because you like it the way it is and you don’t want anyone to mess it up. And, it is valuable to you. If nobody else has a cookie recipe like yours, that is worth some good money!
This is what closed source software looks like; people or companies keep their code to themselves. It is a proprietary product and it isn’t published to the public. Nobody is permitted to use, modify, or distribute it. In addition, closed source software is managed in such a way that it is impossible to access the code without specific permission from the publisher. The organization usually sells the product and has absolute control over how it is used and how users experience it. Apple is a well-known example of closed source software: non employees cannot inspect the code for their operating systems and apps.
Open source
In the second instance, when you share the recipe, you give everyone the opportunity to make your recipe themselves. You love your recipe so much, you want everyone to be able to access it. In addition, you know that with lots of people trying out the recipe, it will be more likely that improvements will be made or mistakes will be found. This is a collaborative approach.
This is what open source software looks like, in particular free open source software (FOSS). When the software is released, the source code (the part that most users never see but makes it function) is released along with it. Anyone can inspect or recommend changes to the code. Anyone can copy and add to the code making their own version. But the important thing is that the code is public and available to anyone for free. Android is one well-known example of open source software.
Why is this important from a cybersecurity standpoint?
Both approaches can produce excellent products. There are many companies who successfully use one of the two approaches for their products. Some companies use both for different products or parts of products. Just being open source doesn’t automatically make something more secure. And something that is closed source doesn’t automatically make it less secure. Let’s take a look at a few of the pros and cons of each approach so you can make more informed decisions in the companies and products you choose to use.
Let’s go back to the cookie analogy. In the first example where you keep the recipe to yourself, because nobody can see the recipe, anyone who eats your cookie has to trust that what you say is in the cookie is actually what is in the cookie. Nobody can actually see or verify the ingredients or see if you’re doing anything worrying.
In the world of code, closed source means that the user has to trust what the company says about their security protocols and the safety and security plans they have in place. Companies can and often do publish audits done by third parties on their code. However, once the audit is released, that does not reflect any further updates or releases that could have significant changes in them. Since you can’t see the code itself, you have to take what the company and the auditor say.
For example, if you have a closed source password manager, you have to trust them when they tell you how securely they store your data. Are you passwords actually stored in an encrypted database? Are they encrypted during the transfer between their server and your phone? With closed source, no matter how convincing their advertising, it is impossible to verify these types of critical security issues.
One of the most convincing arguments people make for closed source code is that it is safer because no one can access it, implying that it is safe from potential criminals. Proponents of open source argue that buys and vulnerabilities are a fact of life and that more eyes make a product safer than a product with less eyes on it.
With open source, it is possible to have any security claims verified. Because so many people (potentially thousands) can be accessing, testing and using the code constantly, it can be easier to trust. With that many eyes on the code, security issues are found faster and more often patched quickly.
Being open source adds credibility to a company’s security approach. Many companies are proud that they are open source, and they will often advertise that they are open source on their website. For an example, check out Bitwarden, an open source password manager. If you are curious to see what source code looks like, check out Bitwarden’s code on GitHub (a platform for hosting code).
However, some people don’t like that the code can be seen by anyone, since this means attackers can easily look for vulnerabilities in the code.
And while there can be huge numbers of people looking at open source code, there is no guarantee that there will be for every open source project. In some cases, having a dedicated team working on a closed source project can be better than an open source project that no one looks at.
How can I find the best open source software?
It is simple to do a search online for the product you want along with “open source.” Since most companies are proud to be open source, it makes it fairly easy to find out if they are.
7 examples of open source software:
Open and closed source software list (not exhaustive):
| Software type | Closed source examples | Open source examples |
|---|---|---|
| Operating System | Windows, iOS, MacOS | Linux, Android |
| Messaging app | Messenger, WhatsApp, iMessage | Signal, Wire, Silence |
| Password manager | LastPass, 1Password | KeePass, Bitwarden |
| Office suite | Microsoft Office | LibreOffice, Apache OpenOffice |
| App marketplaces | GooglePlay, the App Store | F-Droid |
| Email providers | Gmail, Outlook | ProtonMail, Tutenota |
| Social Media | Facebook, Instagram, Twitter | Minds, Aether, Mastadon |
| Web browser | Google Chrome | Firefox |
| Photo editor | Adobe Photoshop | GIMP |
| Media player | WinDVD | VLC Media Player |
| Screen Recording | Camtasia | OBS |
| Audio Editing | Adobe Audition | Audacity |
Conclusion
As you can see, open source is generally better, but it is no guarantee that a product is superior or more secure than a proprietary alternative.