Ounce Labs believes that the recent spate of criticism from security vendors about open source software is off-base and, in many cases, counterproductive to security.
Jack Danahy, Ounce Labs’ co-founder and CTO, said: “Most of the security arguments against open source software are misleading. There is a myth out there that because the bad guys can see the source code, there is more security vulnerability. The relative security of software – whether it’s open source, commercial or home-grown – is much more dependent on whether security was a top priority during the development cycle, or just an afterthought.”
Danahy adds, “Some in the industry will have you believe that there are inherent security problems in the development methodology of open source software that expose users to greater risk of security breaches. In our experience with customers, and in our work supporting the open source community, we have found strikingly little difference in the overall security of open source programs and those developed in a more proprietary manner. The bottom line is this: there is an endless supply of both secure and vulnerable software across the commercial, open source and proprietary domains. The assessment of the scope, severity, and situational impact of those vulnerabilities should be a core process in any software acquisition, regardless of the source.”
Flexibility, cost, and enterprise-level features have always been key factors for organizations that choose open source over commercial technology. Open source software is a valuable option in today’s enterprise, but just as with commercial software, vulnerability management and mitigation should be a top concern for any company that depends on software to run its business. In order to mitigate the business risk created by insecure software, it is imperative that companies adopt a process that allows them to assess, remediate and prevent security vulnerabilities in all of their business software.