An application’s security may depend on how intensely its code is scrutinized by those invested in it
Security remains one of the biggest concerns surrounding the use of open-source software. To many organizations, publicizing an application’s source code seems like a threat to their livelihood. The source code is the secret sauce that legitimizes their bid as a valuable company in the data community. They guard the code closely out of fear, either that their application will be stolen or that it will be manipulated and exploited for malicious purposes.
But open-source proponents argue the sharing of source code may be more secure than restricting access to authorized users within the organization. More eyes and more perspectives on an application’s code can help identify and close security risks. In fact, the National Geospatial-Intelligence Agency’s (NGA) GEOINT App Store relies entirely on source code sharing to ensure the applications it brokers meet security standards for users in the Department of Defense. A recent WIRED article detailed the process.
First, NGA and its partners (who’ve signed nondisclosure agreements with the developers) conduct multiple rounds of source code analysis and vulnerability scanning on a submitted application. They produce reports containing as many as 1,000 items a developer needs to address. Once these issues are satisfied, they then test the app to uncover any dangerous functions that might still be lurking in the code. If an application gets approved for inclusion in the GEOINT App Store, the agency continues working with the developers on patches and software updates after release.
But open-source projects in the commercial sector don’t always receive such meticulous review. Generally, the level of attention from developers in the open-source community depends on the scope of the project (and, largely, which tech monolith stands behind it). Popular software such as Linux or Google Earth will draw considerable interest from end users looking to make specific patches that benefit their work. A four-person software startup without any users, on the other hand, usually doesn’t turn many heads when it uploads to GitHub.
The security of an application, then, depends not on the public availability of its source code, but on how intensely its code is examined by the people invested in it. Implementing diligent testing and patching processes help bolster the security of any application, open-source or not.
Photo Credit: Pxhere