Open Source is not inherently more secure

If your not following the Heartbleed issue, it’s an amazing issue that affects a large portion of the Internet’s secure traffic. The gist is that there was a change committed to the main codebase at the end of 2011 that allows an attacker access to the memory of the server. Any secure connection utilizing the OpenSSL project could be affected, from your email, your private computer systems to your bank. Almost every major company has been affected in one way or another.

The OpenSSL project is a pillar of Open Source Software and utilized by almost everyone. Mashable has a great list of companies/services where you should immediately change your password. I believe that it’s been known for some time that there is nothing about OSS that makes it more secure then closed source, but somehow the myth is still out there.

open-source

It is true that because the source is available for anyone to see that anyone can catch and fix bugs or security issues. But what a lot of people miss is that there has to be a motivating factor for people to do so. Just because the source is out there there doesn’t mean that it will happen.

Additionally the people maintaining or responsible for the project a lot of times have little motivation to spend more time on finding these issues. In the case of Heartbleed the code was reviewed before it was accepted, someone looked at the code that would 2 years latter send the Internet into a frenzy and accepted it as good.

OpenSSL is a vital project and utilized by a large portion of the Internet, yet it’s run on donations and a shoestring budget. It’s completely maintained by volunteers that have to worry about their real jobs to pay bills, and it’s not their fault for skimming over stuff. The motivational factors are not there as they would be in a full time position, if something like this got missed, someone is getting fired. In an OSS project, “Oh I don’t have to spend all my free time contribution to this thing, oh darn”.

The sad fact is that the people who do have the motivation most of the time are the ones who will profit from the mistake. Think the NSA or hackers looking for ways to steal information. How long have they been actively using this exploit over the last 2 years?

Heartbleed should be a call to arms for companies to contribute more to major open source projects they utilize. A project of OpenSSL’s importance should have a full time staff and should be well supported, I have always tried and contribute to projects I use, I rarely have the time to do anything more then give money, but that’s vital, because it gives motivation. Helping out a project with code, patches and reviews are nice, but major companies need to give money to these projects.

Resgrid will also start donating yearly to open source project we utilize and we want to make it part of our culture of giving back to open source. Resgrid is a cloud service company providing logistics and management tools to first responder organizations like volunteer fire, career fire, EMS, search and rescue, public safety, disaster relief organizations, etc. It was founded in 2012 by myself and Jason Jarrett (staxmanade).

It’s small companies that should start leading the charge, even though we can’t give much we hopefully can start shaming the big companies into giving to OSS projects that help build their products and services.

About: Shawn Jackson

I’ve spent the last 18 years in the world of Information Technology on both the IT and Development sides of the aisle. I’m currently a Software Engineer for Paylocity. In addition to working at Paylocity, I’m also the Founder of Resgrid, a cloud services company dedicated to providing logistics and management solutions to first responder organizations, volunteer and career fire departments, EMS, ambulance services, search and rescue, public safety, HAZMAT and others.