Are you deciding whether to "take a chance" on open-source software but you’re worried about security?
It’s easy to find sneering posts about open-source software being insecure and inferior to proprietary counterparts with sarcastic lines like, "What did you expect? You didn't even pay for it."
Perhaps you’ve heard…
- Open source is insecure by nature because the source code is open to all hackers to inspect and exploit.
- Even if the code is fine today, the ragtag team of open-source developers behind it are amateurs who might fall off the face of the earth tomorrow, leaving you with unsupported software.
Fortunately, these concerns can broadly be classified as open source security myths.
Open Source is for Real
Popular open-source software, including Drupal and WordPress (Chromatic’s specialties!), is built by large, vibrant communities of committed developers. Contrary to what you may think, not just anyone can add code willy-nilly to open-source projects. Yes, you can grab the source code and make changes to it on your own computer, but unless your changes are reviewed by the community and merged into the main branch by the project’s maintainers, good luck getting them used anywhere other than said computer.
Established open-source projects have core maintainers who act as gatekeepers, merging code only after it has been reviewed and tested. They also have security teams and processes for reporting security issues. These projects use security best practices, coding standards, and automated testing suites to make sure only high-quality code gets shipped. Additionally, regular release cycles are set and followed, with updates that both harden security and improve the software. These are not shoot-from-the-hip efforts built by one or two hobbyist developers, but professional-grade products used by professionals. Microsoft and Google both contribute to open source, and https://www.whitehouse.gov has run on Drupal and currently runs on WordPress.
In fact, many established companies have grown out of the open-source projects that they support. It’s not unusual for them to have staff members who have most or all of their time allotted to open-source initiatives instead of directly to client work. Ensuring the health of the underlying open-source product ensures the health of the company. The software is not proprietary, but its care and maintenance are crucial to all who make a living from it. Chromatic also does its part, with a focus on Drupal.
Web Security is a Process
Software security is not directly related to the genius of the programmers behind the code, but rather to their commitment to follow security best practices and adhere to regular release cycles. Your team has a hand in it, too, by tracking these release cycles and keeping the software you use up to date. In fact, I talked about Chromatic's consistent approach to web security in a blog post from many years ago. Though the technologies mentioned in that blog post may change, the best practices we follow are evergreen.
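"Tracking release cycles" is something you can automate rather than remember. As an added illustration (this is not Chromatic's code or any project's official tooling), the script below reads the kind of `composer.lock` file a Drupal site ships with, compares each installed package against a table of "first version that carries the fix", and lists what is behind. The lock-file excerpt and the advisory table are constructed sample data; in practice the table would come from the project's published security advisories.

```python
"""Flag installed Composer packages that fall below a known-secure version.

Added illustration (not Chromatic's code): a release-tracking check of the
kind the paragraph describes. Both the composer.lock excerpt and the
advisory table are constructed sample data; a real check would read the
project's own composer.lock and a published advisory feed.
"""
import json
import re

# Constructed composer.lock excerpt (the shape follows the real file format).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/core", "version": "10.1.2"},
        {"name": "drupal/token", "version": "1.11.0"},
        {"name": "twig/twig", "version": "v3.4.1"},
    ]
})

# Constructed advisory table: package -> first version that carries the fix.
SAMPLE_FIXED_IN = {
    "drupal/core": "10.1.4",
    "twig/twig": "3.4.3",
    "symfony/http-kernel": "6.3.8",  # not installed here; must be ignored
}


def parse_version(text):
    """Turn '10.1.2' or 'v3.4.1' into a comparable (major, minor, patch) tuple.

    Pre-release suffixes such as '-beta1' are dropped, so a pre-release compares
    as equal to its final release; missing components are padded with zeros so
    '10.1' and '10.1.0' compare as equal rather than as older.
    """
    core = re.split(r"[-+]", text.lstrip("vV"), maxsplit=1)[0]
    parts = tuple(int(p) for p in core.split(".") if p.isdigit())
    return parts + (0,) * (3 - len(parts))


def installed_packages(lock_text):
    """Return {name: version} for every package in a composer.lock document."""
    data = json.loads(lock_text)
    pkgs = data.get("packages", []) + data.get("packages-dev", [])
    return {p["name"]: p["version"] for p in pkgs}


def outdated(lock_text, fixed_in):
    """Return sorted [(name, installed, fixed_in)] for packages below the fix version."""
    findings = []
    for name, version in installed_packages(lock_text).items():
        if name in fixed_in and parse_version(version) < parse_version(fixed_in[name]):
            findings.append((name, version, fixed_in[name]))
    return sorted(findings)


if __name__ == "__main__":
    for name, have, need in outdated(SAMPLE_LOCK, SAMPLE_FIXED_IN):
        print(f"{name}: installed {have}, fixed in {need}")
```

Run against a real lock file, a check like this belongs in the same CI pipeline that builds the site, so a release you have not yet applied fails the build instead of waiting to be noticed.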
Software needs to be judged on its own merits, not whether the developers are paid in stock options. There is nothing inherently inferior about open-source software, just as there’s nothing inherently inferior about fantastic music you hear for free. So, if someone, somewhere, once told you to avoid open-source software because it is insecure, we encourage you to get a second opinion and take another look.