Security Concerns in Using FOSS
By Abbi Cabanding
As the Internet grew rapidly over the years, it enabled collaboration resulting in several open source communities. The collaborative efforts of these communities have resulted to open source alternatives for almost all proprietary software. These open source solutions allows the user to use it the way he wants either for customizing it for his specific needs or for designing a commercial solution based on it. GNU General Public License (GPL) is the most commonly used license for this purpose. The derived solutions based on open source software should be distributed along with the source code and the recipient should get the same rights with which the original source is distributed.
Once the open source software is made available to the public, it can be reviewed by anyone to asses its quality and reliability. Using open source software offered different advantages such as vendor independence, flexibility to customize code to fit specific needs, lower cost of ownership in designing a solution and the availability of its source code ensured that it can be reviewed, in its entirety, to check for potential bugs and vulnerabilities before deploying the product for mission-critical functions. And because of this, users and experts around the world can go through the source code so that bugs can be discovered and fixed early. Open source software have so much potential and can be more secured than its proprietary counterpart but it should not be assumed that the source code of all open source products will be reviewed by security experts of the same level that reviews popular open source products like Linux and Apache.
However, as with its proprietary counterpart, open source software has certain risk. Some are inherent while others might arise due to poor software management practices. And when it comes to security, knowing is, indeed, half of the battle.
First thing we must put into mind, is that a certain level of meticulous evaluation of these products is absent due to the fact that, unlike proprietary software, they do not undergo requirement analysis, defining of acceptance criteria and comparing the product with its competitive solutions available in the market for its functionality and security features and so on. Second, is that because the source code is available it will not be impossible for some amateurs to design and distribute malware by adding malicious code to the original distribution. And lastly, not all open source products receive a great sponsorship as the popular open source products such as Linux, BIND and Apache. If the open source product in question is not widely deployed or it is not well sponsored, it may become difficult for getting patches for the discovered vulnerabilities.
There are even some enterprises who are concerned to prefer open source to proprietary software because it bothers them that they have to rely on voluntary help of someone over the internet or do it themselves rather than on a vendor to fix bugs for them. But in the end, it helps to know that in using open source products, you have more control over them because you can study their security model. End users must always remember that, as with proprietary software, we must be vigilant on what software we actually use. Choose what works for you and choose well.
= = = =
Alyssa Bernice Dimaano Cabanding is a BS Computer Science student of University of the Philippines - Diliman. She is a member of Association for Computing Machinery (UP Student Chapter), One Earth Organization International and Freelance Writing Organization International she is also the Vice Chair for Externals, Kabataang Lingkod Bayan (COMELEC Volunteer Corps). She blogs regularly at http://abbicabanding.wordpress.com/.
|
