Software security myths

Nowadays, everybody runs software, and software gets more and more complex. Even a few lines of code can produce serious security vulnerabilities which put confidential information and personal data at risk.

But there is open-source software! We actually sometimes read statements like “open-source software is more secure than proprietary software”, or we see people treat audits conducted three years ago as “security guarantees”. We show you why these myths are wrong.

Contents

  1. Myth 1: Open-source software is more secure than proprietary software
  2. Myth 2: Audited software is more secure than software which hasn’t been audited
  3. Myth 3: Many reported issues mean insecurity
  4. Summary
  5. Sources


Myth 1: Open-source software is more secure than proprietary software

Wrong. The differences between “open source” and “proprietary” are about licences, not security features. This blanket statement often implies that “everybody” can look at open-source code and that it then magically becomes more secure. Proprietary software, on the other hand, supposedly can’t be audited, and this must be at least highly suspicious!

You can ask yourself whether you have the ability to read and understand the complete source code of a new app, its imported libraries and so on. Are you an experienced programmer? Then this may be a walk in the park for you. But did you also check every update, especially when software is updated automatically without any visual hints or prompts? Did you also check the source code of your operating system? Did you also check the source code of your mostly proprietary hardware? Can you understand every line of code and the possible risks it poses to the security and integrity of your system? Can you understand every algorithm? It is a safe bet that this isn’t the case. Vulnerabilities like Dirty COW (in the Linux kernel) or Heartbleed (in OpenSSL) showed that open-source software isn’t magically secure only because everybody can look at the code.

A more correct statement is that maintained software is more secure than unmaintained software: you are more likely to get secure software when its developers regularly check the code and fix vulnerabilities as fast as possible.

Myth 2: Audited software is more secure than software which hasn’t been audited

Another myth is that “audited software is more secure than software which hasn’t been audited”. Some people tell you that audits conducted three years ago are some kind of guarantee that the code is secure. This is wrong, of course.

For instance, there were two independent audits of the well-known OpenVPN software in 2017. Vulnerabilities were fixed, and everything seemed to be okay. However, Guido Vranken discovered four critical security vulnerabilities afterwards. This example shows that security audits won’t discover every possible vulnerability in a code base.

Furthermore, you have to keep in mind that developers aren’t obliged to fix the bugs found by auditors. They can just say “We won’t fix that”. They can also try to fix a vulnerability and introduce a new one, or even several.

Another aspect is time: an audit conducted one, two or three years ago may already be irrelevant because the developers have since modified hundreds of lines of code.

Myth 3: Many reported issues mean insecurity

Finally, some people state that hundreds of GitHub issues (or issues reported elsewhere) indicate that the code is insecure. This is also wrong.

Imagine a small project by a computer science student. Someone implemented a lightweight web browser and uploaded it to GitHub. About 150 users downloaded the browser, and 100 use it on a daily basis. No one reports any issues in the following months.

On the other hand, there is a well-known and heavily used web browser. People report issues every day and there are hundreds of issues still open.

The question is: which web browser is more secure? The first one, because there are 0 reported issues? The second one, because millions of people use it every day?

Our recommendation here is that you look at the issues themselves. For instance, people also report feature requests or questions as issues. Obviously, such issues aren’t security-related. Then look at the security issues: do the developers provide fixes as soon as possible, or do they ignore these issues?
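To make this recommendation concrete, here is an added example (not code from the original article) of how you might triage an issue list the way the text suggests: it separates security-labelled issues from feature requests and questions, counts how many security issues are still open, and measures how quickly the closed ones were fixed. The issue records are constructed for this example and merely mimic the shape of an issue-tracker export; the label names, the `triage` function and the cut-off date are assumptions.

```python
from datetime import datetime, timezone
from statistics import median

# Constructed sample issues, loosely shaped like a GitHub issues export.
# Titles, labels and dates are made up for this example.
SAMPLE_ISSUES = [
    {"number": 1, "title": "Add dark mode", "labels": ["enhancement"],
     "created_at": "2023-01-05T10:00:00Z", "closed_at": None},
    {"number": 2, "title": "How do I build on Windows?", "labels": ["question"],
     "created_at": "2023-01-07T10:00:00Z", "closed_at": "2023-01-08T10:00:00Z"},
    {"number": 3, "title": "Heap overflow when parsing long URLs", "labels": ["security", "bug"],
     "created_at": "2023-02-01T10:00:00Z", "closed_at": "2023-02-04T10:00:00Z"},
    {"number": 4, "title": "TLS certificate validation can be bypassed", "labels": ["security"],
     "created_at": "2023-03-10T10:00:00Z", "closed_at": "2023-03-17T10:00:00Z"},
    {"number": 5, "title": "Crash on malformed PNG", "labels": ["bug"],
     "created_at": "2023-04-01T10:00:00Z", "closed_at": None},
    {"number": 6, "title": "Cookie sent over plain HTTP", "labels": ["security"],
     "created_at": "2023-05-01T10:00:00Z", "closed_at": None},
]

# Assumed label names used by the project to mark security-relevant issues.
SECURITY_LABELS = {"security", "vulnerability"}


def parse_ts(ts):
    """Parse an ISO-8601 UTC timestamp ('...Z'); None stays None (issue still open)."""
    if ts is None:
        return None
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_security_issue(issue):
    """True if any of the issue's labels marks it as security-related."""
    return bool(SECURITY_LABELS & {label.lower() for label in issue["labels"]})


def days_between(start, end):
    return (end - start).total_seconds() / 86400


def triage(issues, now):
    """Summarise how a project handles its security issues.

    Returns total issue count, how many are security-related, how many of
    those are still open, the median days needed to close a security issue
    (None if none were closed yet) and the age of the oldest open one.
    """
    security = [i for i in issues if is_security_issue(i)]
    fix_times = []
    open_ages = []
    for issue in security:
        created = parse_ts(issue["created_at"])
        closed = parse_ts(issue["closed_at"])
        if closed is None:
            open_ages.append(days_between(created, now))
        else:
            fix_times.append(days_between(created, closed))
    return {
        "total": len(issues),
        "security_total": len(security),
        "security_open": len(open_ages),
        "median_days_to_fix": median(fix_times) if fix_times else None,
        "oldest_open_security_days": max(open_ages) if open_ages else None,
    }


if __name__ == "__main__":
    # Assumed cut-off date for the constructed data.
    report = triage(SAMPLE_ISSUES, parse_ts("2023-06-01T10:00:00Z"))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against the constructed data, the report shows that only three of the six issues are security-related, that the two fixed ones were closed within a week, and that one has been open for a month; those are the numbers worth looking at, not the raw issue count.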

Summary

The bottom line is that there is no magical security in open-source products, audits aren’t security guarantees, and many reported issues don’t imply insecurity. These myths are nothing but blanket statements which aren’t true in general.

Use maintained software and observe how its developers handle security vulnerabilities. The rest is about trust, as always on the internet.

Sources