Security and Open Source

A question I get a lot is: “Is Open Source more or less secure than Microsoft/Commercial Software?”

The question always surprises me, and still does, because I wonder why I or any other security professional would equate the mechanism by which software is procured with something that intrinsically affects the security of the code that is actually written.

It is perfectly possible to write “secure” code and then license it under any open source licensing agreement; it is also perfectly possible to write “secure” code and then license it under a commercial licence. The inverse in both cases is equally true.

Complex software will always have problems; some of those problems will be vulnerabilities that attackers can exploit, and the licensing model does not really make much difference.

What does make a difference is the process that wraps the development activity: a process that includes security as part of the lifecycle of the product from inception to decommissioning. At Microsoft we call that process the Security Development Lifecycle. What matters is that there is a mechanism to deal with security incidents, the SSIRP, and that there is a clear channel of contact for reporting a security issue.

If you have those things, and you train your developers, program managers and testers on writing secure code and on what good and bad coding practice looks like, and you invest in tools to check for known “bad” practice, then you will produce a product with improving security characteristics.

It will never be perfect, but it can be better.

Clearly, writing secure code with defence in depth as a core measure does not address supply chain integrity issues, but again this is about “process” and the rigour with which that process is applied, and I know many organisations that develop open source software and commercial software with equal rigour with regard to their supply chain.

Microsoft produces both commercial and open source software, but we do not vary our standards from one to the other.

And the licensing model? It’s just that: a mechanism by which the IP of the developer is recognised, protected and in some cases rewarded financially.
