WebProWorld
Internet Security Discussion Forum
This forum is for the discussion of security-related issues. If you find a new phishing scheme, spyware, virus or malicious site - let us know about it. If any of the above found you... here's where you ask for help.

#1
03-15-2005, 06:13 PM
Dragonsi
WebProWorld Veteran
Join Date: Dec 2003
Location: Wales (UK)
Posts: 343
How secure is open source software?

Hi all,

This is something that has been whirling through my mind for a few weeks now. With most of my clients wanting their websites on a low budget, the most common way to achieve the results they are after is to turn to open source software. Using applications such as 'osCommerce', 'phpBB' and 'Typo3' among others is now becoming a regular thing for me. However, with the recent attack on the phpBB system over the new year, of which one of my sites was a victim, this has led me to ask the question...

Is using open source software a good idea?

After all, as the name suggests, the source code is open for all to see and if a hole can be found - it will be. Those sad 'kids' out there with nothing better to do than destroy the hard work of others, just for a laugh, will indeed exploit anything just to pass away their lonely days and nights rather than get a life.

I have learnt that making slight changes in the structure of these free or inexpensive systems can help protect them, but is it worth all that hassle and indeed embarrassment of using these systems?

Your thoughts please...
__________________
www.westwalesweb.com
Website development & ICT solutions.
#2
03-16-2005, 01:31 AM
mushroom
WebProWorld Pro
Join Date: Feb 2004
Location: Queen Charlotte B. C. Canada
Posts: 287

Vulnerabilities are found in many software products no matter where they come from.

Which is better? There is no blanket answer.

But in the case of open source software you may legally look at the code, change it to suit your needs, and fix it if you have to. That is not the case with proprietary software: you must rely on the copyright holder for all your changes and fixes.

Vulnerabilities in open source software are more likely to be found by someone wanting to fix it than by someone wanting to exploit it.

In the long run my bet's on open source.

Just make sure you upgrade or patch your software as soon as a fix is available. All the phpBB forums that got hacked did not.
__________________
Irony: That for most people the most "trusted" web site on the planet is for a company that has been convicted of criminal activity.

Both Security and SuSe start with "S". www.oldslides.com
#3
03-20-2005, 09:33 AM
Dragonsi
WebProWorld Veteran
Join Date: Dec 2003
Location: Wales (UK)
Posts: 343

Quote:
Originally Posted by mushroom
Vulnerabilities in open source software are more likely to be found by someone wanting to fix it than by someone wanting to exploit it.

If this is so, then I don't understand why a decent user of this software, who finds it useful and complacent enough to use professionally, would somehow let the wrong people know - how else do you explain attacks on various 'old' systems? Or is it the community in general, making sure they get enough downloads by ensuring everyone updates?

Surely with paid-for bespoke systems, you should have the security of knowing that the system is relatively safe from optimistic attacks by a worm and that the license provider is responsible for keeping you informed and providing a fix for potential security issues.
#4
03-20-2005, 02:22 PM
mushroom
WebProWorld Pro
Join Date: Feb 2004
Location: Queen Charlotte B. C. Canada
Posts: 287

To each his/her own

It may be wise to check http://secunia.com/product/
Quote:
Below is a complete list of software and operating systems in the Secunia database. Our database currently includes 4690 pieces of software and operating systems.
The most important question is what will the long-term support be like?
#5
03-21-2005, 11:34 AM
DOA
WebProWorld Member
Join Date: May 2004
Location: UK
Posts: 28

mushroom, I personally agree with you on this topic: just because a piece of software is Open Source doesn't automatically make it insecure (or more insecure), just as having closed source software doesn't guarantee security.

Although I don't want to play the anti-Microsoft role here, they provide the most well known example in Internet Explorer. Source code not seen by anyone in the general public, yet it seems a vulnerability is exposed almost every week.

I think the idea that Open Source software is unsafe for business use is one being put about by larger companies, in an attempt to convince uneducated users that their product is somehow better regardless of functionality.

Just my thoughts on the subject
__________________
Change is inevitable....except from vending machines
#6
03-21-2005, 05:46 PM
Dragonsi
WebProWorld Veteran
Join Date: Dec 2003
Location: Wales (UK)
Posts: 343

Thanks both for your thoughts, I am a big user of open source, I like it because you 'can play' with the code to customise it for your own needs plus there is usually plenty of support and ideas hidden within respective forums.

I only started to think about this subject matter after being quoted £40K for a CMS license (to say I nearly laughed in the man's face...). It just started to make me wonder, just how good is bespoke?
#7
03-22-2005, 02:41 AM
mushroom
WebProWorld Pro
Join Date: Feb 2004
Location: Queen Charlotte B. C. Canada
Posts: 287

Avoid Hostageware at all costs, or as other people call it, Lock-in-Software, where files are not saved in an open standard.

More: http://www.msversus.org/node/74