Why You Shouldn’t Just Rely on the Open Source Community to Harden Code

“Responsibility for secure open software is, well, complicated,” writes Government Computer News. It’s not just complicated; it’s also perhaps one of the most misunderstood aspects of open source software development.

You’ve no doubt read that open source software (OSS) is more secure than proprietary software because the code is genuinely hardened thanks to reviewers in the open source community who have tested it, tried to break it, and then fixed the problems they uncover.

This approach may seem counterintuitive, but it’s something that the U.S. Department of Defense stands behind. In fact, in 2009, the DoD issued a memo expressing confidence in the OSS security model:

“…the continuous and broad peer-review enabled by publicly available source code supports software reliability and security efforts through the identification and elimination of defects that might otherwise go unrecognized by a more limited core development team.”

The U.S. Army alone has over 200,000 instances of Red Hat OSS deployed. If that isn’t proof of performance and confidence in the security of open source, then what is?

But what happens if you run into problems? Open source code is vulnerable, especially if its components aren’t regularly reviewed.

As open source giant Red Hat reveals: “All software – no matter the license, provenance, or supply-chain involved – is at risk of having bugs...”

That’s why it’s important to buy an open source subscription. In addition to all the bells and whistles that you get with a regular support agreement, a subscription also provides security.

Red Hat’s Subscription service, for example, covers more than 100 different products made up of many open source components. Red Hat Enterprise Linux, for example, “…is comprised of several thousand different packages and each one can be a separate open source project,” writes Marco Bill-Peter, vice president, Customer Experience and Engagement, Red Hat. It’s the job of Red Hat’s Product Security team to know every component of every Red Hat product and find and track issues that could pose a threat to the integrity of the code. In 2014 alone, their record is nothing short of impressive:

“I am proud to report that in 2014, across supported versions of Red Hat Enterprise Linux, 97% of critical vulnerabilities had a customer fix the same or next day after they were public,” said Marco.

Security is just one piece of the Red Hat Subscription (a reduced total cost of ownership is another). Read more about the security essentials that come with the Red Hat Subscription in Marco’s blog post, “Security and the Red Hat Subscription,” and download the “Why Subscribe to Enterprise Open Source Software” whitepaper.

Featured image courtesy of OpenSource.com via Flickr.