International Cyber Expo International Cyber Expo
  • About Us
Thursday, 9 July, 2026
IT Security Guru
International Cyber Expo
  • Home
  • Features
  • Insight
  • Channel News
  • Events
    • Most Inspiring Women in Cyber 2026
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Channel News
  • Events
    • Most Inspiring Women in Cyber 2026
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
IT Security Guru
No Result
View All Result

Open source – safe or not?

by The Gurus
January 24, 2014
in Opinions & Analysis
Share on FacebookShare on Twitter

In a recent conversation, I asked a company spokesperson if open source could ever be secure as so many people are able to change the code.
 
This led me to ask those companies both involved in open source development and the wider industry, is there such a thing as secure open source? Mike Janke, CEO of Silent Circle said that the most important tool is to have your stuff reviewed around the world.
 
He said: “I want open source to know how many vulnerabilities there are and if the provider is fixing it or not, but not a lot of people know that. Bruce Schneier says “do the math” and Phil Zimmerman says you need to see the value in it, companies will sell you anything but will always tell you what it is good for.”
 
I caught up with Uri Rivner, formerly of RSA and now vice president of business development and cyber strategy at BioCatch. He said that we are all stronger as a result of reviewed code and that open source “actually helps security”.
 
“There is a big difference between seeing code and exploiting it, and the truly talented hackers, security researchers and experts don’t work for Governments – those are the real “A” talent people who end up testing and evaluating our open source code,” he said.
 
“The army of the world’s best talent from all countries goes through open source code. It may take a while, but over time the product becomes more secure through the mechanism of ‘group hive review’ This is why the NSA chose to exploit hardware and providers instead of truly sound open source encryption. That means that the mobile platform is the weak link.”8/
 
Technologies exist that are open source and widely used; an obvious example is Google’s Android. Rivner said that the basic version of Android is widely considered the least secure among mobile operating systems, while state-sponsored attackers already have access to any important source code imaginable, so if you’re worried about states attacking you, there isn’t much of a difference between relying on open source and closed source.
 
According to an Oracle whitepaper, an “open source license permits anybody in the community to study, change and distribute the software for free and for any purpose”.  However it was less than complimentary about its strength against commercial products, saying: “Government sponsored community development approaches to software creation lack the financial incentives of commercial companies to produce low defect, well documented code and are not subject to the same market pressure at the software code level.”
 
So open source is developed by a community for the community, and there may not be the support and review that a paid-for product has, but it is seen as doing something for the community. Oracle said that “just about every commercial software vendor leverages open source software”.
 
One of these is Snort, developed by Sourcefire. Jason Brvenik, formerly vice president of security strategy at Sourcefire, now principal engineer of the security business group at parent Cisco.
 
He said that security is not dependant on whether it is closed or open source, but it is about design, review and trust. “An environment of many hands has early issues, but Snort would have been impossible to create if it was just us, but if it is created in the open, then an attacker will evade it,” he said.
 
“With Snort, companies would say that they trust it
as they can review it on their own and look at peer review and maths and it only serves to improve the quality of what they are talking about and if you review yourself, you help yourself and the solution as a whole. The more eyes the better, as with technology like this the more eyes there are the more likely you are to spot something. Nothing is perfect and there are vulnerabilities in systems and the time to deliver is faster than anything before and we see bugs in ten year old technology within the kernel.”
 
Brvenik said that when you develop a new product, an option is to open source the feature sets to evolve them, and get feedback from users that you would not get in a closed environment.
 
So is open source more secure? As Oracle said, at first glance it might seem that organisations can avoid buying commercial software products simply by starting with open source software and developing their own applications, but the total cost of ownership for open source software often exceeds that of commercial software.
 
The question I would ask is whether you would want to use open source software; I do see that it is the coming together of the industry and minds to drive development of a great product, but who continues that development and support? Does it become a great paid-for product or is it relying on that community to keep supporting it.
 
Open source is a great thing for the industry to do, but it is important that things are done properly for all our security.

Tags: Open Source
ShareTweet
Previous Post

Security B-Sides London confirms sponsors

Next Post

CISOs have "too much focus on technology"

Recent News

hand typing on keyboard

CitrixBleed 2 exploited in repeatable attack chain culminating in DragonForce ransomware, researchers find

July 9, 2026
malware

Huntress Uncovers ‘Vibe-Coded’ Malware Used to Map Active Directory Environments

July 8, 2026
Check Point’s ThreatCloud AI Blocked 4.6 Billion Attacks in 2025, Latest ESG Report Reveals

Check Point’s ThreatCloud AI Blocked 4.6 Billion Attacks in 2025, Latest ESG Report Reveals

July 8, 2026
Kirsty Fowler, WorkNest Secure

Next Gen Spotlights: Building a More Resilient Future – Q&A with WorkNest Secure

July 8, 2026

The IT Security Guru offers a daily news digest of all the best breaking IT security news stories first thing in the morning! Rather than you having to trawl through all the news feeds to find out what’s cooking, you can quickly get everything you need from this site!

Our Address: 10 London Mews, London, W2 1HY

Follow Us

© 2015 - 2026 IT Security Guru - Website Managed by Dessol

  • About Us
Manage Consent
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
  • Manage options
  • Manage services
  • Manage {vendor_count} vendors
  • Read more about these purposes
View preferences
  • {title}
  • {title}
  • {title}
No Result
View All Result
  • Home
  • Features
  • Insight
  • Channel News
  • Events
    • Most Inspiring Women in Cyber 2026
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us

© 2015 - 2026 IT Security Guru - Website Managed by Dessol