A big majority (89%) of IT chiefs believe open-source software is as secure as proprietary software, according to a survey by IBM-owned Red Hat, the maintainer of Red Hat Enterprise Linux (RHEL).
Red Hat’s findings in its The State of Enterprise Open Source report might settle a debate as old as the internet about whether open-source software is more or less secure than proprietary software, such as Windows.
The argument for open-source software security has been that more people vetting publicly available source code can result in faster fixes compared to the ‘security through obscurity’ model – a term historically applied to proprietary software because the codebases could only be vetted by employees.
Today, the debate is more about whether open-source projects are funded adequately. As Red Hat highlights in its new report, 89% of IT chiefs are confident in open-source security because it has matured.
Gordon Haff, a Red Hat technology evangelist, noted that the reasons why tech chiefs have a changing attitudes towards open-source software are still a little unclear.
The obvious historical answer to this question would have been that open source is more secure because there are many eyes on the code, he noted. “The problem with this answer has always been that there sometimes aren’t many eyes and what eyes there are may not be skilled ones backed by rigorous processes. In a way, this is the counterpoint to the ‘but the bad guys can see the source code’ argument against open source being adequately secure.”
But he said “many eyes” is now way down the list of reasons of why security is a benefit of enterprise open source, while respondents also indicated that the ability to audit the code themselves was even less important.
Haff added: “Enterprise open source is increasingly seen as having many of the same positive attributes as proprietary software while also delivering on the benefits that come from the flexibility of open source licensing and the open source development model.”
One thing that has become clear in recent years is that open-source software projects need more funding because finding and patching bugs costs money and most of the world’s internet infrastructure relies on these volunteer-based projects.
Tech giants and governments are responding to the shift. Google has helped with funding open source via several projects to improve security-related bug fixing. And there are new efforts underway by the Linux Foundation – which is backed by Microsoft, Intel, Oracle and Facebook – in response to attacks on software build systems.
The White House was alarmed enough by open-source software supply chain threats to label the Log4Shell flaw a “national security concern”.
Red Hat also found that 55% of IT leaders believe their teams can use well-tested open-source code for our in-house applications, while 52% believe security patches are well-documented.