Open source is an established and popular form of software today. The transparency in the way open source software is built offers great advantages in terms of cybersecurity. It makes it as easy as possible for anyone to find and, in the best case, fix security flaws in the source code. Karl Emil Nikka of Nikka Systems explains how this works.
The fact that MetaSolutions’ EntryScape platform is available as open source comes as no surprise, as it is used to manage and publish open data. Openness and transparency run like a red thread through MetaSolutions’ operations. It would be strange to release EntryScape as proprietary, closed software.
But there are also specific reasons for releasing software, such as web services, as open source. Increased cybersecurity is one such reason, as IT security specialist Karl Emil Nikka, who runs the company Nikka Systems, points out.
Do you want to read this text in Swedish? Click here!
– Open source makes it possible to understand what the source code does, which makes it easier to identify security flaws, says Karl Emil Nikka.
Of course, it is possible to reverse the argument and say that it also makes it easier for cybercriminals to find security flaws in software that they can exploit.
– But today there are advanced decompilers that criminals can use to analyze proprietary software and find security flaws. But open source also allows those who want to secure software to do so legally, Nikka explains.
Different types of open source
Karl Emil Nikka is careful to explain that there is a difference between open source and available source. With open source, anyone can (in principle) both view and modify the source code of a piece of software, so that security flaws can be fixed. With source available, you can look at the source code, but you cannot modify it, which means that security flaws cannot be fixed by anyone.
The “in principle” clause above, regarding changing the source code, refers to the fact that there are a variety of open source licenses, some with different wording. To further complicate matters, some people prefer to talk about free software rather than open source. But again, in principle, open source means that anyone, you and me, can change the source code. Then there are different rules about how to make the modified code available to others.
In the context of this argument, Nikka points out another important security aspect of open source. If the developers of open source software stop developing it, for example to fix security holes, user organizations that want to continue using the software can develop it themselves. This can be done with something called a fork (basically a new version of the software that can be developed further on its own).
Share This Story, Choose Your Platform!
The bottom line is that you don’t have to abandon an important piece of software just because its original developer is sloppy about security. In some cases, it may be more efficient and profitable to develop the software yourself rather than switch to a more secure alternative.
– Open source software also means that you don’t have to upgrade to new versions just because the company behind the software wants you to. If your organization has the interest and resources to maintain an older version, there is nothing stopping them from doing so. If many organizations share the interest, they can help with the work, says Karl Emil Nikka.
In most cases, it is possible to maintain an older, fully functional version of software and continue to develop it to fix security vulnerabilities as they are discovered.
Controversies over use and development
Open source is a largely uncontroversial phenomenon these days. In fact, many popular software applications, often those that users do not interact with but that are critical to functionality, are now open.
But there is still some controversy, not the least of which is commercial companies using free open source software without contributing to its development. In some cases, this has led the people behind popular open source software to switch from open source to available source, which can be seen as a deterioration from a security point of view.
An interesting question is what can be asked of government agencies that use open source software. Can they be required to contribute to the development of the open source software they use, as some commercial companies do?
– This is a difficult question. Personally, I find it reprehensible that there are no open source requirements in public procurement, concludes Karl Emil Nikka.
