Is open source secure?
The answer depends on the combination of all factors involved:
- for what software?
- which exact version? (amoung thousands in some software)
- what environment?
- what is the configuration?
- what other software are dependencies? (and all of each of their variables)
- what software is using that software as a dependency (and its variables)
General Considerations
Pros:
- Your company can review and audit the code.
- Open Source is a powerful joint collective of some brilliant minds.
- Sometimes portable.
Cons:
- Bad actors are out there, and they're reviewing the code and testing attacks.
- The authors can not possibly design for every permutation of the variables of use.
- Architechture specific source code and environment / compiler / library specific source code.
- Often several projects are automatically combined in by way of dependencies and assumptions of never tested composites.
For any security statement to be made, it must clearly encompass a scope and boundaries.
At PriVerify, we put Foundation First to implement the first solution of its kind.
Our flagship set of solutions is called
SECF:
Simple Extensible Comprehensive Foundation
Packaged into just two files:
-Application tested to meet or exceed its specs
-configuration binary specific to each of your devices/instances
-Application tested to meet or exceed its specs
-configuration binary specific to each of your devices/instances
Open source integrations provided:
-Web Servers (Apache mod_ssl)
-Web Servers (Apache mod_ssl)
-Delivers Quantum Entropy directly to the Linux kernel
-Example configurations for many popular platforms
-Example configurations for many popular platforms
-Quantum Entropy delivered to each of your systems
-Time synchronization built-in to the same purpose-specific secure EDP
-Time synchronization built-in to the same purpose-specific secure EDP