The security risk of open source software
Apr 5, 2025
The term open source makes software appear more reliable and appealing to many of us. Certainly, open source software offers many benefits, but in certain cases, making it open source can effectively provide attackers with a roadmap to exploit the system.
Why
Many companies choose to make their software open source to build trust with users by demonstrating the software’s security and transparency. What they want to show on the security side is that user data is stored securely and privacy is respected. Users then feel assured that their data is safe, which makes them more eager to use the software. Open source also offers advantages such as transparency, contribution, and auditing. This approach is excellent for both the company’s reputation and user satisfaction.
Problem
Everything seems fine. However, we should not overlook attackers seeking vulnerabilities to exploit in the software. Let’s put ourselves in the attacker’s shoes. Say the attacker wants unauthorized access to the software. For the attacker, understanding how the software works is crucial; without that knowledge, their task becomes much harder, or they might not succeed at all. If the software is open source, the attacker can review the code and try to find vulnerabilities. They learn how the software works and will do whatever they can to gain access. Understanding the software's functionality gives them more confidence, and they will keep trying. No matter how many audits are done, no system is 100% secure. There is always a vulnerability, and by providing open-source code, we are essentially guiding the attacker in finding it. In short, open-source code equals an open target.
What to do
If we are going to make the software open source, we need to assess whether it is appropriate for that. For example, if the software handles or stores important user information, making it open source should be reconsidered. This is because we cannot predict how severe a future vulnerability might be. If a major vulnerability occurs and user data is exposed, there is no way to remedy it. Even if the code goes through a thousand audits, there will always be a flaw. However, if the software does not process any important information, open-sourcing it with proper audits is not an issue.
Another question arises. If the software handles important user data and is not going to be open source, how can trust be established with users? There is no definitive solution for this. Perhaps a limited version could be shared, but that wouldn't be enough. In both cases, there is still the risk of user data being stolen or sold. So, in either situation, the user should be cautious and choose trustworthy software.
Conclusion
In conclusion, open source is beneficial, but not for all software. Particularly for software that handles user data, it can increase the attack surface. Blindly saying "everything should be open" is a security weakness. Transparency is good, but too much transparency is risky.