


Open Source: Is it inherently more secure than proprietary software?

Feb 20, 2007
Data and Information Security, IT Leadership

After a series of entries about security threats from employees, I’d like to turn to something completely different: security issues relating to open source software.

For those of you unfamiliar with open source software, it is software distributed under a license that gives every recipient the right to use, inspect, modify and redistribute the source code. The idea behind open source is the opposite of proprietary software. With open source software, the goal is to make available software that can be freely distributed and modified. This means making the source code of the software, something that is ordinarily strictly protected with proprietary applications, readily available to all licensees. Open source software is generally developed by the combined efforts of any number of unrelated programmers, frequently distributed around the world (e.g., Linux, applications from the Apache Software Foundation, etc.).

Proprietary software, on the other hand, is generally developed by a single company, with the source code strictly protected. One of the most significant distinctions between the two types of software is that open source is generally provided entirely as-is, with no warranties, indemnities or other contractual protections. Licensors of proprietary software, in contrast, generally provide at least basic warranties, indemnities and other contractual protections.

Many people argue open source software is inherently more secure than proprietary software. This is because the source code for open source software is readily available and, if the application is popular, will be reviewed by many different people. This is the “many eyes” theory of security, which has been used very successfully in the area of encryption for many years. Cryptographers have long held (the idea is known as Kerckhoffs’s principle) that the security of a system should not depend on keeping its algorithm secret, only on keeping the key secret. Whenever a new encryption algorithm is proposed, its specifics are therefore publicly disclosed with the express intent that many people will carefully scrutinize the algorithm for potential flaws. This generally leads to far more secure encryption algorithms than those that are not publicly vetted. The same thinking is applied to open source software: if the source code is made available for public review, flaws are more likely to be found and fixed, because more people (i.e., not just the original developers, who may suffer from a severe case of myopia) will review the code for potential security risks.

The million dollar question is whether the “many eyes” theory actually works for open source software. Is open source more secure than proprietary software? There are arguments on both sides of the question. Some insist all open source is inherently secure because the source code is available for review. Others focus not on whether the source code is available for review, but on whether it is, in fact, actually reviewed. The “many eyes” theory only works if you actually have “many eyes” looking at the code, and availability of the source does not by itself guarantee that anyone qualified has looked at it.

The security question has to be answered on a case-by-case basis. Licensees considering deploying open source in a mission critical environment must satisfy themselves that sufficient review has been conducted to have reasonable confidence in the application’s security. If the application is widely used, the risk is reduced, because wide use makes it more likely that the code has been examined, but popularity alone is not proof of review. Evidence that review is actually happening includes a public bug tracker with a history of reported and fixed security issues, maintainers who respond to and disclose vulnerability reports, and any published third-party security audits.

On the other hand, if the application has relatively few users, the licensee may have to conduct its own code review. Such a review can be very costly and may not be economical. The alternative, of course, is to seek out an alternate, proprietary application and require appropriate contractual protections from the licensor.


Michael R. Overly is a partner and intellectual property lawyer with Foley & Lardner LLP where he focuses on drafting and negotiating technology related agreements, software licenses, hardware acquisition, development, disaster recovery, outsourcing agreements, information security agreements, e-commerce agreements, and technology use policies. He counsels clients in the areas of technology acquisition, information security, electronic commerce, and on-line law.

Mr. Overly is a member of the Technology Transactions & Outsourcing and Privacy, Security & Information Management Practices. Mr. Overly is one of the few practicing lawyers who has satisfied the rigorous requirements necessary to obtain the Certified Information System Auditor (CISA), Certified Information Privacy Professional (CIPP), Certified Information Systems Security Professional (CISSP), Information Systems Security Management Professional (ISSMP), Certified Risk and Information System Controls (CRISC) and Certified Outsourcing Professional (COP) certifications.

The opinions expressed in this blog are those of Michael R. Overly and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
