With the creation of the Government Digital Service (GDS) four years ago, open source software was thrust into the public sector spotlight in the UK. The government chief technology officer at that time, Liam Maxwell, co-authored the report ‘Better for Less’ which set out the policies that gave government IT management the remit to pursue the advantages of two specific technologies –cloud and open source software.
The report identified how these two technologies can drive cost and efficiency savings at the same time as meeting the government’s requirements for digital transformation. However, while cloud has undoubtedly become a resounding success in the public sector, open source hasn’t gained the same traction, with certain misconceptions acting as key barriers to adoption. Over the next few weeks we’ll dispel some of the myths surrounding open source and offer our views on how the technology can be beneficial to public sector agencies looking to undergo digital transformation.
This week, we look at the issue of cyber security…
Myth 1: Open source software is less secure than proprietary
One of the major barriers to public sector organisations considering open source software is the concern over levels of security. Because open source software is built by communities of developers, with the source code publicly available, there’s a common misconception that it is inherently less secure and therefore more risky than closed source options. Misformed media coverage does little to allay fears either, as organisations are quick to attribute data breaches to the nature of open source software as opposed to (as is more often the case) poor operational and security practices. (A good example of this could be seen with 2014’s Heartbleed bug.)
In reality, open source presents no more of a security risk than a closed solution. On the contrary, the so-called ‘thousand eyes’ argument maintains that, with so many individuals working with the source code of these projects, potential vulnerabilities and design flaws are uncovered and resolved much faster than with programs built on the proprietary code. As noted in a recent article published by Gadgette.com,
“while it’s true that open source means anyone can look at the code, that also means that you’re getting a lot more eyes and expertise than private source code ever will. The benefit of this is that everyone using your code is invested in ensuring it’s safe and secure”.
In a previous blog post we discussed how achieving a secure open source infrastructure and application environment requires much the same approach as with commercial software. The same principles apply, with only the implementation details differing. The most prominent difference is the transparency that exists with open source software.