Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Is open-source as secure as proprietary software?

Henry Coggill

on 8 February 2023

We’re surrounded by news of data breaches and companies being compromised, and the existential threat of ransomware hangs over just about every organisation that uses computers.

One of the consequences is that we are hassled by an ever-increasing number of software updates, from phones and computers to vacuum cleaners and cars; download this, restart that, install the updates. Most of these devices and tools run open-source components: in a 2022 open source security and risk analysis report, Synopsys found that out of 17 industry verticals, 93% of codebases included open-source software.

Are the security issues we are seeing related to the use of open-source software? Does proprietary software have any more inherent safety or security benefits?

The short answer is no. More and more security flaws are being found simply because there is more software being produced in the world than ever before, and more aspects of our lives are incorporating software features.

In fact, open-source software has been at the forefront of this technological transformation, giving anyone in the world the access and opportunity to develop functionality and products that would have been infeasible without free access to such resources.

Obscurity is not security

Programmers generally write their source code for two audiences. First, for the computers that are going to execute the code.  Second, for other programmers to update, adapt and maintain the code at a later date. It is this second aspect which gives open-source software its broad appeal: everyone is able to see the code, understand it, and use it safely in the knowledge that they understand it.

For the computers though, the code is compiled into a machine-readable form that the CPU can process and execute directly. This machine language is much harder for real people to understand: though it is still possible to look at what the program is doing, it is significantly more difficult and time-consuming to do so, which leads to a popular belief that this makes it more secure.

However, obscurity is not security, and there are plenty of motivated individuals who like nothing better than the challenge of disassembling a compiled program to study its inner workings. 

This topic is discussed in depth in episode 185 of the Ubuntu Security Podcast.

How do you consume open source securely?

Open-source software does have vulnerabilities, just the same as proprietary or closed-source software. Software vendors within both paradigms are equally beholden to keeping on top of the vulnerability reports, issue patches and fixes, and keeping their users safe. But there are some best practices you can apply to mitigate risks.

Synopsys discovered in their 2022 analysis that 85% of codebases contained open source that was more than four years out-of-date. Whether code is open or proprietary, the most crucial security measure is patching and updating that software, and the best way to do this is to consume the software from a trusted source which provides strong security maintenance commitments.

This enables you and your customers to remain safe from newly discovered threats. If and when vulnerabilities are discovered, you can rely on experts to fix them before attackers can exploit them.

Defence in depth

Another important aspect is to maintain defence in depth for your software platforms, so that if one particular component of the stack is vulnerable, an attacker can’t gain a foothold and spread their malfeasance any further. This can be achieved by hardening your systems, locking down the configuration options and removing unnecessary components that might aid a malicious actor.


All software systems have vulnerabilities and weaknesses, regardless of their development methodology, and the majority of cloud platforms rely on open-source security every day.

The biggest step to keep systems secure is to use software that is actively maintained and updated. The next step is to raise the bar for security by hardening your systems and preventing one small weakness turning into a full-blown nightmare.

Talk to us today

Interested in running Ubuntu in your organisation?

Newsletter signup

Select topics you're
interested in

In submitting this form, I confirm that I have read and agree to Canonical's Privacy Notice and Privacy Policy.

Related posts

Ubuntu 14.04 LTS has transitioned to ESM support

Extended Security Maintenance (ESM) is now available for Ubuntu 14.04 LTS to provide ongoing security patches for high and critical CVEs for UA Infrastructure...

ROS 2 Foxy and ROS Melodic EOL – Keep your robots up and running

ROS Melodic EOL is around the corner. With more than 1,004 repositories in rosdistro, Melodic is among the top 3 ROS distributions (with Indigo and Kinetic)....

Ubuntu 18.04 EOL – keep your fleet of devices up and running

Ubuntu 18.04 ‘Bionic Beaver’ is reaching End of Standard Support this May. If you don’t take action, you will transition to 18.04 EOL (End Of Life). This...