I think that both open source and commercial, proprietary software have security issues and challenges; I am not sure one can be considered more secure than the other. In many cases, security issues in open source software are identified and patched faster than in proprietary software (compare the response of the open source database development teams with Oracle's, for example). But generally speaking, the same rules apply to both open source and commercial software:
- Monitor bug and security announcements for your applications and other software to identify vulnerabilities and bugs that may be applicable to you.
- Patch, upgrade and update your software regularly.
- Ensure you implement and install your applications and other software in a secure manner.
- Monitor your environment and applications for issues - both functional and security related.
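The first two rules above only work if you can quickly tell which published advisories actually apply to the versions you run. The following is an added example (not code from the original column) of that matching step: a software inventory is compared against a feed of advisories, each giving the version range that is affected and the version that fixes it. The product names, version numbers and advisory identifiers are all constructed for illustration and are not real products or advisories.

```python
"""Match an installed-software inventory against a list of security advisories.

Added example: inventory, advisories and identifiers are constructed, not real.
Versions are assumed to be dotted integers (e.g. "2.1.3"); anything else would
need a proper version parser.
"""

# Constructed inventory: product name -> installed version (hypothetical names).
INVENTORY = {
    "webdb": "2.1.3",
    "httpfront": "1.9.0",
    "imgtool": "0.8.2",
}

# Constructed advisories. Each affects versions in the half-open range
# [introduced, fixed); "fixed" is None when no corrected release exists yet,
# which is exactly the unsupported-software situation described below.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "product": "webdb", "introduced": "2.0.0", "fixed": "2.1.4"},
    {"id": "ADV-EXAMPLE-002", "product": "httpfront", "introduced": "1.0.0", "fixed": "1.8.5"},
    {"id": "ADV-EXAMPLE-003", "product": "imgtool", "introduced": "0.8.0", "fixed": None},
    {"id": "ADV-EXAMPLE-004", "product": "mailrelay", "introduced": "3.0.0", "fixed": "3.0.2"},
]


def parse_version(version):
    """Turn "2.1.3" into (2, 1, 3) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def is_vulnerable(installed, introduced, fixed):
    """True if installed lies in [introduced, fixed). A missing fix means still affected."""
    installed_v = parse_version(installed)
    if installed_v < parse_version(introduced):
        return False
    if fixed is None:
        return True
    return installed_v < parse_version(fixed)


def applicable_advisories(inventory, advisories):
    """Return (advisory id, product, installed version, action) for every advisory
    that affects something actually installed; products not in the inventory are skipped."""
    hits = []
    for adv in advisories:
        installed = inventory.get(adv["product"])
        if installed is None:
            continue  # not installed here, so the advisory does not apply to us
        if is_vulnerable(installed, adv["introduced"], adv["fixed"]):
            action = f"upgrade to {adv['fixed']}" if adv["fixed"] else "no fix available"
            hits.append((adv["id"], adv["product"], installed, action))
    return hits


if __name__ == "__main__":
    for advisory_id, product, installed, action in applicable_advisories(INVENTORY, ADVISORIES):
        print(f"{advisory_id}: {product} {installed} is affected; {action}")
```

Run as written, the script reports two applicable advisories: the installed webdb is inside the affected range and has a fix to upgrade to, while imgtool is affected with no fix available. The httpfront entry is ignored because the installed version is already at or past the fixed release, and mailrelay is ignored because it is not installed at all. In practice the inventory would come from your package manager or configuration management system, and the advisory list from the vendor or project feeds you monitor; the "no fix available" case is what you must plan for when relying on software with few maintainers.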
There are two additional issues that are more open source-specific that you might also want to consider:
- Ensure that if you choose open source software that is supported or developed by a limited number of individuals, you have an exit plan. If the developer stops supporting or developing your chosen application, you must be prepared to support the application yourself or migrate to another application. Remember that if you do run an unsupported application, the chances of an undiscovered or uncorrected security vulnerability are obviously increased.
- Accept that if you do discover a security or functionality bug in your application or software, the developers are under no obligation to fix it. Indeed, unlike software with a maintenance contract, they are under no obligation even to acknowledge that there is an issue. Some open source developers are notorious for being reluctant to accept that there are issues with their software.
This was first published in November 2005