Is Closed-Source Software Really More Secure?

Jeff Tao

When I heard about the backdoor in xz Utils that was recently made public, I was struck not only by how serious the issue could have been, but also by how quickly it was resolved. A nefarious plot at least a year in the making had been uncovered almost as soon as it was released, with only a few distributions, none typically used in production environments at enterprises, even shipping the affected version. For me, being an open-source entrepreneur and developer, this episode only strengthens my belief that in our community, vulnerabilities are indeed shallow.

But the same cannot be said for many of my customers. While open source is now widely accepted in the tech world, the traditional industries that my company TDengine serves are not all on board just yet. Although this backdoor does not appear to have caused harm to actual systems, it has at least temporarily affected the perceived security of open-source software, and some of the old talking points and misconceptions have already begun to resurface.

A Question of Trust

With the issue fresh in people’s minds, early last week I started receiving calls from users and fielding concerns from potential customers about the security of open-source software: “Since everyone can see the code, doesn’t that mean they can hack it whenever they like? Aren’t you just giving bad actors the tools they need to attack our systems and steal our data?”

Those of us who have been in the open-source community for some time are certainly familiar with this narrative, which proprietary software vendors pushed hard in the 1990s and 2000s, before they realized that they could make money from open source. For customers in industries like manufacturing and energy whose enterprise software has always been closed source, the idea of security through obscurity really seems reasonable.

Moreover, these industries are core components of our nation’s infrastructure and economy, and as such are huge targets for “hackers.” System stability and information security are of the utmost importance not only to enterprises, but also to ordinary people who use their services or buy their products. It’s only natural that customers in these industries are extremely security-sensitive and wary of deploying any software system that they don’t trust 100%.

Open Discussion, Open Resolution

What I remind my customers is that proprietary software is just as likely to have security vulnerabilities as open-source software — but you are less likely to hear about it. Do you really believe that your vendors will notify you every time they identify security issues in their code? In most cases, unless there is a legal requirement for disclosure, they keep their issues under wraps, and you may never know whether you were at risk. This presents an even greater danger, as you cannot mitigate threats when you are not aware of them.

When software development is open, on the other hand, a multitude of eyeballs can potentially review every line of code. Open-source projects like TDengine do not hide behind the veil of proprietary licensing, but invite all developers to search for vulnerabilities. In this development model, customers can rest assured that security issues will be promptly and publicly identified and resolved, and that they can take appropriate action to mitigate or remediate threats before it’s too late.

The truth is that closed-source software can still be exploited by bad actors — Microsoft is certainly no stranger to vulnerabilities, for example, despite most of their products being proprietary. No one believes that locks are unpickable and safes are uncrackable because the manufacturers don’t publish schematics; why should software be any different? In fact, software vendors that don’t release their source code are not keeping the bad guys out; they’re only preventing the good guys from helping.

For industrial enterprises, the myth that closed-source software is more secure needs to end. These companies often do not have the luxury of large IT departments and rely on vendors to ensure the security of their products. By moving to open source, they stand to gain at no cost an entire community of experts to keep their vendors honest and their systems secure.

Jeff Tao

With over three decades of hands-on experience in software development, Jeff has had the privilege of spearheading numerous ventures and initiatives in the tech realm. His passion for open source, technology, and innovation has been the driving force behind his journey.

As one of the core developers of TDengine, he is deeply committed to pushing the boundaries of time series data platforms. His mission is crystal clear: to architect a high performance, scalable solution in this space and make it accessible, valuable and affordable for everyone, from individual developers and startups to industry giants.