Is commercial open source more secure than proprietary alternatives?
Is commercial open source more secure than proprietary alternatives?

A long-held myth is that open source is inherently risky due to the absence of vendor accountability. The general belief being that open source is synonymous with a motley crew of developers. A more generous perception is that the developer community can be trusted, but only to a point, and that open source is for the cost-conscious who are willing to trade security for economy. These are incorrect generalisations, if not stereotypes.

With a pure open source model, the community is accountable for security; whereas, in a proprietary model, the software vendor is responsible. A third model exists, commercial open source, which provides a risk-appropriate blend of incentive-based vendor accountability and community-driven code transparency. A recent study by the Ponemon Institute* asked IT and IT security practitioners their opinions on commercial open source, and its impact on the security and privacy of everyday business applications for collaboration like email and file sharing.   

Open source transparency provides a “trust but verify” method for validating software: are best practices for software development being followed, are patches effective, do hidden components or backdoors exist that make the software vulnerable? As a result, transparency improves code quality. And, since quality and security tend to improve in tandem, transparency also leads to better security.In fact, the Ponemon Institute survey found that 66 percent of respondents agree that commercial backing and code transparency reduce an application's privacy risks. The same is true for application security, with 67 percent of respondents in agreement.

The open source developer community also helps resolve issues quickly. For example, consider the Heartbleed vulnerability. Many open source vendors had their software patched within hours. Plus, you can see the actual fix for Heartbleed in OpenSSL's version control system. According to the Ponemon Institute survey, 76 percent of IT professionals agree that commercial backing and code transparency improve application integrity and trustworthiness.

In addition to the open source developer community, commercial open source software provides open APIs that support easy interoperability and integration. This allows third-party security products and protocols to seamlessly plug into the solution. Support for third-party antispam, antivirus and two-factor authentication is a feature that 68 percent of survey respondents desire in collaboration solutions like email, according to the Ponemon Institute. Surprisingly, IT professionals consider cost to be the least important factor. Instead, it is the leverage IT organisations get from open source security and flexibility that provides the most benefit.

In addition to perspectives on commercial open source, the Ponemon Institute surveyed IT professionals on specific software solutions such as email collaboration. Why? As the primary mode of business communication, email is both a critical business application and a potential risk to security and privacy. Collaboration solutions should tightly integrate file sharing with email messaging capabilities to allow for control over attachments, recipients and sharing. Tight integration was important or very important for messaging and collaboration solutions according to 61 percent of survey respondents.

In summary, IT professionals are gravitating to commercial open source for security and privacy now more so than ever. Gone are the days when cost considerations led the decision to move to open source; today, IT professionals value commercial open source for business continuity, quality and control. On the horizon, expect to see broader adoption of commercial open source. In fact, the most telling result of the Ponemon Institute survey may be the coming exodus from proprietary to commercial open source software, particularly when it comes to collaboration. 

Contributed by Olivier Thierry, CMO, Zimbra

Ponemon Institute and Zimbra. “The Open Source Collaboration Study: Viewpoints on Security & Privacy in the US and EMEA” November 2014.