Here at BestVPN we are big fans of open source code. We love the (largely) non-commercial, community-oriented approach to software engineering it involves, where the results are available for others to use, abuse, build on, or take in any radical new direction desired, and which makes the open source community a hive of creativity and invention. Just as importantly, because the code is open to independent scrutiny and peer review, errors (both accidental and deliberately engineered) can be found and corrected by the rest of the community.
The biggest problem with open source code is the limited number of resources available to the open source community (most notably the limited number of qualified software engineers who have the time to work on such ‘pet’ projects). Robin Seggelmann, the German programmer who accidentally introduced the disastrous Heartbleed Bug into the open source OpenSSL code, cited this issue as a reason for the delay in discovering the ‘simple programming error’.
The Heartbleed Bug has become a focus of criticism of the open source method because of the length of time it took to discover it (one and a half years), but others have viewed the fact that it was discovered at all as a victory for open source, with Seggelmann himself saying that,
‘I don’t see it as a failure of open source. On the contrary, the publicly accessible code made it possible that the error has been discovered and published.’
The alternative to open source is proprietary code, and while it is true that commercial companies often have very large resources to throw at vetting their code, it is also the case that if mistakes are found then there is a great deal of commercial incentive not to make the discovery public. Even worse, respected companies such as RSA and Cisco have been found guilty of deliberately allowing the NSA to tamper with their products.
A new report from development testing service Coverity shows that, despite the lack of resources available to it, the open source community and its method work: in 2013, for the first time, open source code contained fewer errors than proprietary code.
Out of the 750 million lines of code it scanned during 2013, the errors in proprietary code exceeded those in open source code, with a ‘defect density measure’ of 0.59 defects per 1,000 lines of open source C/C++ code, compared to 0.72 for proprietary code (all code anonymously submitted).
Open source therefore works, and is not only the best defense we have against deliberately engineered backdoors and weaknesses, but also produces better, less error-prone code!