{"id":466,"date":"2012-04-20T11:22:42","date_gmt":"2012-04-20T11:22:42","guid":{"rendered":"http:\/\/blog.efrontlearning.net\/?p=466"},"modified":"2012-04-20T11:25:05","modified_gmt":"2012-04-20T11:25:05","slug":"open-source-and-the-security-through-obscurity-fallacy","status":"publish","type":"post","link":"https:\/\/www.efrontlearning.com\/blog\/2012\/04\/open-source-and-the-security-through-obscurity-fallacy.html","title":{"rendered":"Open-source and the \u201csecurity through obscurity\u201d fallacy"},"content":{"rendered":"<div class=\"wp-block-classic-wrap\"><a href=\"http:\/\/blog.efrontlearning.net\/wp-content\/uploads\/2012\/04\/Security-sml1.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignleft size-thumbnail wp-image-477\" title=\"Lock background\" src=\"http:\/\/blog.efrontlearning.net\/wp-content\/uploads\/2012\/04\/Security-sml1-150x150.jpg\" alt=\"\" width=\"150\" height=\"150\" \/><\/a><p>The security of open source software is a key concern for organizations planning to implement it as part of their software stack, particularly if it will play a major role. Currently, there is an ongoing debate on whether open source software increases software security or is detrimental to its security. There are a variety of benefits and drawbacks on both sides of the argument.<\/p>\n<p>The main concern is that because free and open source software (FOSS) is built by communities of developers with the source code publicly available, access is also open to hackers and malicious users. As a result, the assumption can arise that FOSS is less secure than proprietary applications. This assumption has a name \u2013 it is called \u201c<em>Security through obscurity<\/em>\u201d \u2013 an attempt to use secrecy of design or implementation to provide security. 
Unfortunately, <em>security through obscurity<\/em> can give you a false sense of security and ultimately lead to an insecure system.<!--more--><\/p>\n<p><em>Security through obscurity<\/em> has never achieved engineering acceptance as a good way to secure a system. The United States National Institute of Standards and Technology (NIST) specifically recommends against using closed source as a way to secure software (i.e. \u201csecurity through obscurity\u201d), stating that \u201c<em>system security should not depend on the secrecy of the implementation or its components<\/em>\u201d <a title=\"\" href=\"#_ftn1\">[1]<\/a>.<\/p>\n<p>Too often people assume that <em>secrecy<\/em> equals <em>security<\/em> <a title=\"\" href=\"#_ftn2\">[2]<\/a>. Nothing could be further from the truth. Today\u2019s strong cryptography is based on the assumption that an \u201cadversary\u201d will know both that something is encrypted and what the encryption scheme is. The notion that hiding the means of encryption will somehow make the data in question more secure has been obsolete since World War II. Strong crypto assumes, rather, that the data in question will remain encrypted and secure even though the encryption algorithm is a matter of public knowledge.<\/p>\n<p>Open source software is based on a similar notion of security. Hiding source code is a poor basis for security, because even a powerful and highly proprietary company can\u2019t guarantee that its source code won\u2019t leak out. Instead, security should be based on the worst-case scenario: assume your \u201cadversary\u201d has access to the source code, and deal with it.<\/p>\n<p>For example, the \u201c<em>Security by design<\/em>\u201d <a title=\"\" href=\"#_ftn3\">[3]<\/a> principle advocates that software should be designed from the ground up to be secure. 
Malicious use is assumed from the outset, and care is taken to minimize the impact when a security vulnerability is discovered or invalid user input is received. In other words, good engineering practice is what makes a system secure, not whether or not the source code is open.<\/p>\n<hr align=\"left\" size=\"1\" width=\"33%\" \/>\n<div>\n<div>\n<p><a title=\"\" href=\"#_ftnref1\">[1]<\/a> http:\/\/csrc.nist.gov\/publications\/nistpubs\/800-123\/SP800-123.pdf<\/p>\n<\/div>\n<div>\n<p><a title=\"\" href=\"#_ftnref2\">[2]<\/a> http:\/\/onlamp.com\/pub\/wlg\/4436<\/p>\n<\/div>\n<div>\n<p><a title=\"\" href=\"#_ftnref3\">[3]<\/a> http:\/\/en.wikipedia.org\/wiki\/Security_by_design<\/p>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>The security of open source software is a key concern for organizations planning to implement it as part of their software stack, particularly if it will play a major role. Currently, there is an ongoing debate on whether open source software increases software security or is detrimental to its security. 
There are a variety of [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[59],"tags":[44],"class_list":["post-466","post","type-post","status-publish","format-standard","hentry","category-elearning","tag-lms"],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v22.2 (Yoast SEO v26.9) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>Open-source and the \u201csecurity through obscurity\u201d fallacy - eFront Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.efrontlearning.com\/blog\/2012\/04\/open-source-and-the-security-through-obscurity-fallacy.html\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Open-source and the \u201csecurity through obscurity\u201d fallacy\" \/>\n<meta property=\"og:description\" content=\"The security of open source software is a key concern for organizations planning to implement it as part of their software stack, particularly if it will play a major role. Currently, there is an ongoing debate on whether open source software increases software security or is detrimental to its security. 
There are a variety of [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.efrontlearning.com\/blog\/2012\/04\/open-source-and-the-security-through-obscurity-fallacy.html\" \/>\n<meta property=\"og:site_name\" content=\"eFront Blog\" \/>\n<meta property=\"article:published_time\" content=\"2012-04-20T11:22:42+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2012-04-20T11:25:05+00:00\" \/>\n<meta property=\"og:image\" content=\"http:\/\/blog.efrontlearning.net\/wp-content\/uploads\/2012\/04\/Security-sml1-150x150.jpg\" \/>\n<meta name=\"author\" content=\"Athanasios Papagelis\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Athanasios Papagelis\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.efrontlearning.com\/blog\/2012\/04\/open-source-and-the-security-through-obscurity-fallacy.html#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.efrontlearning.com\/blog\/2012\/04\/open-source-and-the-security-through-obscurity-fallacy.html\"},\"author\":{\"name\":\"Athanasios Papagelis\",\"@id\":\"https:\/\/www.efrontlearning.com\/blog\/#\/schema\/person\/ecfb4e4ec6c24004c3dd5aca55bf8965\"},\"headline\":\"Open-source and the \u201csecurity through obscurity\u201d 
fallacy\",\"datePublished\":\"2012-04-20T11:22:42+00:00\",\"dateModified\":\"2012-04-20T11:25:05+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.efrontlearning.com\/blog\/2012\/04\/open-source-and-the-security-through-obscurity-fallacy.html\"},\"wordCount\":474,\"commentCount\":2,\"image\":{\"@id\":\"https:\/\/www.efrontlearning.com\/blog\/2012\/04\/open-source-and-the-security-through-obscurity-fallacy.html#primaryimage\"},\"thumbnailUrl\":\"http:\/\/blog.efrontlearning.net\/wp-content\/uploads\/2012\/04\/Security-sml1-150x150.jpg\",\"keywords\":[\"LMS\"],\"articleSection\":[\"eLearning\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.efrontlearning.com\/blog\/2012\/04\/open-source-and-the-security-through-obscurity-fallacy.html#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.efrontlearning.com\/blog\/2012\/04\/open-source-and-the-security-through-obscurity-fallacy.html\",\"url\":\"https:\/\/www.efrontlearning.com\/blog\/2012\/04\/open-source-and-the-security-through-obscurity-fallacy.html\",\"name\":\"Open-source and the \u201csecurity through obscurity\u201d fallacy - eFront 
Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.efrontlearning.com\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.efrontlearning.com\/blog\/2012\/04\/open-source-and-the-security-through-obscurity-fallacy.html#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.efrontlearning.com\/blog\/2012\/04\/open-source-and-the-security-through-obscurity-fallacy.html#primaryimage\"},\"thumbnailUrl\":\"http:\/\/blog.efrontlearning.net\/wp-content\/uploads\/2012\/04\/Security-sml1-150x150.jpg\",\"datePublished\":\"2012-04-20T11:22:42+00:00\",\"dateModified\":\"2012-04-20T11:25:05+00:00\",\"author\":{\"@id\":\"https:\/\/www.efrontlearning.com\/blog\/#\/schema\/person\/ecfb4e4ec6c24004c3dd5aca55bf8965\"},\"breadcrumb\":{\"@id\":\"https:\/\/www.efrontlearning.com\/blog\/2012\/04\/open-source-and-the-security-through-obscurity-fallacy.html#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.efrontlearning.com\/blog\/2012\/04\/open-source-and-the-security-through-obscurity-fallacy.html\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.efrontlearning.com\/blog\/2012\/04\/open-source-and-the-security-through-obscurity-fallacy.html#primaryimage\",\"url\":\"http:\/\/blog.efrontlearning.net\/wp-content\/uploads\/2012\/04\/Security-sml1-150x150.jpg\",\"contentUrl\":\"http:\/\/blog.efrontlearning.net\/wp-content\/uploads\/2012\/04\/Security-sml1-150x150.jpg\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.efrontlearning.com\/blog\/2012\/04\/open-source-and-the-security-through-obscurity-fallacy.html#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog\",\"item\":\"https:\/\/www.efrontlearning.com\/blog\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"eLearning\",\"item\":\"https:\/\/www.efrontlearning.com\/blog\/category\/elearning\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Open-source and the \u201csecurity through 
obscurity\u201d fallacy\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.efrontlearning.com\/blog\/#website\",\"url\":\"https:\/\/www.efrontlearning.com\/blog\/\",\"name\":\"eFront Blog\",\"description\":\"eLearning tips, news and resources\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.efrontlearning.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.efrontlearning.com\/blog\/#\/schema\/person\/ecfb4e4ec6c24004c3dd5aca55bf8965\",\"name\":\"Athanasios Papagelis\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.efrontlearning.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/86ee6b7fb7e6ddcf020458bdc1fd195c3a44ce3f6de7eff6ef6766f8b8731948?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/86ee6b7fb7e6ddcf020458bdc1fd195c3a44ce3f6de7eff6ef6766f8b8731948?s=96&d=mm&r=g\",\"caption\":\"Athanasios Papagelis\"},\"url\":\"https:\/\/www.efrontlearning.com\/blog\/author\/athanasios-papagelis\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. 
-->","yoast_head_json":{"title":"Open-source and the \u201csecurity through obscurity\u201d fallacy - eFront Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.efrontlearning.com\/blog\/2012\/04\/open-source-and-the-security-through-obscurity-fallacy.html","og_locale":"en_US","og_type":"article","og_title":"Open-source and the \u201csecurity through obscurity\u201d fallacy","og_description":"The security of open source software is a key concern for organizations planning to implement it as part of their software stack, particularly if it will play a major role. Currently, there is an ongoing debate on whether open source software increases software security or is detrimental to its security. There are a variety of [&hellip;]","og_url":"https:\/\/www.efrontlearning.com\/blog\/2012\/04\/open-source-and-the-security-through-obscurity-fallacy.html","og_site_name":"eFront Blog","article_published_time":"2012-04-20T11:22:42+00:00","article_modified_time":"2012-04-20T11:25:05+00:00","og_image":[{"url":"http:\/\/blog.efrontlearning.net\/wp-content\/uploads\/2012\/04\/Security-sml1-150x150.jpg","type":"","width":"","height":""}],"author":"Athanasios Papagelis","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Athanasios Papagelis","Est. 
reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.efrontlearning.com\/blog\/2012\/04\/open-source-and-the-security-through-obscurity-fallacy.html#article","isPartOf":{"@id":"https:\/\/www.efrontlearning.com\/blog\/2012\/04\/open-source-and-the-security-through-obscurity-fallacy.html"},"author":{"name":"Athanasios Papagelis","@id":"https:\/\/www.efrontlearning.com\/blog\/#\/schema\/person\/ecfb4e4ec6c24004c3dd5aca55bf8965"},"headline":"Open-source and the \u201csecurity through obscurity\u201d fallacy","datePublished":"2012-04-20T11:22:42+00:00","dateModified":"2012-04-20T11:25:05+00:00","mainEntityOfPage":{"@id":"https:\/\/www.efrontlearning.com\/blog\/2012\/04\/open-source-and-the-security-through-obscurity-fallacy.html"},"wordCount":474,"commentCount":2,"image":{"@id":"https:\/\/www.efrontlearning.com\/blog\/2012\/04\/open-source-and-the-security-through-obscurity-fallacy.html#primaryimage"},"thumbnailUrl":"http:\/\/blog.efrontlearning.net\/wp-content\/uploads\/2012\/04\/Security-sml1-150x150.jpg","keywords":["LMS"],"articleSection":["eLearning"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.efrontlearning.com\/blog\/2012\/04\/open-source-and-the-security-through-obscurity-fallacy.html#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.efrontlearning.com\/blog\/2012\/04\/open-source-and-the-security-through-obscurity-fallacy.html","url":"https:\/\/www.efrontlearning.com\/blog\/2012\/04\/open-source-and-the-security-through-obscurity-fallacy.html","name":"Open-source and the \u201csecurity through obscurity\u201d fallacy - eFront 
Blog","isPartOf":{"@id":"https:\/\/www.efrontlearning.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.efrontlearning.com\/blog\/2012\/04\/open-source-and-the-security-through-obscurity-fallacy.html#primaryimage"},"image":{"@id":"https:\/\/www.efrontlearning.com\/blog\/2012\/04\/open-source-and-the-security-through-obscurity-fallacy.html#primaryimage"},"thumbnailUrl":"http:\/\/blog.efrontlearning.net\/wp-content\/uploads\/2012\/04\/Security-sml1-150x150.jpg","datePublished":"2012-04-20T11:22:42+00:00","dateModified":"2012-04-20T11:25:05+00:00","author":{"@id":"https:\/\/www.efrontlearning.com\/blog\/#\/schema\/person\/ecfb4e4ec6c24004c3dd5aca55bf8965"},"breadcrumb":{"@id":"https:\/\/www.efrontlearning.com\/blog\/2012\/04\/open-source-and-the-security-through-obscurity-fallacy.html#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.efrontlearning.com\/blog\/2012\/04\/open-source-and-the-security-through-obscurity-fallacy.html"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.efrontlearning.com\/blog\/2012\/04\/open-source-and-the-security-through-obscurity-fallacy.html#primaryimage","url":"http:\/\/blog.efrontlearning.net\/wp-content\/uploads\/2012\/04\/Security-sml1-150x150.jpg","contentUrl":"http:\/\/blog.efrontlearning.net\/wp-content\/uploads\/2012\/04\/Security-sml1-150x150.jpg"},{"@type":"BreadcrumbList","@id":"https:\/\/www.efrontlearning.com\/blog\/2012\/04\/open-source-and-the-security-through-obscurity-fallacy.html#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Blog","item":"https:\/\/www.efrontlearning.com\/blog"},{"@type":"ListItem","position":2,"name":"eLearning","item":"https:\/\/www.efrontlearning.com\/blog\/category\/elearning"},{"@type":"ListItem","position":3,"name":"Open-source and the \u201csecurity through obscurity\u201d 
fallacy"}]},{"@type":"WebSite","@id":"https:\/\/www.efrontlearning.com\/blog\/#website","url":"https:\/\/www.efrontlearning.com\/blog\/","name":"eFront Blog","description":"eLearning tips, news and resources","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.efrontlearning.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.efrontlearning.com\/blog\/#\/schema\/person\/ecfb4e4ec6c24004c3dd5aca55bf8965","name":"Athanasios Papagelis","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.efrontlearning.com\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/86ee6b7fb7e6ddcf020458bdc1fd195c3a44ce3f6de7eff6ef6766f8b8731948?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/86ee6b7fb7e6ddcf020458bdc1fd195c3a44ce3f6de7eff6ef6766f8b8731948?s=96&d=mm&r=g","caption":"Athanasios 
Papagelis"},"url":"https:\/\/www.efrontlearning.com\/blog\/author\/athanasios-papagelis"}]}},"_links":{"self":[{"href":"https:\/\/www.efrontlearning.com\/blog\/wp-json\/wp\/v2\/posts\/466","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.efrontlearning.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.efrontlearning.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.efrontlearning.com\/blog\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.efrontlearning.com\/blog\/wp-json\/wp\/v2\/comments?post=466"}],"version-history":[{"count":11,"href":"https:\/\/www.efrontlearning.com\/blog\/wp-json\/wp\/v2\/posts\/466\/revisions"}],"predecessor-version":[{"id":479,"href":"https:\/\/www.efrontlearning.com\/blog\/wp-json\/wp\/v2\/posts\/466\/revisions\/479"}],"wp:attachment":[{"href":"https:\/\/www.efrontlearning.com\/blog\/wp-json\/wp\/v2\/media?parent=466"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.efrontlearning.com\/blog\/wp-json\/wp\/v2\/categories?post=466"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.efrontlearning.com\/blog\/wp-json\/wp\/v2\/tags?post=466"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}