Is open source technology a security liability?

Open source projects have powered our software for a long time, but could their open nature pose a risk to us?


The leakers were in fact enthusiasts who dug through the files of another of the company's projects and discovered that one of the patches contained the access key to Naughty Dog's AWS S3 server. Lo and behold, the server held the files of the current project.

While it may seem like an obvious mistake, this kind of leak is far more common than anyone would like to admit – some of the world's biggest hacks have been due to human error. In this case, there is a good chance that the developers were reusing the same practices from project to project, and since this had never caused a problem before, there was little reason for concern.
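An added example (my own, not code from the article or from Naughty Dog) of the kind of pre-commit check that would have caught the patch described above: it scans only the added lines of a constructed diff for the two halves of an AWS credential pair and reports them masked. The key values and the file path are made-up placeholders.

```python
import re

# Constructed sample patch standing in for the kind of file described in the
# article. The credential values are fake placeholders in the AWS key formats
# (access key ID: "AKIA" + 16 upper-case alphanumerics; secret: 40 chars of
# [A-Za-z0-9/+=]); they are not real keys.
SAMPLE_PATCH = """\
diff --git a/tools/upload.py b/tools/upload.py
--- a/tools/upload.py
+++ b/tools/upload.py
@@ -1,3 +1,6 @@
 import boto3
-s3 = boto3.client("s3")
+AWS_ACCESS_KEY_ID = "AKIAEXAMPLE0000000AB"
+AWS_SECRET_ACCESS_KEY = "ExampleSecretKeyExampleSecretKey12345678"
+s3 = boto3.client("s3", aws_access_key_id=AWS_ACCESS_KEY_ID,
+                  aws_secret_access_key=AWS_SECRET_ACCESS_KEY)
 s3.upload_file("build.zip", "release-bucket", "build.zip")
"""

# Patterns for the two halves of an AWS credential pair. The access key ID has
# a fixed, recognisable prefix; the secret has none, so it is only flagged when
# it is assigned next to a name containing "secret" (assumption: this context
# rule is our own heuristic, not an AWS specification).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r'(?i)secret[a-z_]*\s*[=:]\s*["\']([A-Za-z0-9/+=]{40})["\']'),
}

def mask(value):
    """Keep only the ends of a matched value so findings can be logged safely."""
    return value[:4] + "..." + value[-4:]

def scan_patch(patch_text):
    """Return (patch_line_no, kind, masked_value) for secrets on added lines.

    Removed and context lines are skipped: a key being deleted is not a new
    leak, and context lines were already in the repository before this patch.
    """
    findings = []
    for line_no, line in enumerate(patch_text.splitlines(), start=1):
        if not line.startswith("+") or line.startswith("+++"):
            continue
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(1) if match.groups() else match.group(0)
                findings.append((line_no, kind, mask(value)))
    return findings
```

Wired into a pre-commit or CI step, a non-empty result from `scan_patch` blocks the commit before the key ever reaches a shared repository.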

This is the kind of obvious oversight that is often caught by an active community. Having many people from different backgrounds review the same code increases the chances of someone finding a bug and offering a solution.

This is, in essence, the spirit of open source, the idea that no engineer can do a better job alone than thousands of people working together.

So what's the answer?

Yes, there are risks inherent in open source, but the same can be said of even the most jealously guarded projects. The positives of using open source solutions in your projects outweigh the negatives a thousandfold.

Open source can be a security risk if we implement it without forethought. A developer who uses libraries carelessly without reviewing their source code, or at least researching possible security risks, is asking for trouble.

As such, the best strategy for security by design is to hire developers who are concerned about security, lay the groundwork early in the project for building secure software, and have a very rigorous and thorough testing policy.

Open source technology can be a security risk if you don't understand the inherent risks and take precautions, just as riding a motorcycle can be extremely dangerous, especially if we disregard the recommendation to wear a helmet.

Source: BairesDev
