Is it easy to hack open source?
How easy is it to compromise the security of an OSS platform?
All programs can be hacked and all of them have bugs. However, one characteristic of OSS that is mentioned constantly is that, because the code is built by a large community of volunteers (in some cases), these security problems can be fixed quickly. This contrasts with programs that depend on the company to release a new update (for example, the operating system of Apple computers).
“Supporters of open-source argue that the accessibility of the code allows the good guys to find bugs faster, while critics argue that more attackers than defenders are poking through the code, so the net effect is worse security.” - MIT Technology Review
Can I use OSS to hack, or to protect myself from being hacked?
In the HackerOne community, altruistic “hackathons” are held with the shared mission of removing insecure sites from the Internet; they are run only for Open Source projects.
https://www.hackerone.com/product/community
But a commercial licence doesn’t guarantee security. Unlike proprietary software, open source projects are transparent about potential vulnerabilities. With paid software you simply have to trust the vendor. With an OSS you can also take part in code review and then either stick with the previous version, release your own patch, or even disable certain functionality under suspicion until further notice. - “3 Myths about Open Source Debunked” @ RubyGarage
Is open source software inherently more secure? Of course not. You need to look at the security and reputation of each piece of software on an individual basis.
To investigate the security of a product, you can always review its version history and look at previous security issues. Maybe you’ll even find an independent agency vouching for a product’s security, or certificates proving its reliability, or a respected colleague who can assure you that it's the best option on the market. - “3 Myths about Open Source Debunked” @ RubyGarage
DeepHack is an Open Source project that uses AI to exploit vulnerabilities in web applications.