
Why (Not) Trust Open-Source Software With Your Data

Length: 5 min

Published: February 21, 2021


To trust or not to trust open-source software, that is the question. It is open source, so anyone can read the code and see where the data goes. Does that make OSS more trustworthy? It does, and at the same time it does not.

Why should you care about security?

If you have to ask, something went wrong while you were learning to build software. If you are a newcomer, let's talk about it.

You do not want your data to leak, and least of all your client's data. If someone with bad intentions reaches your code, you can lose the code, or worse, your credentials and your whole account.

When to be careful

Say you want to use an OSS tool that needs some of your credentials, for example an access token to your repository. A few signs tell you that handing over your token might not be the best idea.

Pay attention when:

  • The last commit is more than three months old. It suggests nobody cares about the project anymore. The problem need not be the project itself; it can be dependencies stuck on deprecated versions.
  • It is a brand-new repository with no history. Most likely nobody has reviewed it yet.
  • It has very few stars (for GitHub repositories). Stars do not have to reflect the quality of the code, but stay cautious.

Would you trust a tool just because it is open source? Probably not. Still, it is far more trustworthy than software you cannot inspect, but only if it is kept up to date and the developers work to reduce security risks. Nobody should lean on the idea that because a tool is open source someone surely checked it, so they do not have to.

When to relax

You really want to use the tool but have no time to review the code? Here are the signs that handing over your access token is reasonably safe.

The code is likely safe when:

  • The OSS is maintained. There are commits in the last three months, and no pull requests sit unanswered for more than three months.
  • It has many users. Watch the number of stars or downloads.
  • It comes from a well-known company. That does not make it the most secure app in the world, but such a company does not want to be discredited over weak security.
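The two checklists above can be turned into a repeatable check. The following is an added example, not code from the original post or from DX Scanner: it applies the post's signals (commit age, repository age, star count, unanswered pull requests) to repository metadata shaped like GitHub's REST API fields. The three-month limit is the post's; the cutoffs for "brand-new" and "very few stars", the field names and the sample repositories are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Thresholds: 90 days is the post's "three months"; the other two are assumed.
STALE_AFTER = timedelta(days=90)
NEW_REPO_AGE = timedelta(days=14)
FEW_STARS = 50


@dataclass
class RepoSignals:
    """Repository metadata; field names mirror GitHub's REST API (assumed)."""
    created_at: datetime
    pushed_at: datetime  # time of the most recent commit
    stargazers_count: int
    open_pr_updated_at: list[datetime] = field(default_factory=list)


def assess(repo: RepoSignals, now: datetime) -> tuple[str, list[str]]:
    """Apply the post's checklist; return a verdict and the signals that fired."""
    warnings = []
    if now - repo.pushed_at > STALE_AFTER:
        warnings.append("last commit older than three months")
    if now - repo.created_at < NEW_REPO_AGE:
        warnings.append("brand-new repository with little history")
    if repo.stargazers_count < FEW_STARS:
        warnings.append("very few stars")
    stale = [t for t in repo.open_pr_updated_at if now - t > STALE_AFTER]
    if stale:
        warnings.append(f"{len(stale)} open PR(s) unanswered for over three months")
    if warnings:
        return "review the code before handing over a token", warnings
    return "maintained and widely used; token risk is lower", warnings


def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed sample metadata, not real repositories; "now" is the post's date.
NOW = utc(2021, 2, 21)
MAINTAINED = RepoSignals(utc(2019, 1, 1), utc(2021, 2, 10), 1200, [utc(2021, 1, 15)])
ABANDONED = RepoSignals(utc(2020, 3, 1), utc(2020, 9, 1), 12, [utc(2020, 8, 20)])

if __name__ == "__main__":
    for name, repo in (("maintained", MAINTAINED), ("abandoned", ABANDONED)):
        verdict, fired = assess(repo, NOW)
        print(f"{name}: {verdict} {fired}")
```

In practice the metadata would come from the forge's API; a fired signal is a prompt to read the code, not a verdict on its quality.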

How to make your OSS more trustworthy

You have an OSS tool, but few stars, or it is brand new. You still want users to trust your code. The tool is well maintained and fairly large, yet you are not known in the community and the number of users is small. How do you earn that trust? We had to ask ourselves the same thing, because we build an OSS tool that fits this description exactly. Why should new users trust us? Or you, if you have the same problem?

Tell your users what the credentials are used for.

We have been developing DX Scanner for a while now, an open-source CLI tool that measures Developer Experience straight from your source code. We know our software is secure and collects no user data. But we completely forgot to tell our users that.

Write down what data you collect and what you send, if the user allows it.

Some of our colleagues who do not work on DX Scanner told us they trust its security simply because they know us. We took that seriously and realized we should write an article about how we do (not) collect data in our open-source tool.

Conclusion

If you are the user: an open-source tool is not automatically a secure tool. Always check any software that asks for your credentials.

If you are the developer: knowing that you build your software responsibly and securely does not mean your users know it. Give them a reason to trust you.

We wrote an article on how we do (not) collect data. Read it here.
