Nothing to hide: why we view open-source as a value-driven solution
Senior Backend Engineer
The decision to use open-source can be dictated by many factors, but for PRISMA the fundamental purpose is to give back to the wider gas community. In this blog post, Jörg Adler, Senior Backend Engineer at PRISMA, explains why we see this approach as central to our core values as an organisation - and dispels some myths along the way, too.
Whether it’s checking your hair in the mirror before a Zoom call or cleaning your home before visitors arrive, most of us are familiar with the human tendency to take more care of things when we know others are watching.
But what has this got to do with open-source software?
First let’s talk quality. One of the main benefits of OSS is that the transparency it creates tends to improve the quality of the code within it. The truism that underpins this is the same as the one behind the everyday scenarios above – namely, that most of us raise our standards when there are prying eyes around.
The reason this is important to acknowledge is that there remains a common misconception that the perceived security risks of OSS outstrip the benefits. This was brought to light during the recent PRISMA On Air virtual event, when during a Q&A session a user questioned whether it was dangerous to have our crypto-shredding solution as open-source.
At PRISMA, crypto-shredding is one of the many technical frameworks that we’ve built as open-source. Since the advent of GDPR, which gives data subjects the legal right to have their personal data deleted, crypto-shredding has become particularly important as we’ve navigated the often conflicting demands of data protection and the intrinsically immutable nature of our audit logs. The technique resolves that conflict by encrypting each person’s data under a key specific to that person and storing only the ciphertext in the log; an erasure request is honoured by deleting that key, which leaves the log entries untouched but renders the personal data in them permanently unreadable.
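To make the mechanism concrete, here is an added example of crypto-shredding over an append-only, hash-chained audit log. It is illustrative code written for this post, not PRISMA’s crypto-shredding library, and it makes some assumptions: subject ids, actions and e-mail addresses are constructed sample data; the cipher is an HMAC-SHA256 counter-mode keystream with a separate MAC key, used only so the example runs on the Python standard library (a production system would use a real AEAD such as AES-GCM and keep the per-subject keys in a KMS or HSM); and the `KeyStore`, `append_event`, `read_event` and `verify_chain` names are my own. The point to watch is the last few lines of `demo()`: after the key for `user-42` is shredded, the entries stay in the log and the hash chain still verifies, but the personal data in them can no longer be recovered.

```python
"""Crypto-shredding over an append-only audit log (added example, not PRISMA's code)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class AuditEvent:
    seq: int
    subject_id: str       # stable pseudonymous id, kept in clear
    action: str           # non-personal event data, kept in clear
    nonce: bytes
    ciphertext: bytes     # personal data, encrypted under the subject's key
    tag: bytes            # MAC over nonce + ciphertext
    prev_hash: bytes      # hash of the previous event: tamper evidence


class KeyStore:
    """Per-subject keys (hypothetical; a real system would use a KMS/HSM).
    Deleting a key is the shred: no log entry is touched."""

    def __init__(self):
        self._keys = {}

    def key_for(self, subject_id):
        return self._keys.setdefault(subject_id, secrets.token_bytes(32))

    def get(self, subject_id):
        return self._keys.get(subject_id)

    def shred(self, subject_id):
        self._keys.pop(subject_id, None)


def _subkey(key, label):
    # Derive separate encryption and MAC keys from the subject key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key, nonce, length):
    # Counter-mode keystream from HMAC-SHA256; stand-in for a real AEAD.
    blocks = [hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def encrypt(key, nonce, plaintext):
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return ct, tag


def decrypt(key, nonce, ct, tag):
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def _event_hash(ev):
    h = hashlib.sha256()
    for part in (str(ev.seq).encode(), ev.subject_id.encode(), ev.action.encode(),
                 ev.nonce, ev.ciphertext, ev.tag, ev.prev_hash):
        h.update(len(part).to_bytes(4, "big") + part)   # length-prefixed fields
    return h.digest()


def append_event(log, keystore, subject_id, action, personal_data):
    """Append one event; only the personal data is encrypted."""
    nonce = secrets.token_bytes(16)
    ct, tag = encrypt(keystore.key_for(subject_id), nonce, personal_data.encode())
    prev = _event_hash(log[-1]) if log else b"\0" * 32
    ev = AuditEvent(len(log), subject_id, action, nonce, ct, tag, prev)
    log.append(ev)
    return ev.seq


def read_event(log, keystore, seq):
    """Return the event; personal_data is None once the subject's key is gone."""
    ev = log[seq]
    key = keystore.get(ev.subject_id)
    personal = decrypt(key, ev.nonce, ev.ciphertext, ev.tag).decode() if key else None
    return {"seq": ev.seq, "subject_id": ev.subject_id, "action": ev.action,
            "personal_data": personal}


def verify_chain(log):
    """True if every event links to the hash of its predecessor."""
    prev = b"\0" * 32
    for ev in log:
        if ev.prev_hash != prev:
            return False
        prev = _event_hash(ev)
    return True


def demo():
    log, keystore = [], KeyStore()
    # Constructed sample events; the e-mail addresses stand in for personal data.
    append_event(log, keystore, "user-42", "login", "alice@example.com")
    append_event(log, keystore, "user-42", "nomination_submitted", "alice@example.com")
    append_event(log, keystore, "user-7", "login", "bob@example.com")
    before = read_event(log, keystore, 0)["personal_data"]
    keystore.shred("user-42")          # the GDPR erasure: delete the key, not the log
    after = [read_event(log, keystore, i)["personal_data"] for i in range(len(log))]
    return before, after, verify_chain(log), len(log)


if __name__ == "__main__":
    print(demo())
```

Two design choices matter here. Everything that must stay auditable (sequence number, pseudonymous subject id, action) is kept in clear and is covered by the hash chain, so shredding never changes a byte of the log and the chain remains verifiable. And the ciphertext is authenticated before decryption, so a corrupted or tampered entry fails loudly instead of decrypting to garbage.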
However, I strongly believe that not only do the advantages of OSS significantly outweigh any downsides, but that on closer reflection those perceived downsides are not actually downsides at all.
But before that, let’s delve a little deeper into what I see as the key benefits of OSS:
As touched upon above, the sense of pride that incentivises many of us to tidy up for visitors or preen ourselves ahead of a video conference call also applies to software developers when charged with writing code. If they know their code is going to be visible to outsiders, human nature dictates that they’re likely to go the extra mile when it comes to ensuring its quality. In short, the temptation to cut corners is reduced when your work is going to be judged and scrutinised by others, especially when they’re likely to have a keen sense of what makes good or bad ‘work’.
Giving something back
From the language we use to the operating system we run on, PRISMA relies heavily on OSS that has been developed by others. So when we produce internal software that might be useful to the wider community, we feel a sense of duty to make it available to them. Simply put, if we have a piece of software that isn’t directly related to our core business, if it’s possible to make it open-source, we’ll do so.
What’s more, outsiders using our OSS will often use it in ways the original author never had in mind. As a result, they’re more likely to track down bugs, find edge cases, request new features, review changes, ask questions, improve documentation, and even contribute their own code to the project – all of which serves to improve the quality of the software to the benefit of everyone.
We see OSS as an important part of what makes PRISMA an attractive organisation and one that’s viewed as a positive force within the industry. By using OSS to create visibility around what we do and how we do it, we enhance transparency – one of our cornerstone values – helping to boost PRISMA’s brand identity and in turn the ability of others within the community to get a sense of how we work, perhaps even acting as an incentive to join our organisation.
The principle of fairness
Most people familiar with PRISMA will be aware that one of our guiding principles is fairness: helping to create a level playing field in which all of our industry counterparts operate in a fair and transparent marketplace, with equal opportunity to flourish. We believe that the decision to openly publish reusable parts of our software is a logical consequence of this principle, giving others in the community the chance to benefit from our work.
So now that we’ve covered the main advantages of OSS, let’s tackle the persistent question of security.
There’s a phrase that sums up the thinking that drives many of the concerns around OSS and security, and it is “security by obscurity”.
In other words, many people are of the belief that the best way to protect something is to conceal it from view. But when it comes to OSS at least, the contrary is actually true. Here’s why:
The logical fallacy so often at play here is that bad actors will be deterred from trying to access your systems if those systems are hidden away. In fact, the cold, harsh reality is that if you have something worth hacking, the motivation for bad actors to do everything they can to seek out your vulnerabilities is greatly enhanced. Cryptography has long recognised this in Kerckhoffs’s principle: a system should remain secure even when everything about it except the key is public. Secrecy of the design buys nothing once it leaks, and designs do leak.
Given this stark truth, rather than hiding your code and hoping for the best, a far more rational and effective response is to focus on reducing your vulnerabilities. And how best to do that? Through OSS.
How can OSS increase security?
In a nutshell, making software available to everyone makes it possible for everyone to scrutinise that software. Of course, this includes bad actors, but it also includes the overwhelming majority of good actors who share a common interest in optimising your software’s quality and security.
Making your software accessible to the public allows anyone that might want to use the code to also challenge it. People from different backgrounds and areas of expertise will bring their own perspectives to the table, augmenting your knowledge pool and helping you to keep tweaking and fine tuning the software as time passes.
Now, it hopefully goes without saying that not everything should be open-source. Secrets are the obvious exception: passwords, private keys and API tokens belong in configuration or a secrets store, never in the repository, whether it is public or not. And, as touched on already, any software that is central to your business and would cost your company economically if it were adopted by others should also be kept closed.
But as a general rule, our firm belief at PRISMA is that to keep our digital assets and data secure, while creating a fair, prosperous and harmonious environment for the entire gas community, open-source software – whether for crypto-shredding or anything else – is by far and away the best solution.