A simple question: Open Source vs Closed Source; which is more of a threat to IoT?
In the vast realm of the software development world there are always so many topics of debate: Internet Explorer versus Firefox/Chrome, tabs versus spaces, vi versus emacs, and the good old open versus closed source debate. In reality, all of these debates are a matter of personal preference, with very little justification as to why one is better than the other - unless you are prepared to get into a debate similar to religion and politics.
Commercialism also helps the debate, especially when you have something to sell.
Mocana, creators of the NanoSSL library, took the time and effort to write an easy-to-read and accurate whitepaper focusing on how OpenSSL may not be viable for securing IoT devices. Ignoring the obvious sales pitch within, it is definitely worth a read.
The whitepaper does raise a number of accurate and valid points regarding how massive and complex the OpenSSL code base is, through to the lack of coding guidelines, lack of focus and haphazard documentation. But is this a true representation of all open source projects, and should you avoid them at all costs?
Absolutely not - just be smart about how you integrate them into your project.
Open source projects are generally accompanied by a license that is chosen by the author and defines what obligations you, as a developer, have if you choose to integrate the open source code into your project. A comparison of various open source licenses exists and is definitely worth going over if open source is of interest to you. Of course, "developer friendly" licenses do exist, such as the popular Apache and MIT licenses.
Security by obscurity is a definite no-no - don't even go there.
Open source libraries are favourable to a number of developers because the code is visible, which helps build trust amongst developers. Not to mention that, as a developer, you can extract the bits and pieces you need and re-factor them to fit your own projects.
Another important factor is time-to-market; as a developer, you may not have the luxury of being able to build everything from scratch, so open source libraries are very attractive, as someone else may have done 90% of what you need.
Closed source projects may be less prone to attack, as their inner workings are not publicly documented - but that doesn't make them immune, as they can still have bugs. However, if an exploit is found, closed source projects may never be notified or even have a chance to get it addressed.
In any event, most bugs or exploits are typically the result of bad design or sloppy programming. A good development team will perform strict code reviews to scrutinize new code and catch potential issues. It is amazing how many problems a lot of eyes on a project can help find, and open source allows this to be done together as a community.
Don't become a victim of the open vs closed source debate; everything has its place. Just be aware of the risks regardless of which path you follow, and re-factor things when needed so that your project is not only delivered, but is also secure and maintainable.
Regardless of whether your IoT project uses open or closed source libraries, there is definitely one thing everyone can agree on when it comes to IoT security: you must be able to update your projects in a timely manner when a bug or exploit is detected and fixed.