
I am working on a website and would like to have it under revision control. I have used git for earlier projects before and I like it. This project though is a website written in Django. I am totally for open source, but I am wondering if it would be a bad idea to leave the source code for the website public, so that someone with bad intentions could search the repository for security holes?

Of course I am not going to upload stuff that should be kept secret: passwords, etc.

The site is going to be a webpage for a local sports club, so I guess that the security for the site doesn't have to be as high as for, for example, an online shop.

So my question is, is it a bad idea to have a public repository for a Django website, or is it acceptable if I don't add the sensitive information?

I took a look at the thread Open Source vs Closed Source Systems discussing the same topic, but it rather discusses open source vs. closed source from a security point of view in general. Interesting discussion, however not enough for me to make a decision. In the thread a few people point out that it matters what kind of project you are working on. Could you give me some recommendations for my project with the following specifications.

  • Small webpage for local sport club.
  • No on-site payments.
  • No sensitive information in general, except if someone would use the same user information as for another site.
  • One person developing (me), might be a few more.

What I have found out so far:

Pro open source

  • I am probably going to write better code if I know that it might be read by others.
  • If someone sees a bug they'll hopefully inform me.
  • Hackers know the common security holes anyway.
  • There is little or no interest (profit) in hacking my site.
  • Contributing to the open source community.

Pro closed source

  • Security through obscurity => another layer of security.
  • If I or someone else working on the site commits sensitive credentials by mistake.
  • Project is exposed because it will be directly accessible over the internet.
mseln
  • In case you are not aware of it, Bitbucket allows you to host private git repos for free. – Paul Feb 19 '15 at 17:12
  • In my opinion it depends whether the code would benefit others. If it's a personal project used by you only, I'm afraid open-sourcing it won't give it enough attention to be reviewed by others for security holes, so you gain nothing. On the other hand, a malicious party will have all the code right there to play with and eventually find a vulnerability. –  Feb 19 '15 at 17:30
  • What research have you done? We expect you to do a significant amount of research before asking. There's *lots* on this subject on Wikipedia (e.g., https://en.wikipedia.org/wiki/Security_through_obscurity and https://en.wikipedia.org/wiki/Open-source_software_security) and on this site (http://security.stackexchange.com/q/76033/971 and http://security.stackexchange.com/q/11271/971 and http://security.stackexchange.com/q/13235/971 and http://security.stackexchange.com/q/51648/971 and many more). – D.W. Feb 19 '15 at 20:04
  • @D.W. actually I have to disagree with you: http://security.stackexchange.com/questions/4441/open-source-vs-closed-source-systems does discuss a similar question, but does not answer what I am wondering. My question is more specific, around a small **website** project, and I was wondering if it would be a very bad idea to leave the source open for my project. – mseln Feb 19 '15 at 21:05
  • @mseln, The general reasoning explained in those answers applies to your situation as well. Your question doesn't make clear why you think they wouldn't apply to your particular situation. (cont.) – D.W. Feb 19 '15 at 22:29
  • That said, as the automated message says, "If those answers do not fully address your question, please ask a new question." If you have a specific question not covered by those resources, ask a new question, but I recommend that you show what research you have done, explain your understanding so far, frame a more specific question that doesn't overlap with what's already been covered in answers there, and explain how your new question is different from what has previously been asked. It's your job to make clear how your question is different and that you've done your research. – D.W. Feb 19 '15 at 22:30
  • @D.W. Thanks for the positive critique, I have edited the question and added that I was not satisfied with previous questions because my question is more specific. – mseln Feb 20 '15 at 08:48
  • Hint: Some companies pay you money if you find security vulnerabilities in their software. For Mozilla, this includes websites and services. Even *they* make their source code public on GitHub! See https://github.com/mozilla ;) – freddyb Feb 20 '15 at 10:33
  • Your updates don't show me why this should be reopened - it still is answered by the duplicate – Rory Alsop Feb 20 '15 at 12:12
  • @RoryAlsop I didn't find the thread that this thread is marked as a duplicate of. When I searched for existing information, I searched for 'website, public, safe', for example. I didn't think this subject was so discussed already. I would probably not be satisfied with the thread that this thread is marked as a duplicate of, but if you think it is a duplicate, I guess it is right and it can still be closed. I have gotten the answer to my question now; the rest I guess is only how you want to keep the site tidy. Either I can remove the question or you can leave it closed. – mseln Feb 22 '15 at 18:31

4 Answers

12

If your website is secure, even the source code wouldn't help an attacker in a perfect world. But we do not live in this world.

By making the source code public you are simultaneously holding yourself to a higher standard coding wise, and introducing more risk. Since you're giving away your code to anybody who asks, you'd better make it rock-solid. (In fact, you should be doing this anyway, but I'm sure you know that!)

Releasing your source will allow for good, helpful people to point out bad things, and it gives a motivation for you to write solid code at all times. I'd say it's a good idea. However, you should talk about the risk with the website owner. Private repos do exist on GitHub and you can stand up your own Git server/local Git repo for private version control.

Suggested Reading:

Ohnana
  • I am the owner of the website so I think I can convince myself. _If_ the website were hacked then I could bring it down for a few days; it wouldn't be any catastrophe. So you are saying that it may make the site even safer if I make the code public? I don't want to pay for a GitHub account and I think I am going to make it public then. What I basically wanted to know was if it is a big no-no to make the code open. Thanks for the links. – mseln Feb 19 '15 at 16:28
  • @mseln If you're concerned about paying for github's private repos, look at http://bitbucket.org. They have free private repos, which sounds like it might be what you're looking for. – Tango Bravo Feb 19 '15 at 17:33
7

Will it make your site less secure? Yes. By a factor of .000000000000001%, give or take a zero.

First, who wants to hack a sports club website for a few email addresses?

Second, who wants to go through all of your code to decipher any mistakes or vulnerabilities.

Third, there are tons of sites using open source code (WP) that is sifted through by millions. Hackers would have much more to gain going through 1 set of code for millions of victims vs. your 1 to 1 relationship.

Fourth, most of the time sites are attacked there is the use of a bot or software that scans through known attack methods. You having your code in the public domain means nothing to this.

So really the only issue you have is if you have a colleague, friend, frenemy, or just outright enemy who knows you wrote this website and is enough of a secret genius, with enough time, to parse through your code to find any openings. This is really, really far-fetched, but I guess it could happen.

blankip
  • I like this answer for the practical implications rather than the theory. – Arturo Torres Sánchez Feb 19 '15 at 20:04
  • @ArturoTorresSánchez - I think there is at least 1000 times more chance someone says, "Hey I like your site, can I use your code?" You say, "Sure." And then a couple of months later they say, "Hey I added a few things if you want to use them." This has been my experience with sharing code. I am sure back in the day I wrote some pretty insecure code... that was never hacked. – blankip Feb 19 '15 at 20:55
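The answer's fourth point, that most attacks are automated scans for known holes in other people's software, is easy to see in a web server log. What follows is an added example, not code from the answer or from anyone in this thread: a parser for the combined (nginx/Apache) access-log format, a few constructed log lines (documentation IP addresses, made-up paths and user agents), and a per-client classifier that counts hits on paths that only exist on WordPress, phpMyAdmin or an exposed `.git`/`.env`. A Django site serves none of those paths, so every such hit is a scanner, and nothing about the scanner's behaviour depends on whether the site's own repository is public. The probe list and the threshold of three hits are assumptions for the example.

```python
"""Added example (not from the answer above): spotting automated scanners in an
access log. Log lines and probe paths below are constructed for the example."""
import re
from collections import Counter, defaultdict

# Combined log format as written by nginx/Apache; referer and user agent optional.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Paths that exist only on other people's software (assumed list, compared lowercase).
# A Django site has none of them, so a request for one is a scanner, not a visitor.
PROBE_PATHS = (
    "/wp-login.php", "/wp-admin/", "/xmlrpc.php", "/phpmyadmin/", "/pma/",
    "/.env", "/.git/config", "/.git/head", "/config.php", "/vendor/phpunit/",
)


def parse_line(line):
    """One log line -> dict of fields, or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def is_probe(entry):
    path = entry["path"].split("?", 1)[0].lower()  # ignore query string and case
    return any(path.startswith(p) for p in PROBE_PATHS)


def summarize(lines):
    """Per-IP counts of probe hits and ordinary hits, plus the distinct probe paths seen."""
    probes, normal, paths = Counter(), Counter(), defaultdict(set)
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        if is_probe(entry):
            probes[entry["ip"]] += 1
            paths[entry["ip"]].add(entry["path"])
        else:
            normal[entry["ip"]] += 1
    return {ip: {"probes": probes[ip], "normal": normal[ip], "paths": sorted(paths[ip])}
            for ip in set(probes) | set(normal)}


def scanners(summary, min_probes=3):
    """IPs that hit at least min_probes probe paths; the threshold is an assumption."""
    return sorted(ip for ip, s in summary.items() if s["probes"] >= min_probes)


# Constructed sample log: one scanner, one real visitor, one single curl probe.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Feb/2015:16:02:11 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "Mozilla/5.0 (compatible; scanner)"
203.0.113.7 - - [19/Feb/2015:16:02:11 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 162 "-" "Mozilla/5.0 (compatible; scanner)"
203.0.113.7 - - [19/Feb/2015:16:02:12 +0000] "GET /.env HTTP/1.1" 404 162 "-" "Mozilla/5.0 (compatible; scanner)"
203.0.113.7 - - [19/Feb/2015:16:02:12 +0000] "GET /.git/config HTTP/1.1" 404 162 "-" "Mozilla/5.0 (compatible; scanner)"
198.51.100.4 - - [19/Feb/2015:16:05:40 +0000] "GET /fixtures/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/35.0"
198.51.100.4 - - [19/Feb/2015:16:05:41 +0000] "GET /static/css/club.css HTTP/1.1" 200 2210 "http://club.example/fixtures/" "Mozilla/5.0 (Windows NT 6.1) Firefox/35.0"
198.51.100.4 - - [19/Feb/2015:16:06:02 +0000] "POST /accounts/login/ HTTP/1.1" 302 0 "http://club.example/accounts/login/" "Mozilla/5.0 (Windows NT 6.1) Firefox/35.0"
192.0.2.9 - - [19/Feb/2015:16:09:15 +0000] "GET /.git/HEAD HTTP/1.1" 404 162 "-" "curl/7.38.0"
"""
```

Against a real log, `scanners(summarize(open("/var/log/nginx/access.log")))` gives the list of clients worth rate-limiting or blocking; the point for this thread is that the requests those clients send are identical for every site on the internet, public repository or not.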
4

The answer has conflicting opinions

Hiding the source code is called security through obscurity. It is generally recognized that security through obscurity is not a valid form of security. However, there is a contrasting ideal called "defense in depth." The idea there is that you never rely on just one layer of defense. If your source code is freely available, you are dependent on the security of just one layer: the security written into the source code.

The answer to your conundrum probably depends on a few factors:

  • Does the website manage money? If money is involved, there is a stronger incentive for someone to want to break the system. Defense in depth begins to look better, because anyone who would help you find bugs also has to decide if they'd rather make money instead.
  • How much do you expect people to assist in development? If nobody is helping you with making things more secure, the only people looking at the code have malicious intent. If you think this is something that could catch fire and take off under its own power, then it is more likely that white-hat hackers will find things and suggest fixes.
  • Does anyone know the website is using this source-package? Malicious individuals are more likely to need to travel from the website to the source-code, not the other way around. The easier it is to figure out which Git repo contains the source code for that website, the more of an advantage hackers have.
Cort Ammon
1

People with bad intentions are more than capable of finding security holes anyway. Open-sourcing the site likely won't lead to the third-party reviews that open source can sometimes lead to (for that to work, someone else needs to care enough to do them), but if security depends on keeping source code secret you don't have security. Just make sure to leave out passwords and the like.

cpast
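The question promises to keep passwords and other secrets out of the repository, and this answer ends with the same advice. As an added example, not code from the question or from any of the answers, here is one way to make that hold for a Django project: settings that take every secret from the environment and refuse to start on a missing or placeholder value, plus a small scanner that can be wired into a pre-commit hook to catch a literal credential before it reaches the public repository. The `DJANGO_*` variable names, the `sportsclub` database defaults, the placeholder list and the two sample settings files are assumptions made up for the example; the 50-character and 5-distinct-character bar on `SECRET_KEY` is the one Django's own `check` command (warning `security.W009`) applies.

```python
"""Added example, not code from the question or any answer: keeping secrets out
of a public Django repository. Part 1: settings read every secret from the
environment and refuse to start on a missing or placeholder value. Part 2: a
scanner for the "committed by mistake" case, for a pre-commit hook.
The DJANGO_* names and the sportsclub defaults are assumptions."""
import os
import re
import subprocess
from pathlib import Path

try:
    from django.core.exceptions import ImproperlyConfigured
except ImportError:  # Django not installed: same behaviour for the demo
    class ImproperlyConfigured(Exception): pass

PLACEHOLDERS = {"", "changeme", "change-me", "secret", "password", "xxx", "todo"}

def load_secret(name, env=None, min_length=16):
    """Read one secret from env; refuse to run with a missing or dummy value."""
    env = os.environ if env is None else env
    value = env.get(name)
    if value is None:
        raise ImproperlyConfigured(f"{name} is not set (export it; do not commit it)")
    if value.strip().lower() in PLACEHOLDERS or len(value) < min_length:
        raise ImproperlyConfigured(f"{name} is a placeholder or shorter than {min_length}")
    return value

def load_secret_key(env=None):
    """SECRET_KEY, held to the bar Django's own check (security.W009) applies."""
    key = load_secret("DJANGO_SECRET_KEY", env, min_length=50)
    if key.startswith("django-insecure-") or len(set(key)) < 5:
        raise ImproperlyConfigured("DJANGO_SECRET_KEY is the startproject default or too uniform")
    return key

def build_settings(env=None):
    """The secret-bearing part of settings.py, built from the environment only."""
    env = os.environ if env is None else env
    return {
        "DEBUG": env.get("DJANGO_DEBUG") == "1",  # off unless explicitly switched on
        "SECRET_KEY": load_secret_key(env),
        "ALLOWED_HOSTS": [h for h in env.get("DJANGO_ALLOWED_HOSTS", "").split(",") if h],
        "DATABASES": {"default": {
            "ENGINE": "django.db.backends.postgresql",
            "NAME": env.get("DJANGO_DB_NAME", "sportsclub"),
            "USER": env.get("DJANGO_DB_USER", "sportsclub"),
            "PASSWORD": load_secret("DJANGO_DB_PASSWORD", env),
            "HOST": env.get("DJANGO_DB_HOST", "localhost"),
        }},
    }

def weak_secrets(env):
    """Names of the required secrets that would make build_settings() refuse to start."""
    problems = []
    for name, loader in (("DJANGO_SECRET_KEY", load_secret_key),
                         ("DJANGO_DB_PASSWORD", lambda e: load_secret("DJANGO_DB_PASSWORD", e))):
        try:
            loader(env)
        except ImproperlyConfigured:
            problems.append(name)
    return problems

# Part 2: pre-commit scanner. Deliberately simple; a real hook would delegate to
# gitleaks or detect-secrets, but the shape of the check is the same.
SECRET_PATTERNS = [
    re.compile(r"""(?i)\b(SECRET_KEY|PASSWORD|PASSWD|API_KEY|TOKEN)['"]?\s*[=:]\s*['"][^'"]{8,}['"]"""),
    re.compile(r"-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----"),
]
READS_FROM_ENV = re.compile(r"os\.environ|getenv\(|load_secret")  # fetched at runtime, not a literal

def scan_text(text, filename="<stdin>"):
    """(filename, line number, line) for every line that looks like a literal credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if READS_FROM_ENV.search(line):
            continue
        if any(p.search(line) for p in SECRET_PATTERNS):
            findings.append((filename, lineno, line.strip()))
    return findings

def scan_staged_files():
    """Scan what `git commit` is about to record; the hook exits non-zero on any finding."""
    names = subprocess.run(["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
                           capture_output=True, text=True, check=True).stdout.split()
    return [f for n in names if Path(n).is_file()
            for f in scan_text(Path(n).read_text(errors="replace"), n)]

# Constructed samples: a settings file that must be rejected and one that is fine.
BAD_SETTINGS = '''
SECRET_KEY = "django-insecure-8s)x(k@$1u!vq%2m#z7w&h9e^r4t*y6p0o-lfjdg3bn5ca"
DATABASES = {"default": {"ENGINE": "django.db.backends.postgresql",
                         "PASSWORD": "clubhouse-2015-db"}}
'''
GOOD_SETTINGS = '''
SECRET_KEY = os.environ["DJANGO_SECRET_KEY"]
DATABASES = {"default": {"PASSWORD": os.environ["DJANGO_DB_PASSWORD"]}}
'''
```

In `settings.py` a single `globals().update(build_settings())` pulls the values in; the real values live in the deployment environment or in a `.env` file listed in `.gitignore`, never in the repository. The pre-commit hook just calls `scan_staged_files()` and exits 1 when the list is not empty, so the "committed by mistake" case in the question's list of concerns is caught before the push rather than after.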