Are open source systems inherently more secure than proprietary library automation products? What are some of the issues that libraries need to consider when choosing systems related to security?
It is my experience that both open source and proprietary systems can be implemented at very high levels of security. Likewise, without careful attention to technical implementation issues, any type of software can become vulnerable.
Open source and proprietary software take philosophically different approaches to security. Since anyone can read the source code of an open source product, hostile programmers can scrutinize it for vulnerabilities that can be exploited. At the same time, the entire development and user community of an open source application can inspect that same code to detect and repair vulnerabilities, although that benefit is realized only if someone actually does the reviewing. The development community of an open source project therefore has to be diligent, attuned to security issues, and able to create and deploy security patches rapidly. Proprietary software places the responsibility for security on the organization that develops it. Since the source code is not available for public inspection, vulnerabilities may exist for long periods without being detected; keeping the code closed does not prevent an attacker from finding them, since binaries can be reverse engineered and running systems can be probed, it only narrows who is likely to look. When a security issue is discovered, the developers must act rapidly to create and deploy a fix before it can be exploited. In either case, the worst-case scenario is a “zero-day” vulnerability: one that is known to malicious agents and being exploited before the developers are aware of it or have a fix available. In the event of a zero-day attack, developers must work very rapidly to create and deploy a fix, and the affected organizations must assess and mitigate any exposure or damage to data that may have taken place during the interval when the vulnerability was being exploited.
Among organizations such as libraries that may lack adequate technical support, many systems run older versions of the software to which not all of the available security patches have been applied. Regardless of whether they use open source or proprietary software, libraries should strive to keep all of their systems updated with the latest versions, and knowing exactly which version each system runs is the first step. This practice not only offers more protection from known vulnerabilities, it also makes recently developed features and fixes to functionality available. Libraries are often slow to implement new versions of software in order to minimize disruption, deferring updates to periods of slower activity; a security patch deferred until the next quiet season leaves the window of exposure open for months. A regular practice of applying minor updates as they become available, with larger version upgrades scheduled separately, should result in more stable and secure systems to support the library's operations and services.
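As an added example that is not part of the original article, the following Python script performs the kind of version-currency audit the paragraph above recommends. It takes a constructed inventory of installed versions (hypothetical product names and release histories, not real products or real version data), compares each against its release list numerically rather than as strings, and reports whether a system is current, missing a patch release within its own branch (the minor updates that should be applied routinely), or fully patched on a branch that a newer feature release has superseded.

```python
import re
from typing import Dict, List, Tuple

# Constructed release histories for hypothetical products (illustrative only,
# not real products or real version numbers).
RELEASES: Dict[str, List[str]] = {
    "ils-alpha": ["21.05.3", "21.11.0", "21.11.4", "22.05.0", "22.05.1"],
    "discovery-beta": ["3.8.0", "3.9.0", "3.9.2", "3.10.0"],
    "opac-gamma": ["v1.9.5", "v1.10.0", "v1.10.2"],
}

# Constructed inventory: the version each system is actually running.
INVENTORY: Dict[str, str] = {
    "ils-alpha": "21.11.0",
    "discovery-beta": "3.10.0",
    "opac-gamma": "v1.9.5",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Convert 'v1.10.2' to (1, 10, 2) so versions compare numerically.

    Comparing the raw strings would rank '1.9.5' above '1.10.2' because
    '9' sorts after '1'; tuples of integers avoid that mistake.
    """
    parts = re.findall(r"\d+", version)
    if not parts:
        raise ValueError(f"no numeric components in version {version!r}")
    return tuple(int(p) for p in parts)


def classify(installed: str, releases: List[str]) -> str:
    """Return the patch status of one system.

    'current'            installed is the newest release of the product
    'patch-behind'       a newer release exists on the same major.minor branch
    'upgrade-available'  branch is fully patched, but a newer branch exists
    'unknown-version'    installed version is not in the release list
    """
    inst = parse_version(installed)
    known = [parse_version(r) for r in releases]
    if inst not in known:
        return "unknown-version"
    latest = max(known)
    # Same branch = same first two components (major.minor).
    latest_in_branch = max(v for v in known if v[:2] == inst[:2])
    if inst == latest:
        return "current"
    if inst < latest_in_branch:
        return "patch-behind"
    return "upgrade-available"


def audit(inventory: Dict[str, str], releases: Dict[str, List[str]]) -> Dict[str, str]:
    """Classify every system in the inventory against its release history."""
    return {name: classify(ver, releases[name]) for name, ver in inventory.items()}


if __name__ == "__main__":
    for name, status in audit(INVENTORY, RELEASES).items():
        print(f"{name:16} {INVENTORY[name]:10} {status}")
```

Run it directly to print one line per system. In practice the release lists would be fed from the vendor's or project's release announcements and the inventory from the library's own configuration records; the "patch-behind" rows are the ones to act on immediately, while "upgrade-available" rows can be scheduled as a planned upgrade.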