The popularity and adoption of open source software and databases continues to grow. Even the government is catching on. Yet there are still concerns about the reliability of open source solutions. How reliable is a product that is developed in all openness? Can't malicious people just get hold of it? Or does transparency make things safer?
Watching your fingers
"When you get looked at, better code is created," wrote one of the developers in the PostgreSQL community recently. This is where the power of open source solutions lies. Through collaborative development, but also through the fact that all sorts of people can look over their shoulders and "think something of it," developers are, as it were, forced to write better quality code that is clear, robust and compliant with standards. PostgreSQL, for example, has become a very robust open source database system, mainly thanks to the large community around it that is constantly watching everything that happens.
One of the most publicly visible open source projects in the Netherlands of recent times is the CoronaCheck app. The ambition to be more transparent led the government to choose PostgreSQL. All the code, testing, documentation, everything around the development of the app has been published on Github. Of course, sometimes that is very exciting. For example, one of the developers involved in this project recently told us during a meetup of the PostgreSQL Usergroup NL. Because everything was developed in complete openness, the media were also watching and they sometimes publish beta versions with all kinds of bugs and unfinished looks. This can have an enormous impact on public opinion, but it also means that the developers are extra keen on quality.
The idea of building and developing in complete transparency is not new. The FBI, for example, only uses open source solutions. They start from the idea that what they cannot see, may not be trusted. That transparency is exactly what is lacking in licensed software. Yet there are still those who argue that it is better to work according to the closed-source principle and to use non-disclosure clauses to keep development in-house. As the client, you can of course cover certain things with contracts and liability clauses, but they are of little use if the damage has already been done. Conversely, if an organization performs penetration tests or other security tests on your open source solution, you can be sure that quality is being delivered because everything that happens is immediately visible. Even if someone missed something. The bottom line? The time-honored principle of social control. You can't hide anymore and everything is open and visible on the table. That enforces quality. The feeling that it is done 'together' and everyone can and may contribute, also contributes to the final result. Vulnerabilities and mistakes are seen very quickly and immediately addressed by the community.
Yet there is a danger in this idea. If you assume that everyone is watching and that someone somewhere will discover that there is a potential threat or weakness hidden in your database, you can also become lazy. So quality is not only in the code, but also in the processes. How do you build your tests, what can you test and when do you test what? After all, you want not only the source code to be transparent, but also your development process, your testing process and its results. If you opt for open source, you must have the necessary knowledge in house or at least be well advised.
Open source is the way forward
Open source is the way forward," said State Secretary Knops recently. The transition to open source is part of the Digital Government Act. The government is now also aware that openness and transparency benefit the quality of digital solutions. The transition to open source will also require organizational changes from suppliers, "including the support of communities that develop, maintain and further develop the open source software and databases and that, in the event of acute problems with the software, can act quickly and incidentally," says Knops.
Still in doubt?
Are you and your organization on the eve of a database migration or a new data platform to be built? Would you like to know whether an open source database is worth considering for your organization? Or would you like advice on the security of your current database environment? Feel free to contact us, we are glad to help.
Other related blogs: