Open and Closed Source Code. Errors and Situational Bugs.
This article, or rather a series of articles, was prompted by a user's question about the Panic Button (as of 2021 - the project is closed). "Doesn't closed code contradict the security norms that are promoted in your course?" Open and closed source codes are perceived by users as black and white, good and evil, dangerous and safe – and this is a misconception. I propose to clarify how things really are.
Any application consists of code written by programmers. Usually, the code is hosted on special services like GitHub or GitLab: this can be a cloud service or a solution operating in the corporate environment of a company. Any code is initially open; it is just that in programs with so-called closed source code, it is open to a limited circle of people, usually developers, while in programs with open source code, it is open to an unlimited circle of people.
Here is a small piece of code from the Panic Button program.
As you can see, the code itself is a set of numbers, letters, and symbols, and it cannot be executed in the operating system. The set of code needs to be transformed into an executable file using a compiler: in Windows – it is exe, in Android – apk, in macOS – dmg. This process is called compilation.
The feature of open code is that any specialist can independently compile an executable file based on the source code and, of course, view the code itself. If the code is closed, users are provided only with the executable file.
This does not mean that such a file is a cat in a bag: one can check network requests, system activity, and ultimately try to decompile the code, in other words, restore the source code from the executable file. We will discuss this in a separate part of this series of articles.
So far, everything still sounds as if open code is very good, and closed code is very bad. For now, let's take this on faith and analyze it in the context of each threat or problem that an application may carry.
What threats can an application pose?
- errors,
- situational bugs (unforeseen reactions),
- vulnerabilities,
- backdoors,
- hidden functionality.