Open-source security
Many people assume software is more secure when its code is hidden from the public. Open-source security challenges that idea by allowing anyone to inspect the code, identify vulnerabilities, and suggest improvements.
Learning how open-source security works can help you better understand how modern software is protected, why independent security research matters, and the trade-offs involved in making code publicly available.
First, let’s define what open-source software is and how it differs from proprietary software.
What does open-source mean?
When software is “open source,” its code is publicly available. That means anyone can use, view, or contribute to it.
Almost everyone uses open-source software or proprietary products that include open-source components. Examples of open-source projects include the Linux family of operating systems, the Chromium browser (on which Google Chrome and Microsoft Edge are based), and the messaging app Signal.
But this raises a question: how does open-source software stay secure if everyone can view it? Surely that makes it easier for criminals to find and exploit vulnerabilities?
How open-source security works
The idea behind open-source security is that software can be made more secure when anyone, from security experts to interested novices, can poke at the code, find vulnerabilities, and offer improvements.
Think of it as crowd-sourced security testing. With more eyes on the code, bugs can be found and fixed more quickly – a process that’s now accelerating exponentially due to AI-powered vulnerability discovery tools.
To open-source or not?
The open-source approach to software development and security comes with trade-offs.
While open collaboration has many benefits, it can also create opportunities for malicious contributors to introduce vulnerabilities. This happened in 2024, when a hostile actor added a backdoor to an open-source Linux utility called XZ, creating a massive security vulnerability in software that depended on it. Other times, apps will go without regular updates because the volunteer developers behind them don’t have time to keep up with the latest software development and security best practices.
Not every company chooses to make their software open-source. For example, the Windows and macOS operating systems are closed-source, or “proprietary.” However, companies that make proprietary software typically still need to find a way to assess vulnerabilities beyond their in-house testing routines. Often, they’ll utilize third-party security audits, penetration testing, and bug bounties. That’s what we do at 1Password! Third-party review and validation gives our team another way to engage with the security community and harden the security of 1Password products.
Ultimately, software security depends on a number of factors. That’s true whether an app is open-source or built from proprietary code.
1Password and open-source
While 1Password isn’t open-source, we rely on open-source software and support the open-source community. For example:
- 1Password utilizes an open-source implementation of the AES cryptographic algorithm
- We published our passkey library for anyone to use
- We created our Electron hardener and published it open-source
You can find even more public releases if you poke around our GitHub page!
If you’re an open-source developer, you may be eligible for a free 1Password Teams Starter Pack account. Contact us to see if you qualify!
