My point would be this: your app is not more “secure” because it’s private. It still has all the same vulnerabilities as it would if it were public. Although obviously it’s easier to find a vulnerability if you have the entire code. I think security is often an afterthought to a lot of private backends because it “feels” safer. There are also plenty of ways to leak code and figure out what technology someone is using. Also exploits happen but usually backends are hacked by going through the front door, AKA someone’s username and password. The problem with open source projects often isn’t people finding exploits, but exploits being introduced by others on accident or on purpose. Obviously this can be mitigated but it’s always a risk. Specifically I keep most of my code private not because I think it’s special but because I don’t think it’s “special” enough, meaning it won’t add anything that’s not already out there. Open source works well for things that don’t have to worry about security and credentials but it becomes a real pain in the ass. It takes a lot more effort to manage an open source project effectively.
A key exists for my front door. If I leave the key in the front door it is effectively open. If I leave the key in a locked box, it's more secure no? Sure you can break open that box and extract the key. So if I hide the box, then it's more secure right? Now you have to search for it. It is more secure, but not 100% secure, many people will be deterred. Pen Testing frequently identifies information leakage, so I will have reduce that - reduced but not eliminated.
In short, I'm still taking my key out of the front door, and I'm sure my insurers think my house is secure enough.
The problem with open source projects often isn’t people finding exploits, but exploits being introduced by others on accident or on purpose.
I would be more worried about those being added in closed source projects.
Take the xz incident, having the code people were able to reverse engineer what was going on.
But on the CrowdStrike incident, while people engineered why it crashed the machines, this could have been someone adding a exploit in a jiatan way to exploit it later.
Many places you commit what you need, check what you need, but if someone had added some xz jiatan level thing... who would know? how long it would go unoticed?
For further actions, you may consider blocking this person and/or reporting abuse
We're a place where coders share, stay up-to-date and grow their careers.
My point would be this: your app is not more “secure” because it’s private. It still has all the same vulnerabilities as it would if it were public. Although obviously it’s easier to find a vulnerability if you have the entire code. I think security is often an afterthought to a lot of private backends because it “feels” safer. There are also plenty of ways to leak code and figure out what technology someone is using. Also exploits happen but usually backends are hacked by going through the front door, AKA someone’s username and password. The problem with open source projects often isn’t people finding exploits, but exploits being introduced by others on accident or on purpose. Obviously this can be mitigated but it’s always a risk. Specifically I keep most of my code private not because I think it’s special but because I don’t think it’s “special” enough, meaning it won’t add anything that’s not already out there. Open source works well for things that don’t have to worry about security and credentials but it becomes a real pain in the ass. It takes a lot more effort to manage an open source project effectively.
A key exists for my front door. If I leave the key in the front door it is effectively open. If I leave the key in a locked box, it's more secure no? Sure you can break open that box and extract the key. So if I hide the box, then it's more secure right? Now you have to search for it. It is more secure, but not 100% secure, many people will be deterred. Pen Testing frequently identifies information leakage, so I will have reduce that - reduced but not eliminated.
In short, I'm still taking my key out of the front door, and I'm sure my insurers think my house is secure enough.
I would be more worried about those being added in closed source projects.
Take the xz incident, having the code people were able to reverse engineer what was going on.
But on the CrowdStrike incident, while people engineered why it crashed the machines, this could have been someone adding a exploit in a jiatan way to exploit it later.
Many places you commit what you need, check what you need, but if someone had added some xz jiatan level thing... who would know? how long it would go unoticed?