I’m developing a big community/forum website and I’d like to upload my code to GitHub to have at least some sort of version control over it (because I have nothing other than a .rar file as a backup, not even SVN), to let others contribute to the project, and also perhaps using it to let my potential future employers see some of my code as some sort of curriculum.
But what I’m wondering now, and I’m surprised I haven’t seen anyone mention it before, is the security aspect of it. Isn’t publishing the code of a website a HUGE security hole? It’s like giving a potential hacker or anyone who would like to find any potential exploit possible, even considering that the critical files aren’t uploaded (database passwords, authentication scripts, etc.).
Of course there are millions of projects uploaded to GitHub and no one will find mine just ‘by chance’. But if they look for it, it would indeed be there.
Bottomline: my problem is not about copyright or licenses, but others finding exploits in my website.
Am I missing something here?
5
Am I missing something here?
Yes. Relying on people not knowing your source code to prevent them from finding security exploits in it is known as security through obscurity.
The problem: it doesn’t work. Skilled hackers don’t need the source code to find and exploit vulnerabilities. They’ll do some fuzzing to find input that causes problems and then use their knowledge of how the underlying OS/language/framework works to identify a vulnerability.
It is widely agreed that having the source code public increases security by enabling well-meaning people to find vulnerabilities and fix them, or at least tell the developer about them. There are two important reasons why this works:
- There are generally more well-meaning than malicious people
- Any vulnerability found by a well-meaning person will be fixed for everyone; hackers are far less likely to collaborate
Of course it doesn’t work with pet projects that have few active users, but those are also exceedingly unlikely to be targeted by a hacker.
5
First off, you can use (distributed) version control without making the repository public. You can just create a repo on your local computer, and push to/pull from other computers. You can also upload the repository (giving you more backups and easier collaboration) without making it public. GitHub offers private repos for a fee, Bitbucket does the same and makes small (5 persons or something) private repos free. Of course, then you don’t get the other benefits you mentioned.
The security aspect is rather small. There are many, many worthwhile attack vectors which can be tested out easily without looking at the (server-side) source code (like being attentive to GET and POST parameters, checking cookies and session handling, adding inputs that ought to get escaped and checking if they are, etc.). If you’re vulnerable to any of them, a determined attacker can exploit them reasonably quickly without looking at the source code. More obscure and harder-to-exploit errors are (probably) also harder to spot in the source code, so again, you don’t lose much.
On the other hand, making it public and accepting contributions may attract people who can spot exploits, without ill meaning, and tell you about them (or even fix them themselves). This goes doubly if it’s really popular but you’re not a security expert (no offense, but you don’t sound like one; for example, you didn’t mention security through obscurity and how your concern is not a case of it).
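The two answers above make the same point from different angles: the defects that matter (unescaped output, string-built SQL) are visible from outside, so keeping the source private does not hide them. The following is an added example, not code from any answer in this thread: a pair of toy request handlers (one that interpolates the search term, one that escapes it and binds the query parameter) and two black-box regression checks that look only at the response. The handler signature (a dict of query parameters in, a status code and body out), the in-memory user table and the probe strings are all constructed for the example.

```python
"""Black-box regression checks for unescaped input, illustrating that such
defects are observable from the outside whether or not the source is public.

Constructed example: two toy request handlers (one that interpolates user
input into HTML and SQL, one that escapes and parameterises) and checks that
inspect only the response. The handler signature, the in-memory user table
and the probe strings are assumptions made for this example, not any real
site or framework.
"""
import html
import sqlite3
from typing import Callable, Dict, Tuple

Handler = Callable[[Dict[str, str]], Tuple[int, str]]

# Constructed sample data standing in for a forum's user table.
_DB = sqlite3.connect(":memory:")
_DB.execute("CREATE TABLE users (name TEXT)")
_DB.executemany("INSERT INTO users VALUES (?)", [("alice",), ("bob",)])


def search_unsafe(params: Dict[str, str]) -> Tuple[int, str]:
    """Deliberately weak handler: query built by string formatting, search
    term echoed into HTML without escaping. Kept weak on purpose so the
    checks below have something to flag."""
    term = params.get("q", "")
    try:
        rows = _DB.execute(
            f"SELECT name FROM users WHERE name LIKE '%{term}%'").fetchall()
    except sqlite3.Error:
        return 500, "<h1>Internal Server Error</h1>"
    names = ", ".join(r[0] for r in rows)
    return 200, f"<p>Results for {term}: {names}</p>"


def search_safe(params: Dict[str, str]) -> Tuple[int, str]:
    """Hardened handler: bound parameter for the query, html.escape for
    everything that reaches the page."""
    term = params.get("q", "")
    rows = _DB.execute(
        "SELECT name FROM users WHERE name LIKE ?", (f"%{term}%",)).fetchall()
    names = ", ".join(html.escape(r[0]) for r in rows)
    return 200, f"<p>Results for {html.escape(term)}: {names}</p>"


# Inert marker: if it comes back byte-for-byte, HTML metacharacters were
# not escaped. It is plain text, not a working payload.
HTML_PROBE = "<probe-marker&>"
# A lone quote breaks an SQL literal that was assembled by string formatting.
QUOTE_PROBE = "o'"


def reflects_unescaped(handler: Handler, param: str = "q") -> bool:
    """True if the raw probe appears verbatim in the response body."""
    _, body = handler({param: HTML_PROBE})
    return HTML_PROBE in body


def breaks_on_quote(handler: Handler, param: str = "q") -> bool:
    """True if a single quote turns the response into an error, the classic
    externally visible symptom of string-built SQL."""
    status, _ = handler({param: QUOTE_PROBE})
    return status != 200


def audit(handler: Handler) -> Dict[str, bool]:
    """Run both checks; a defect shows as True under the matching key."""
    return {
        "unescaped_html": reflects_unescaped(handler),
        "sql_error_on_quote": breaks_on_quote(handler),
    }


if __name__ == "__main__":
    for name, h in (("unsafe", search_unsafe), ("safe", search_safe)):
        print(name, audit(h))
```

Both checks treat the handler as a sealed box: they never read its code, only its output. Running `audit` over every handler in a test suite turns the "add inputs that ought to get escaped and check if they are" advice into a regression test that fails the build, which is the defender's version of the same observation.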
4
BitBucket has free private repos and supports both git and mercurial.
Setting aside the issue of security and whether making your code public would enhance it or not, you can set up a source control system on your machine yourself. In the case of git it’s trivial, just initialize a local repository and you’re done, but setting up SVN also isn’t a daunting task. Maybe an hour or two following the tutorials, if you have little prior knowledge of how to set up SVN.
So you can still benefit from source control, regardless of whether you end up using an online service or not.
Most malicious hacking is done anonymously. Some person in Russia running a script that scans hosts for open ports, or what-have-you. No one is going to explicitly pore over your code just to find a way to hack in to do harm. Not unless you really piss someone off.