In the last few months, we at Frappe have received decent traction from large enterprises. Our first session with these companies included a presentation that outlined the technical stack of ERPNext and the Frappe Framework. As soon as we presented ERPNext and the Frappe Framework as open source applications, the quick follow-up question was:
If ERPNext is an open source software, what about data security?
They were apprehensive that if the complete code base of a software product is public, it will be easier for hackers to locate vulnerabilities in it and misuse them.
I would argue that open source applications are safer. To make the case, let's look at Windows and Linux. Below are arguments explaining how security is better taken care of in open source software.
Windows vs Linux
Windows is licensed (that is, non-open source) software which needs no introduction. It is used not just for personal computing but also in millions of businesses every day. It is easy to install, get trained on and use. It works great, until it crashes. Yes, that is the bitter reality which goes hand in hand with its goodies. Issues on Windows computers like security breaches, virus attacks and the OS itself crashing are pretty common. Perhaps that is the reason why the market share of Windows, 88% for PCs, drops to just 2% when it comes to the server market.
On the other hand, we have Linux. It is open source software, available for free to everyone. Its market share among PC users is just 2%. However, when it comes to the server market, Linux stands tall at 95%! Linux powers all the supercomputers in the world today.
The biggest differentiator between Windows and Linux is open source, and that is one of the major reasons why Linux is more secure. An open source project has its source code published in public, so not just the product team but the whole community keeps a close eye on it. As a result, you have people from the community reporting vulnerabilities and helping you make the application more secure.
For ERPNext as well, the community of users, developers and bug bounty hunters has played a pivotal role in reporting security flaws and getting them fixed, for the benefit of the larger ERPNext community.
How to Ensure Security in Software?
In this ever-evolving world, the requirements of software users are also evolving constantly. Hence software also requires upgrades to fulfil these needs (more so to remain in business). When software is upgraded so often, each upgrade also requires a check on its security aspects, to ensure that the new version does not introduce any leaks or vulnerabilities. Hence the question:
Is your software secure?
In my humble opinion, this cannot be answered in binary terms, like yes or no. It can only be answered by defining the process which performs security checks and reviews before every release. Perhaps that is why ISO certification does not assign a quality tag to a company, but acknowledges that the company has processes in place to ensure a quality outcome. Quality cannot be absolute. It is a process, which goes on.
In conclusion, for an open source application, security is not a concern but a benefit. We are thankful to everyone in the ERPNext community who reported security issues and contributed to making ERPNext and Frappe more secure. But as we learned above, it is a process. So do keep those reports coming.