Why Open Source Matters for Security Tools
I don't trust closed-source security tools. Not because the people building them are dishonest, but because "just trust us" is a fundamentally broken model for software that handles your secrets.
The Trust Problem
Go read the landing page for any closed-source secrets manager. You'll find some version of: "your data is encrypted at rest," "we never see your plaintext secrets," "zero-knowledge architecture." Maybe a compliance badge or two.
How would you know if any of that is true? You wouldn't. The vendor could be mistaken about their own implementation. They could have a bug they haven't found yet. They could be under a gag order. You're trusting a marketing page, not a codebase.
What Open Source Actually Gets You
Independent Audits
Redshift's encryption implementation is at github.com/accolver/redshift. You can go read how we use NIP-59, confirm secrets are encrypted before they leave your machine, and check that there's no key escrow. You don't need to take our word for it. Security researchers and paranoid developers have the same access you do.
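The two properties this paragraph asks you to confirm, that secrets are encrypted before they leave the machine and that no key is escrowed, are properties you can test rather than merely read about. The block below is an added example, not Redshift's code and not an implementation of NIP-59: it wraps a hypothetical `Client` around a `RecordingTransport` that captures every outbound byte, stores a constructed secret, and then checks that neither the plaintext nor the key appears in the captured traffic. The HMAC-SHA256 stand-in cipher, the class names, and the `EscrowingClient` negative fixture (which deliberately ships its key so the check has something to catch) are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# --- Stand-in cipher (constructed for this example; NOT NIP-59 / NIP-44) ---
# HMAC-SHA256 in counter mode as a keystream, plus an HMAC tag (encrypt-then-MAC).
# It exists only so the property check below runs offline with the standard
# library; a real client would use the protocol's own encryption.

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` keystream bytes from key and nonce."""
    blocks = []
    counter = 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then strip the keystream."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


# --- The check: nothing sensitive may appear on the wire ---

class RecordingTransport:
    """Stands in for the network layer and captures every outbound payload."""
    def __init__(self) -> None:
        self.sent: list[bytes] = []

    def send(self, payload: bytes) -> None:
        self.sent.append(payload)


class Client:
    """Hypothetical secrets client: encrypts locally, then hands bytes to the transport."""
    def __init__(self, transport: RecordingTransport, key: bytes) -> None:
        self.transport = transport
        self.key = key

    def store_secret(self, name: str, value: bytes) -> None:
        # Only the name and the encrypted value are sent; the key never leaves this object.
        self.transport.send(name.encode() + b"\x00" + encrypt(self.key, value))


class EscrowingClient(Client):
    """Negative test fixture: a client that also ships its key (what 'key escrow' looks like on the wire)."""
    def store_secret(self, name: str, value: bytes) -> None:
        super().store_secret(name, value)
        self.transport.send(b"escrow\x00" + self.key)


def wire_leaks(transport: RecordingTransport, *needles: bytes) -> list[bytes]:
    """Return every needle (plaintext secret, key, ...) found in the captured traffic."""
    wire = b"".join(transport.sent)
    return [n for n in needles if n in wire]


def run_check(client_cls=Client) -> list[bytes]:
    """Store a constructed secret through `client_cls`; an empty list means nothing leaked."""
    key = secrets.token_bytes(32)
    transport = RecordingTransport()
    client = client_cls(transport, key)
    secret = b"constructed-example-secret-not-a-real-credential"
    client.store_secret("DATABASE_PASSWORD", secret)
    # Round-trip proves the ciphertext is real rather than a stubbed-out send.
    stored = transport.sent[0].split(b"\x00", 1)[1]
    assert decrypt(key, stored) == secret
    return wire_leaks(transport, secret, key)


if __name__ == "__main__":
    print("honest client leaks:", run_check())                   # []
    print("escrowing client leaks:", run_check(EscrowingClient))  # one entry: the 32-byte key
```

The point of the harness is the transport boundary: whatever the client does internally, the only thing an outside party ever receives is what crosses `send`, so that is where the "encrypted before it leaves your machine" claim is decided. Against a real client you would swap the stand-in cipher for the project's own and point the recording transport at the real relay interface.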
Backdoors Are Visible
Closed-source vendors can be compelled to add backdoors -- by governments, by investors, by acquirers -- and they may not be allowed to tell you about it. This isn't theoretical.
In an open source project, a backdoor would show up in a diff. That's a meaningful difference.
The Project Outlives the Company
Companies fail. Products get acqui-hired into oblivion. When your closed-source secrets manager shuts down, you're scrambling. When an open source project's maintainers move on, the community can fork it. All the time you invested in integration and tooling isn't wasted.
You Can Fix It Yourself
Need something the maintainers won't prioritize? Build it. You're not sitting in a feature request queue hoping the next quarterly roadmap goes your way.
Security Through Obscurity Is Still Wrong
Some vendors argue that hiding source code makes their product more secure. This has been a discredited position in cryptography for decades. AES, TLS, every serious security primitive you rely on daily -- all publicly documented. Strong security comes from sound algorithms and correct implementation, not from hoping attackers can't read your code.
Obscurity doesn't prevent security problems. It hides them. Some of the worst breaches in recent memory came from closed-source systems that looked perfectly secure from the outside.
Open Source Isn't Perfect
To be fair, open source has challenges:
- Funding: Maintainers need to eat; sustainability is hard
- Review capacity: Just because code can be reviewed doesn't mean it is
- Supply chain attacks: Dependencies can be compromised
But these problems all exist in closed-source software too -- you just can't see them. Open source at least gives you the option to verify.
Redshift's Approach
Redshift is MIT licensed. The CLI, the web admin dashboard, the crypto libraries -- all public. If you don't trust us, read the code. If you find a bug, open an issue. If you want a feature, submit a PR.
Try Redshift and see for yourself.