A reply to the "Is Mondo open source" forum thread from 2016:
I know this was years ago, so I’d love it if, but I’m not hopeful that, Monzo’s attitude to Open Source might have changed.
This was such a painful thread to read. Yes, it’s unthinkable that a regular bank would open-source their code, in the same way that it’s unfortunately unthinkable that they would have reduced transaction time if they hadn’t been forced to, or that they would use standard 2-factor authentication methods. The banking sector have various delusions:
- firstly their security needs are different from (greater than?) the rest of the tech industry, and so they need different methods
- secondly that their use cases are legitimately so much more complicated, so they can’t possibly use the same tools and practices as the rest of software
One of the reasons I and many others love Monzo is it’s supposed to be the antidote to these ways of thinking. It’s supposed to be modern.
So it’s so disappointing to see people advocating for the same misguided security through obscurity arguments. Aside from the basic fact of people being able to read your code to help you find bugs, there’s an important psychological component to this: In security, you should be extremely deliberate about knowing what your secrets and your walled gardens are - your private keys & passwords, your firewalled local domains, your DMZs. When you rely on security through obscurity, people end up being incredibly fuzzy about where their secrets or vulnerabilities are: You can commit sensitive information to your central repository because it’s not open; you don’t have to worry about solving a security problem in a hacky way right now 'cos no-one can see it.
The fact is, zero-day vulnerabilities in closed-source programs can and often have remained unfixed for years and years. There is nothing like the vibrancy of the open-source security community keeping everyone honest, and pointing out issues in your security logic.
It’s hard to prove absolutely empirically that closed-source software is less secure, because you just don’t know what you don’t know in terms of how many zero-day vulnerabilities for closed-source systems are out there, and how many of them would have been different if it was open source, but from all the myriad serious problems we’ve seen in Windows vs Linux, Internet Explorer vs Firefox, even negative stories like the way Heartbleed in OpenSSL was handled, it seems absolutely clear to me that open source software is ultimately way more secure than closed source software. There is a general consensus in the security community that open source software is probably more secure, with some evidence.
The other part of this is about business risk, and again, I think the arguments made here are somewhat misguided.
I completely agree with @mitar that what’s happening here is that the code is being massively overvalued.
The first thing is, people probably won’t steal your code. I work in open source and look at open source code all day long. It’s incredibly difficult to simply lift and use anything wholesale. Very occasionally I can inspect others’ code to see how they solved a problem, but even then it’s never a perfect solution for my use-case.
Even if I literally did want to replicate Mondo wholesale, I didn’t have any different business requirements, I would still need an exact equivalent team of developers with the same skills and the same processes to even put the thing together right. It’s incredibly hard and slow to work on other people’s code that you had no hand in writing, which is why developers have a strong tendency to try to write code from scratch even where very good quality code exists for them to copy.
The fact is, the code is the least important part of all this. Once I’ve seen you solve a problem I really don’t need to see your code - there is plenty of research showing that students will declare a problem impossible to solve, then when shown that it is in fact possible, can then solve it amazingly quickly. Once I’ve seen Monzo achieve something, I can probably come up with a way of solving it that’s better than how your code did it, because it’s been proved to me that it’s possible, and I can see the broad shape of how you did it, so I can iterate on it.
The things that are valuable and unique to Monzo are the concepts of new ways to handle banking, the elegant designs that solve those problems simply for users, and the team of people who have built ways of interacting with each other allowing them to continue to solve new problems just as elegantly.
Everything here apart from the Monzo employees can and will be copied and built upon by competitors - the only thing stopping them is licensing, copyright and patents. But opening up your code will hardly help them - they’re very unlikely to copy it. Also, to the extent that Monzo are unable to stop competitors copying them, it’s actually only a good thing for humanity - the banking tech moves forward, led by Monzo.
Cases where the code actually matters are only where you’re solving a really difficult mathematical or logical problem in a completely new way (a new search algorithm for finding data faster, a new compression algorithm that could revolutionize communication like the fictional one in the show Silicon Valley, a new NP-complete problem foe enhanced security). Even in these cases, others will likely solve them very fast as soon as they’ve seen it’s possible. Also, in most cases, it’s almost unconscionable to keep these new solutions secret - they should be contributed towards the benefit of all mankind. The most famous case of this sort of business-case closedness is probably Google’s search algorithm, but again I would say them continuing to keep it secret at this point - where that algorithm defines how much of the world finds information - is also pretty damn unethical.
Some more interesting articles: