Should I make a project open-source being a non-expert developer?

Question

I'm going to start a project developing an app for a charity organization for free. I'm currently studying computer engineering and I doesn't consider me as a professional developer right now. I would like to make the project open source, but I aware that maybe I could make a security mistake and put the private data of the organization at risk. It would be easiest to find security vulnerabilities if my app is open source. What do you think about it?

brudgers · Accepted Answer

If you're not experienced enough to build a secure application, then don't build one. That's what being professional means - not doing work you are unable to execute to a professional standard.
The situation you are in is common. Someone wants work without having an adequate budget. In this case $0. Sure you might work for free. But a busy security professional that could do an audit probably won't.
Making the project open source doesn't mean you will get any help for free. Sure you might. But there are countless open source projects and you are the only programmer who is currently interested in this one. Making it open source isn't going to make anyone else more interested. There isn't an unmet need for projects with non-paying work.
If the app is important to the charity organization, it's fund raisers can raise funds from the usual sources for doing it at a level coming closer to doing it right.
Good luck.

_ah · Answer

If you're building the app for free, and you're considering posting code to boost your resume, these both sound like academic pursuits consistent with your coursework. If you are currently enrolled in a 4-year university, take your code and ask for feedback from your professors. It's a unique learning opportunity and shouldn't cost anything extra.

Jugurtha · Answer

You can start the project avoiding the main traps[0] and advocate and try to attract competent security people to make the application more secure, and build a community around that. You can also hire people to audit the applications, try and secure funding for the effort, and do what it takes to make the project successful.- [0]: https://owasp.org/

mimixco · Answer

It would only be easier to find security problems if someone actually audits your code, which probably won't be free.A good solution is to use an existing service with strong data protections to hold your actual content and then build your service to use authentication tokens with that service. There are lots of options depending on what kind of data you need to store, like Digital Ocean for a SQL instance or Firebase for JSON.

ystad · Answer

You should have someone audit the source prior to open sourcing it