In this article we’ll discuss the claim made by proponents of open source software that such software is more secure. Is open source really inherently more secure than closed source commercial software? If so, why? And if not, why do so many have that perception?
Is Open Source Really More Secure?
Who claims that? A bunch of zealots that don’t even know what they are talking about. Open Source is not more secure. A security vulnerability is first a bug. And neither Open Source Software nor Proprietary Software is exempt from bugs. So, in any software you can find bugs, including security-related bugs.
The point is not to know if Open Source is more or less secure than proprietary software.
The point is, in the case of OSS, everybody can see the code, everybody is free to find and report a bug.
The point is, in the case of OSS, all the infrastructure involved (bug reporting software like bugzilla, mailing lists to discuss issues, developers hearing what others are saying) is built to find and triage bugs, even if they are security vulnerabilities.
The point is, in the case of OSS, finally, developers take care of users and respect users, and develop software with security in mind. And even if they didn’t think of security, there are some people around who will point out security problems when the software gains some popularity.
“The point is, in the case of OSS, everybody can see the code, everybody is free to find and report a bug.”
This is of no use if you’re not a programmer. I wouldn’t know the first thing about how to view the source code in the first place, much less what I’m looking at or how to fix it if it’s broken.
“The point is, in the case of OSS, all the infrastructure involved (bug reporting software like bugzilla, mailing lists to discuss issues, developers hearing what others are saying) is built to find and triage bugs, even if they are security vulnerabilities.”
This is not unique to OSS software, and I can think of two large corporations who foster a sense of community to get feedback from users: Adobe and Microsoft. Both have extensive newsgroups for both the public and beta testers, and both have avenues for offering new feature requests for specific apps.
“The point is, in the case of OSS, finally, developers take care of users and respect users, and develop software with security in mind. And even if they didn’t think of security, there are some people around who will point out security problems when the software gains some popularity.”
Again, not all OSS software is this way, and in many cases I’ve run across people who give you the standard RTFM or “you’re a noob so learn it like I did and quit bugging us with stupid questions” responses.
OSS is no different, in any way, shape or form, except for one area: you get access to the source code. This in and of itself is not all that useful to the majority of users for apps like FireFox, OpenOffice, or The GIMP, as we’re not programmers and we’re not going to easily find programmers who are willing to make changes to the app’s code for us and maintain them if the changes are not allowed back into the main source code tree. If a proprietary app vendor is willing to give us the features we want and OSS apps are not, then we’ll go with the proprietary app every time. Once the OSS community gets this concept through their heads and begins to work with non-programmers within the community and treat them with respect as users, they might find their software gain in acceptance a whole lot more. Sure, there are exceptions to this rule, such as Apache and some graphics software (FilmGIMP for instance) being used by film production houses, but these are the exception and not the rule.
I don’t know if Adobe and Microsoft represent the exception or the rule but I do know that a couple utility apps I run in Windows offer the same kinds of forums and feedback requests that the developers read and respond to. While not a Windows app yet, the developers of Konfabulator are another great example of this development model extending into the proprietary app space.
“The point is, in the case of OSS, everybody can see the code, everybody is free to find and report a bug.”
This is of no use if you’re not a programmer. I wouldn’t know the first thing about how to view the source code in the first place, much less what I’m looking at or how to fix it if it’s broken.
I think he said everybody is free to read the code and is free to find flaws, bugs, etc., which is true. However, he didn’t say everybody is capable of finding one.
Again, not all OSS software is this way, and in many cases I’ve run across people who give you the standard RTFM or “you’re a noob so learn it like I did and quit bugging us with stupid questions” responses.
This is part of the OSS culture. Not so very big an issue if you have stamina and really show the willingness to do some research first hand yourself. This is not the proprietary world where you pay and demand. Most of the people are volunteers.
Etiquette is the key.
A shallow article that belabors the obvious and arrives at an obvious conclusion.
Source availability is a potential threat if the source is closed and a very few people acquire unauthorized access to the source.
Source availability is a threat if the software is open and a trusted developer adds malicious code.
Users count more than developers. Source availability is irrelevant to users.
Closed source software trusts no one unless they have been granted access. Open source trusts everyone.
The number of eyes that are allowed to look at source code has no bearing on the security of that code.
“Source availability is irrelevant to users.”
In the Windows world perhaps, but in *nix land I’d say having source available is often rather handy.
My personal gripe against closed source software is based around trust issues I have with not being able to see what random developers on the other side of the world are doing with my computer when I run their application.
Really, why should I put any trust in anyone if they’re unwilling to show me explicitly what their program does and how it works?
enloop: Source availability is a threat if the software is open and a trusted developer adds malicious code.
Basically malicious or poor code can be added by trusted developers (just because of poor coding quality or sometimes maybe even intentionally) as easily whether the source code is open or not. It is all about who you want to trust and who not. Anyway, with open source you can check the source code and compile software yourself, with closed source you (usually) cannot.
Open source allows YOU to fix a problem even if nobody else will. (this involves paying someone to do it for you)
Closed source doesn’t give you this freedom. You’re at the whim of the company who controls the source code.
Open source isn’t more secure, but it also isn’t less secure.
This is of no use if you’re not a programmer. I wouldn’t know the first thing about how to view the source code in the first place, much less what I’m looking at or how to fix it if it’s broken.
Even if you aren’t a programmer, you benefit indirectly from this. The whole reason open source works at all is that there are so many programmers (relatively) out there. So for popular projects (and it’s important to distinguish popular from unpopular projects here), there are a lot of people looking at the code, and fixing bugs and security flaws in the process.
If someone has the ability to understand and modify source, they are, by definition, a developer.
As for trust, there are plenty of reasons for someone not to release source other than attempting to deceive users. Earning a living by selling your skills and your code ranks right up there.
By the same token, I am not a developer, and the presence of all this source code on my Linux installation has no bearing on whether or not I use any given piece of software or whether or not I trust its developer. A developer could add malicious code and I would have no reason to expect that anyone would ever find it. Why should I trust that someone acting at random will voluntarily review and alter code any more than I should trust corporate developers who are hired and paid to do that specific job?
this so-called article added absolutely NOTHING of value to the ongoing battle over closed vs open. It barely rises above the level of essays of the average high school student.
As far as the “When closed becomes open” section, no mention was made about those who deliberately open previously closed code and whether they have fallen prey to crackers because of it.
Many of you have identified that the development model known as open source has no real bearing on the security of the resulting software, as compared to the development model called proprietary. One would be hard pressed to *prove* otherwise.
What is certain is that open source development allows for software to be developed at a lower cost than proprietary development. Not only do the maintainers get the help of the empowered “end-user developers” in fixing bugs and adding features, but they also avail themselves of many preexisting open source packages that can be used to expand the functionality. Commercial open source software can be developed and sold for a lower cost than a competing proprietary package.
Once people see the open/closed source debate not as a conflict between two religions but as the competition of two products in a marketplace, it will be clear that proprietary software cannot compete with open source.
What a boring article that introduces no new facts and resolves to no conclusion.
A little from A, a little from B does not cut it.
“In the windows world perhaps, but in *nix land id say having source availaible is often rather handy.”
That’s a symptom of a lack of standard, reliable binary distribution for open source apps. It’s a symptom of a problem, not a benefit for normal users.
Stupid article topic. Really, you’re going to tell me that the closed efforts of an entity whose sole purpose is to generate profit can be more secure than something community driven, where code is seen by *thousands* of eyes?
Honestly, it shouldn’t even be a question. Microsoft wins in the marketplace because they have sheer weight in terms of resources and manpower. But that’s on the scale of their markets. The world has a lot more geeky programmers with time to kill than Microsoft could ever hope to employ.
What’s up with osnews *cough* news items lately?
If someone has the ability to understand and modify source, they are, by definition, a developer.
I guess I could be called a developer then? No… I doubt it, I’m just a user with a fairly solid clue.
To benefit from source code availability you don’t have to be a programmer (erm, or developer if we use your wording). For example, I can recompile my kernel to include only the drivers I need and not the drivers for a million other pieces of hardware that I don’t own nor ever will.
The fact that *I* may not be bright enough to pick up on bugs in gpg doesn’t mean no one else is, like the ELG signing/encryption bug in gnupg (which was very, very non-trivial). The developers didn’t notice; a user (or is it developer? it wasn’t a gnupg developer IIRC, at any rate) did. Now, the nature of this bug is that it wasn’t a simple, easy-to-find mistake in the source code. I, however, am quite happy that someone did notice, as it shows the level of inspection that at least one random person undertook in regards to the gnupg source. That makes me trust it a whole lot more.
You don’t have to give away your way of earning a living by making the source visible to others; PGP, for example.
I can, and do, compile my own kernels. That doesn’t mean I’m qualified to write or modify kernel code. I’m simply following some paint-by-numbers instructions. I can, and do, manage the rough equivalent on Windows by not running services, et al, I don’t need. Those activities have nothing at all to do with development. I’m not an auto mechanic, but I can put gas in my car.
The fact is, though, that I resent and regret most of the time I spend tweaking — and learning to tweak — Linux. I no longer see that as much of an advantage. I’d be much, much happier if I could devote that time and energy to something useful or entertaining, rather than chasing down libraries or wondering if Version 0.86-5.-01 of one piece of code will work with Version 1.008.0a2 of another.
As I said, if someone has developed the professional skills to understand and alter the source code that comes with their Linux distribution, then they no longer merit being called a “user”, especially in the pejorative sense used by some developers in reference to anyone who cannot or does not write code.
And, again, the source on my Linux machine does me no good. It does not make my machine run faster or better. It does not give me new capabilities. Its presence does not increase, or decrease, my confidence or trust in the developers who wrote it. (That’s because I lack the skills and interest to assess those qualities and have no way of knowing if any given piece of code has been quality reviewed and/or tested by anyone, including its developer.) I can delete all of it and not miss it at all.
“Stupid article topic. Really, you’re going to tell me that the closed efforts of an entity whose sole purpose is to generate profit can be more secure than something community driven, where code is seen by *thousands* of eyes?”
Open source is a double-edged sword. You also have thousands of blackhats looking for holes. However, rootkit and exploit developers are doing quite well reversing Windows, so proprietary isn’t safe either.
I guess my point is: there’s no substitute for secure coding practices and heavy auditing.
This is all about choice. You don’t have to compile anything from source; I usually don’t. It’s an option. Use a binary-based distro like Debian. If, on the other hand, you want to compile everything with your hardened gcc, then go ahead and use Gentoo with the respective changes.
The fact that it’s not useful to you does not mean it’s not useful to anyone.
And I think being a developer and a user are definitely not mutually exclusive.
At any rate, I’m uninterested in continuing this, as this isn’t the place.
>Who claim that? A bunch of zealots that don’t even know what
>they are talking about. Open Source is not more secure.
I think it’s stupid to say that Open Source is more secure in general, but it’s strange that popular Open Source programs are often more secure than their popular commercial counterparts.
For example:
Apache vs IIS
Evolution vs Outlook
FireBird vs Internet Explorer
SSH vs RDP
etc.
A few points:
* It all depends on a case-by-case scenario.
* You need many case-by-case scenarios and underlying, stable arguments to prove such a point as solid.
* Known vulnerabilities do not say everything. There could be unknown, semi-known, reasons for being known, etc.
And please take a look at OpenVMS, then think again…
Not so…
Even if the user isn’t a programmer, by having the source the user is free from any shackle from the “development group” that produced the code (well, the degree of freedom will depend a lot on the license with which the code was published).
All in all, and looking at the most common case, a GPL or LGPL license, if the group is dismantled and disappears from the radar, the user is then free to:
a) learn how to program and provide the kind of support needed by himself;
b) hire someone to perform a) for him.
In a closed source world, that isn’t an option and will only lead to “reinventing the wheel”…
Cheers…
Yes it is.
Where I said FireBird I meant FireFox, but I am sure FireBird is more secure than MS SQL.
This is a very simple example of why open source is not exempt from bugs, including security-related bugs, but also of how, with the OSS approach, you can secure your app with the help of other hackers looking at your code:
http://mail.gnome.org/archives/desktop-devel-list/2004-October/msg0…
And please take a look at OpenVMS, then think again…
I would love to do that. I doubt whether it runs on x86.
If you want to read another point of view on the same matter, try:
http://www.theregister.co.uk/2004/10/22/linux_v_windows_security/
Quite different conclusion…
Here’s my experience from an open source project for which I was a developer for some time (the Crystalspace 3d engine). I have had good and bad experiences with the open source model.
The positive point was that the developer team grew rather big very easily. In a software company, people sign a contract with their bosses and become developers that way. From that point, they start reading the code and must start writing code almost at the same time. In an open-source project, I can read lots and lots of code and become a developer by knowledge, not by contract. It’s still mostly black-and-white, either you are a developer or you aren’t, but crossing the line is much much easier and you’re not messed up when it does not work as you expected.
The negative point I saw was that the code was, despite being available to sooo many eyes, _full_ of bugs, that is, bombs to be triggered. If the project had been of any security relevance (and not a 3d engine) then my advice would be not to use it where security counts, for at least 10 years to become a bit less buggy. NOTE that this project involved 10-20 very capable developers and two very capable project leaders.
What I want to say is that being open source is no magic that blows bugs away. The code was so buggy because it was NOT read again by anybody, or at least not by people willing to fix the bugs. People don’t scan the code for bugs because they *can* do it (most of them, at least). People scan the code for bugs when that is a guideline of the project, usually bundled with code clean-up and documentation of the various modules. The only exception is a developer making this his own guideline voluntarily (= because he/she can’t stand seeing bugs everywhere) – that’s why I did it. But for that, you must be an involved developer, otherwise you won’t understand the code.
“I would love to do that. I doubt whether it runs on x86.”
Depends on your definition of ‘running’. You could…
*) use ‘simh’, a virtual machine or emulator, but it’s rather slow. On a fast x86 it might have a decent speed.
*) use eisner.decus.org for a free account.
*) as a non-x86 solution: grab an Alpha off eBay (be sure it is able to run OpenVMS) and start playing. EV5 and EV56 are not very expensive (100-200 EUR/$) and deliver quite decent speed.
*) HP is gonna port it to AMD64.
Hobbyist license is free btw. VMS manuals can be bought from eBay, too (recommended).
The security advantage one has if the source code is not visible to the crackers is also a sort of pitfall. It might tempt the programmers to get lax on security, to even choose a fundamentally flawed software design (like embedding a web browser deeply into the operating system). It is often seen that at the beginning of a project (or a major codebase change à la APACHE 2) the security of the OSS software lags a bit behind that of its proprietary counterparts. Lots of security-relevant bugs are being found during the first months. After this period of stabilisation the good security of the software design begins to show its benefits. To know that the source code WILL be available to the bad guys motivates one to make the software secure BY DESIGN, not relying on the head start one has if the source is not available to the crackers.
I might also add that having security-savvy programmers around helps a great deal, and might even be the more important question than open or closed source. Because if the DESIGN is inherently insecure due to rookie programmers like me having no idea what security is, no closing or opening of source code will help.
I’d like to add that the worst thing (at least in the short run) for security is to open the source of a long-closed project. Immediately, crackers can find single points where the system could be attacked. But to fix these, one usually needs a broader view of the code. And to make it worse, a project that has just opened the source does not have the developer force to fix the bugs.
See the “opening” of WinNT4 / Win2k source code for example. Things might become different though if the code stays open for ten years after that.