A blog for the enterprise open source community

Open source security debated

Jay Lyman, February 10, 2009 @ 11:07 pm ET
The debate over the security of open source software is dusting up again with some recent criticism of inherent risk in open source software packages commonly used by enterprises, governments and others. While the criticism from Fortify, based largely on a previous report, comes in response to some UK government indications of an embrace of open source software, I believe that sweeping statements about the security of open source software don’t make much sense.
I’ve also been fortunate enough to speak with a couple of experts who agree: there is open source software that is indeed less secure than it could be, but there are also examples of open source software that has been put to the security test, by years of enterprise use, and has passed (think Linux and Apache here). The other point is that the ‘inherent’ insecurity argument could easily be applied to commercial software, which has its own history of gaping holes and severe vulnerabilities. The bottom line: there is good and bad, secure and risky software in both categories of open source software and proprietary software.
Ernie Park, who headed up his own team’s risk report that featured a nice mix of both open source and proprietary software in use, says the complexity of the software is a major factor in its security and risk. No surprise there, but what is perhaps more interesting is Park’s assertion that security also seems tied to two other factors: popularity and money. OK, popularity is another one that makes sense — the more widely software is used, the more likely it is to be targeted for security holes. The money behind a software project or product, however, is a far more interesting factor. Basically, Park argues, software that has paid, dedicated experts ensuring its quality and security tends to be more secure than software that comes from a group or community of developers who may not necessarily make their living from it.
Park does, however, still see the benefits of transparency and community, arguing that “a well used and available forum drives awareness to issues, and indirectly facilitates rapid resolution for complex software, regardless of licensing.” While Park laments that open source software has no central vulnerability database or authority, he says that if the larger open source community could get beyond its resistance to the idea of such a body or such control, it could very likely take its transparency advantages and run with them, bolstering the overall security of open source software.
Another perspective comes from David Maxwell, open source strategist for Coverity, which for more than two years has worked with the U.S. Department of Homeland Security in the federal government’s Open Source Hardening Project. Maxwell similarly stays away from sweeping statements about open source as secure, open source as insecure, commercial software as secure or commercial software as insecure. Instead, he says that while the quality and security of open source software is generally increasing, that doesn’t mean that the ‘more eyeballs’ argument typically heard from open source proponents is always valid. From Maxwell’s perspective, there is not much difference between open source and commercial software when it comes to integrity, with a range of good and bad in both categories.
As the U.S. and the new administration of President Obama contemplate open source software, I expect a similar debate will be occurring over the security of open source. I would hope that it is judged on its merits and its record and put in the perspective of software in general, which is created by human beings and is by no means ever perfect and free of security vulnerabilities, open source or not.