Is Open Source Secure?

by Mark Stone

Related link: http://www.devx.com/opensource/Article/20111



DevX's Executive Editor A. Russell Jones suggests that governments avoid jumping on the Open Source bandwagon because Open Source software, by its very openness, is more vulnerable to exploitation. This attitude reflects a deep misunderstanding about how both security procedures work, and about how Open Source projects work.


His argument rests on three ideas:


  • Someone who is part of a project can place an exploit within the code: "the security breach will be placed into the open source software from inside, by someone working on the project."
  • While there is sufficient scrutiny on major projects to prevent this kind of exploit, since Open Source permits anyone to create their own distribution, a smaller, less scrutinized spin-off can easily have this kind of exploit: "distributions will be created and advertised for free, or created with the express purpose of marketing them to governments at cut-rate pricing. As anyone can create and market a distribution, it's not far-fetched to imagine a version subsidized and supported by organizations that may not have U.S. or other government interests at heart."
  • The extensive peer review to which Open Source code is subjected doesn't suffice to uncover such exploits, because these exploits can be withheld from the publicly available source code: " the model breaks down as soon as the core group involved in a project or distribution decides to corrupt the source, because they simply won't make the corrupted version public."

Jones' conclusion: governments simply cannot afford to take the risk of using Open Source, even given the benefits its flexibility provides, because of these security risks: "To limit their vulnerability, governments can't afford to give everyone a choice, nor can they afford to provide access to the source code for their software."


There are deep misconceptions here about how Open Source projects work, and about what the differences are between Open Source and proprietary software. I want to start, though, by pointing out a much more important and much more disturbing theme.


Too often people assume that secrecy equals security. Nothing could be further from the truth. Today's strong cryptography is based on the assumption that an "adversary" will know both that something is encrypted, and what the encryption scheme is. The notion that hiding the means of encryption will somehow make the data in question more secure is a notion that has been obsolete since World War II. Strong crypto assumes, rather, that despite the fact that the encryption algorithm is a matter of public knowledge, that the data in question will remain encrypted and secure.


Open Source software is based on a similar notion of security. Hiding source code is a bad way to assume you'll achieve security, because even a powerful and highly proprietary company can't
guarantee that source code won't leak out
. Instead, security should be based on a worst-case scenario: assume your "adversary" has access to the source code.


Starting from worst-case assumptions is just plain common sense. Any other security plan is simply madness. Open Source software inherently takes this approach to security.
The best example of this would be the
Net BSD operating system, which is not only completely Open Source, but also has a security auditing procedure that would be the envy of any corporation.


Setting aside this fundamental philosophical difference about security, is Open Source really any more vulnerable than proprietary software in the ways that Jones describes?


Jones worries that someone from within the project could include code allowing some kind of exploit. How is this different from proprietary software?


Programmers, whether working on Open source or proprietary code, routinely include surprises in their code. Most of these are harmless; they're called Easter eggs. With proprietary code, there's little chance these will be uncovered once the binary ships. With Open Source, constant peer review will bring this code to light.


When these "surprises" -- intentional or otherwise -- do turn out to be security risks, Open Source appears to have a better track record at prompt and effective correction. Open Source projects respond with security fixes within href="http://news.com.com/2100-7344-5117271.html?tag=nefd_hed">days
to weeks
. Microsoft has taken href="http://www.silicon.com/software/security/0,39024655,39118331,00.htm">six
months to respond to a major security hole in Windows, and has a number of known but unresolved security issues with Windows.


Jones acknowledges that the Open Source community can provide an effective resource for identifying and addressing vulnerabilities. His claim is that because the source code is freely redistributable, a company or organization with questionable intentions could distribute a "hacked" version to an unwitting customer.


It's hard to see the force of this argument, or what it has to do with Open Source. If a government agency, or any other software licensee, chooses to use an unknown company of unverified reputation as its software supplier, all for the sake of saving money, then it takes a risk. This is true whether the software in question is proprietary or Open Source. There are any number of well known and reliable companies who supply and support Open Source software, and indeed for many application areas the vendor choices are more numerous -- and hence more competitive -- in the Open Source arena than in the world of proprietary software.


Jones closes his argument by questioning whether the Open Source community can do an effective job of policing itself, asking, in effect, "who's watching the watchers?" Again, one could ask this question all the more acutely of a company like Microsoft, that allows no outside or independent audit of its source code.


More importantly, one could ask this question of Jones' own company, DevX.


Journalism is a difficult profession, demanding a rigorous editorial line between "church and state". In this era of increasing media consolidation, it's important to think about who the investors in or advertisers are with any given media company. Before buying into the editorial line coming from any media company, one should first think about potential conflicts of interest between the company's revenue sources and its editorial stance. In other words, buyer beware.


DevX draws revenue from two sources: from online advertising, and from creating microsites for technology companies where it regurgitates corporate content under the guise of a nominally independent site. This is not exactly a business model to inspire confidence in editorial independence, particularly given that proprietary software companies, including Microsoft, figure prominently in DevX's revenue.


I wouldn't want to directly acuse Jones of bias based on conflict of interest. DevX's business relationships, however, do suggest that an argument like Jones' should be held to a higher standard of evidence and rational argument than he has offered us so far.

Has the openness of Open Source software created an added security risk at your company, or has it enhanced security at your company?


12 Comments

tverbeek
2004-02-14 05:04:52
peer editorial review :)
Did you perhaps intend to refer to "OpenBSD" rather than "NetBSD"? No slight against the Net* folks, but it's OpenBSD whose approach to security has resulted in so few remote exploits over the years that one can still count them using only one's thumbs.
johnhebert
2004-02-14 05:13:23
security is enhanced, because open source gives me choices
Excellent article, although I wish it went into a little more detail and depth.


The security at my company has been enhanced by open source software for many reasons, but I will list the two I consider the most important:


1. Security problems are disseminated quickly in public.
2. I can choose to run another application to replace the insecure application, if needed.


In the case of closed source software providers, security problems are _not_ disseminated quickly. Closed source software providers would rather keep the problem from public knowledge until the problem is fixed.


Concerning open source application choices: I assume it is cheaper to migrate from one open source application to another (let's say, sendmail to Postfix) if a patch cannot be made available quickly for an application security bug (which is usually not the case), than to migrate between similar closed source applications (say MS SQL Server to Oracle). In the case of some closed source applications (MS Internet Explorer) you can't uninstall it at all, as it is considered part of the operating system.


Since open source software is developed by a public community, it only made sense to build the applications upon open standards and protocols, therefore migration between similar open source applications is cheaper.

otto
2004-02-14 07:00:36
build from source
" the model breaks down as soon as the core group involved in a project or distribution decides to corrupt the source, because they simply won't make the corrupted version public."


Stupid.. if you're concerned about hidden security risks, just download the source, have it looked over and build from source.

crovira
2004-02-14 07:37:41
Open source is far more secure that closed.
Back before Bill Gates started whining about it, (in Dr. Dobb's Journal of Computer Calisthenics and Orthodontia,) ALL software was open source.


I worked on McCormack & Dodge's accounting system and that was open source. That was debugged with and through user feed-back.


For the government, I worked on other app.s which were open source. Actually, the concept of 'closed source' does not apply in government work except for classified stuff.


Before Bill came along, you had a hard time trying to sell closed source in the software business. Actually, you still do. There is NO WAY someone is going to plunk down a million dollars for software without the source.


That's why Microsoft is getting into games, trying to lock in users beyond its desktop with software patents, and so on.


It sees the end of closed source.

gilbertf
2004-02-14 10:10:26
NetBSD, OpenBSD, FreeBSD
Either it is NetBSD or OpenBSD doesn't matter that much. Those projects exchange code and information and they are usually closelly related to security and bugs.
nrlz
2004-02-14 15:18:10
good article
This is a good article about open source. Except I have a few bones to pick.


Too often people assume that secrecy equals security. Nothing could be further from the truth.


The latter part of the sentence is really an overstatement. Secrecy does play a part in security. Maybe not a lot but it does and it varies.


Starting from worst-case assumptions is just plain common sense. Any other security plan is simply madness.


That depends on how much security you want. Often times we don't need 100% security, maybe just 80% security is enough so it is not necessary to start from the worst-case scenario.


Open Source appears to have a better track record at prompt and effective correction. Open Source projects respond with security fixes within days to weeks. Microsoft has taken six months to respond to a major security hole in Windows, and has a number of known but unresolved security issues with Windows.


You are taking the general case of things. (And not taking the worst-case scenario as you mentioned.) Only Microsoft has such a track record of responding. Many other closed source companies which are serious about software respond just as well and sometimes better than their open source alternatives.

jjs
2004-02-14 17:13:50
Missing the point
"the model breaks down as soon as the core group involved in a project or distribution decides to corrupt the source, because they simply won't make the corrupted version public."


This makes no sense in his accusation. How do they get the corrupted version out there? Only three scenarios I can think of:
1. They don't release the code. OK, no problem, since that means it's not available from anyone.
2. They put the corruption in the source code. Guess what? Everyone sees the exploit, and the person who put it there is no longer trusted.
3. Corrupted binary, but leave the source clean - that works until someone compiles the source and finds out it's different (which is normally quickly). Again, those who corrupted the binary are not trusted.


Bottom line - Open Source PREVENTS this, because he's talking about hiding an exploit in plain site - very difficult!

nitroburn
2004-02-15 10:37:01
nice
I agree with many of your points of his ethics. After did you notice the gigantic microsoft ad on his article? A little biased. YES.


Government (at the US) is the one that sets the security ratings of operating systems. Our government uses linux in applications where it is needed. For instance for national security. open source yet no one knows what open source project they are based upon. That in itself makes it hard for someone to be able to setup an attack against it. Altho for desktop systems at a local school. dells with windows xp(i hate those things).


The main reason people critisize open source is because it is beyond their knowledge. I am learning programming right now. I will be the first to tell you I don't know shit! You can't critic open source if you don't know source!


Lastly, most security flaws are found by geeks. If a lot of geeks can look at source it is less likely that something will be exploited. As with closed source once a security hole is found and exploited it will be ongoing until it is patched.

musnat
2004-02-16 06:48:35
Biased article from O'reilly
I am sorry but I was hoping that divx editor was wrong. I have seen nothing but an answer which confirms the divx editor's arguments. First of all, the author tries to discredit the other person through accusations, which hint us that the author really got angry in a reasonable argument and just couldn't hold himself.


The divx editor proposes his arguments in a very sensible language, whereas the o'reilly author starts with bashing people and ends with bashing people. Between these two instead of addressing the arguments, he simply talks about other stuff and make bunch of claims.


Too sad people who support open source become too much dogmatic about these issues.

dave128
2004-02-16 11:57:12
Biased article from O'reilly
From you, I have seen nothing but an answer which shows that you have not read the article. Divx? It's DevX. Discredits through accusations? Any hint of that is only at the end of the article.


Stone's argument does not rely on accusations. He touts the security of Open Source software through its openness, and questions the safety of any software which relies on security through obscurity.


He also points out that some of the DevX Editor's arguments are equally applicable to closed-source software.


It might be a good idea for you to read an article twice before replying.

musnat
2004-02-17 17:58:24
Biased article from O'reilly
Cheap corrections like devx does prove that your whole support for open source is based on microsoft bashing. I have read the articles, yet it seems that your hate prevents you from making a logical conclusion and reasoning. The best way to understand whether an article actually answers another article is to look at whether it has personal attacks or not. Clearly O'reilly article has them, and it doesn't even address the concerns raised in the article, thus one has to conclude that this article is nothing more than zealtory. I don't think people are going to buy cheap shots at Microsoft or people who raise serious questions about certain issues in open source. This is not even remotely related with whether you are pro or anti Microsoft. You might be anti-Microsoft and still raise the same question, however many insecure anti-Microsoft people hate to see these questions and thus make personal attacks, that's why O'reilly article is very poor in taste and barely matches similar Slashdot editorials. Putting the dirty stuff under the rug will not make open source better. You are free to correct any grammatical errors, however the points made will remain here.
musnat
2004-02-18 00:39:09
nice
I don't know why so many people turn out to be idiots when it comes to Microsoft, but do you see the Microsoft banner ads on this very particular site? Even slashdot shows Microsoft ads? I don't know what to call a person who acuses someone of being biased based on the ads other than an idiot. We see more people on the open source side like these, I don't know why. Also it seems that people on the open source side seem to be more and more dogmatic about very obvious technical issues. People with psychological problems do not see a problem with being rude to others and even threat others so openly just to supress their ideas.