Open Source Security Problems?

by Steve Anglin

Related link: http://www2.theserverside.com/home/thread.jsp?thread_id=16689&article_count=6



Posted by Jordan Zimmerman on TheServerSide.com:



"A recent research note from two analysts at the Aberdeen Group calls open-source software and Linux distributions the '2002 poster children for security problems.' Of the 29 advisories issued through October by the CERT Coordination Center at Carnegie Mellon University in Pittsburgh, 16 of them addressed vulnerabilities in open-source or Linux products."






What's your experience with open source software and security issues? What do you think of these findings?


4 Comments

spaceman
2002-11-25 13:17:51
But, they're known, and quickly fixed.
I prefer it that way. That means to me that there are more people looking over the code.


With no code to examine (closed source) you're only left wondering about the ones that you don't know about and are never fixed. Or at least until the next 'upgrade'.


Sure, people don't apply patches. But, I do. And if you care about security so do you!

anonymous2
2002-11-25 14:04:19
Don't be complacent
There are well-discussed problems with this report, and it would be crazy to switch back to windows for security reasons.


But flawed as it is, do not dismiss this report
for 2 reasons:


1. The vulnerabilities in openSSL, openSSH,
and BIND are embarassing and a real pain.
As a sysadmin, I had to jump to patch
my systems. Way more embarassing than
the existence of the problems, though,
are all the sysadmins that did not
patch their systems, even after weeks
and weeks. The fact that open source
_can_ be more secure does not mean it
_is_ more secure unless everyone acts
accordingly.


2. MS employs many smart people, and they
can change their habits. Open source
may be more secure now, but I am less
confident of that being true in 3 years.
What I do know is that in 3 years, I'll
still be patching systems, swearing
under my breath but grateful to everyone
who does the security audits.



DerekVadala
2002-11-26 10:51:11
Proprietary vs Open Source
How come these comparisions are always Windows versus Open Source/Linux. Doesn't that give an unfair advantage to Windows? After all, there are a lot of vulnerabilities in OSS that shouldn't necessarily be applied to Linux. For example, the BIND vulnerabilities. Seems like these studies should be proprietary versus open source. In that case it would take into account exploits found for things like Coldfusion, JRun, Cisco routers, etc. I think you'll find that the ration is even if you look at problems in this way.
anonymous2
2002-11-26 13:03:47
ok you say Open Source vs Windows !
OK so how come windows don;t patch their own vuln for weeks and even months of delay ???
Is this a good security? And what if a cracker knows this weeknesses and i don;t , and there is no patch to solve them ??? Is this a secure system?
I don;t think so !!
So tell me do you put in this "Open Source" all of the *BSD and Unix like clones ????
I think that OpenBSD/NetBSD/FreeBSD and the new MicroBSD are more secure then every M$ out there on the market.If we start to count the vulns between closed source and Open soruce i think OSS wins.
So don;t put titles like this please.