Open VS Closed Source Software: Which is more secure?
This is the presentation given at the quarterly "Free Beer Sessions", answering the age-old question of whether open source software is more secure than its closed or proprietary counterparts.
The presentation gives an overview of the philosophies and history driving both methodologies and provides case-history examples to answer the question.
11. Richard Stallman
1983
“‘Free software’ is a matter of liberty, not price. To understand the concept, think of ‘free’ as in ‘free speech’, not as in ‘free beer’.”
12. Linus Torvalds
1991
“Hello everybody out there using minix. I'm doing a (free) operating system (just a hobby, won't be big and professional like gnu) for 386(486) AT clones.”
13. Eric Raymond
1998
“People are imperfect. What we have learned through the ages, though, is that combining lots of people creates a better end result, ... For some reason, we forgot that when it came to developing software.”
14. OSS Definition
1. Free Redistribution
2. Source Code
3. Derived Works
4. Integrity of The Author’s Source Code
5. No Discrimination Against Persons or Groups
6. No Discrimination Against Fields of Endeavor
7. Distribution of License
8. License Must Not Be Specific to a Product
9. License Must Not Restrict Other Software
10. License Must Be Technology Neutral
Source: www.opensource.org
16. Source code of the software is not available, or the licensor does not grant the freedoms to use, modify, and distribute that are granted by free software licenses.
- Source: Wikipedia
17. “Who can afford to do professional work for nothing? What hobbyist can put 3 man-years into programming, finding all bugs, documenting his product and distribute for free?”
- Bill Gates, 1976
18. “There are fewer communists in the world today than there were. There are some new modern-day sort of communists who want to get rid of the incentive for musicians and moviemakers and software makers under various guises. They don't think that those incentives should exist.”
- Bill Gates, 2005
19. “Linux is a cancer that attaches itself in an intellectual property sense to everything it touches.”
- Steve Ballmer, 2001
25. “In an open source project, to make a mistake and have it known to the entire development community and your friends is mortifying to the extreme … the last moment before hitting the Enter key – to commit a change or send a patch out into the cold cruel world of your peers – is the longest moment imaginable.”
- Michael H. Warfield, senior researcher, Internet Security Systems
27. Factors to Consider
Time to compromise
Speed at which flaws are fixed
Number of vulnerabilities
Major virus outbreaks
Trust
28. Time to Compromise
• Time taken to compromise an unpatched Linux vs. Windows XP machine
29. Time to Compromise
Linux:       3 months*
Windows XP:  4 minutes (pre SP2)*, 18 minutes (post SP2)**
WINNER: Linux
Sources:
* Honeynet, “Know Your Enemy: Trend Analysis” (2004)
** Symantec, Internet Security Threat Report (2004)
31. Bugs
The article “Apache avoids most security woes” found that Apache’s last serious security problem had been announced in January 1997.
The article “IT bugs over IIS security” found that Microsoft had reported 21 security bulletins over the same period, 8 of which were rated highly dangerous, compared with 0 for Apache.
Sources: eWeek & www.dwheeler.com/oss_fs_why.html
34. Fixing Flaws #1
Vendor        Number of advisories   Average time to resolve after discovery
(not given)   31                     11.2 days
(not given)   61                     16.1 days
(not given)   8                      89.5 days
Source: SecurityPortal
WINNER: open source (the 11.2-day row; see the tally on slide 49)
36. Fixing Flaws #2
The U.S. Department of Homeland Security’s Computer Emergency Readiness Team (CERT) recommended using browsers other than Microsoft Corp.’s Internet Explorer (IE) for security reasons. Microsoft had failed to patch a critical vulnerability for 9 months, and IE was being actively exploited in horrendous ways.
Source: US Department of Homeland Security, CERT
37. Fixing Flaws #2
According to Symantec Corp., Mozilla Firefox fixed its vulnerabilities faster, and had fewer severe vulnerabilities, than Internet Explorer.
WINNER: Firefox
Source: Symantec, 2004
39. Fixing Flaws #3
eWeek Labs’ article “Open Source Quicker at Fixing Flaws” listed specific examples of more rapid response. A serious flaw was found in the Apache Web server; the Apache Software Foundation made a patch available two days after the Web server hole was announced.
WINNER: Apache
Source: eWeek, article: “Open Source Quicker at Fixing Flaws”
40. Virus Outbreaks
Computer viruses are overwhelmingly more prevalent on Windows than on any other system.
42. Virus Outbreaks #1
Microsoft IIS features twice as often as a malware-distributing server (49%) as its overall share of web servers (23%) would suggest.
WINNER: open source
Source: Google, Online Security Blog (2007)
44. Who to Trust? #1
The European Parliament calls “on the Commission and Member States to promote software projects whose source text is made public (open-source software), as this is the only way of guaranteeing that no backdoors are built into programmes [and calls] on the Commission to lay down a standard for the level of security of e-mail software packages, placing those packages whose source code has not been made public in the ‘least reliable’ category” (5 September 2001; 367 votes for, 159 against and 39 abstentions).
Source: European Parliament A5-0264/2001
45. Who to Trust? #2
• April 2000: it was discovered that FrontPage contained a deliberate “backdoor”
• It had remained undetected for more than 4 years
Source: TruSecure, paper: Open Source Security
46. Who to Trust? #3
• Sometime between 1992 and 1994 a “back door” was inserted in the InterBase database server
• The vulnerability stayed for 6 years
• Borland released the source code in July 2000 as OSS/FS
• Firebird launched
• 5 months later CERT identified the vulnerability and it was patched shortly after
48. Comparison EULA to GPL
                                                   EULA   GPL
Percentage of license which limits your rights     45%    27%
Percentage of license which extends your rights    15%    51%
Percentage of license which limits your remedies   40%    22%
Source: Cybersource, “A comparison of the GPL and the Microsoft EULA”
49. The Tally
Factor                    Open Source   Closed Source
Time to compromise        ✔             ✖
Number of critical bugs   ✔             ✖
Speed at fixing flaws     ✔             ✖
Number of viruses         ✔             ✖
Who to trust              ✔             ✖
50. Conclusion
• “Openness” of source code is one factor of many when considering security
• Being open doesn’t automatically mean more secure
• The underlying motives driving open source can lead to better software development
• History has shown that good open source projects tend to be more secure than their closed counterparts
• It’s a question of who to put your trust in
52. References
• Why open source? (David Wheeler)
• The security implications of open source software (IBM)
• Open source versus closed source security (Jason Miller)
• Open source security: A look at the security benefits of source code access (TruSecure)