Ounce Labs, makers of the Ounce 6 code analyzer for vulnerability scanning, say that recent criticisms surrounding the security of Open Source Software are off-base and, in some cases, counterproductive to security itself.
“Most of the security arguments against open source software are misleading. There is a myth out there that because the bad guys can see the source code, there is more security vulnerability,” said Ounce Labs founder and CTO Jack Danahy. “The relative security of software – whether it’s open source, commercial or home-grown – is much more dependent on whether security was a top priority during the development cycle, or just an afterthought.”
“Some in the industry will have you believe that there are inherent security problems in the development methodology of open source software that expose users to greater risk of security breaches. In our experience with customers, and in our work supporting the open source community, we have found strikingly little difference in the overall security of open source programs and those developed in a more proprietary manner.”
When people think 'Open Source', they instantly think of free software and Linux. Linux, which is a kernel and not an operating system, is Open Source, but Linux is only as good as the developers who make it. When Linux is packaged with other software to create one of the numerous operating system distributions, that added software can be just as open to exploitation as the software packaged on Windows unless it is coded securely.
This is seen in daily mailing list notices and package updates. In this week alone, security patches were released for Apache, RealVNC, BIND, OpenOffice, KMail, and Firefox, all Open Source projects (week of 03/09/09).
As Danahy said, if security is built in from the start, then applications are developed securely and most of the common flaws are caught and fixed early. Peer review is largely responsible for this, not -- no offense to Mr. Danahy or Ounce Labs -- static code scanning.
Since anyone can read the code, security problems can be found and fixed quickly. The problem is that there are countless Open Source projects but very few developers or dedicated security researchers with the time to review the code and test it. That lack of peer review is why there will always be some application with a security issue.
Open Source applications have always taken, and always will take, a beating when commercial vendors that use closed source code have to compete with them. Fear is a strong selling point, and so is pain. Scare prospects with the fear of security issues, and with the pain of already having been exposed because of them. If the company making the pitch against Open Source knows the prospect has faced security issues, the level of fear and pain used only increases.
This tactic can go both ways as well.
“The bottom line is this,” continued Danahy, “there is an endless supply of both secure and vulnerable software across the commercial, open source and proprietary domains. The assessment of the scope, severity, and situational impact of those vulnerabilities should be a core process in any software acquisition, regardless of the source.”
True, there is also the consideration of business practicality. Sometimes Open Source just isn't what a company needs, for one reason or another, but that should never stop a company from seeking alternatives and investigating Open Source options.