Open Source Software - Inherently Secure or Inherently Untrustworthy?
Background
Whilst Open Source software is – strictly speaking – defined in terms of a specific type of licensing structure, in practice the phrase is generally understood as referring to software developed by communities of people devoted to working collaboratively, with the resultant source code being freely available to all for further development and enhancement.
This “openness” – characterised both by the lack of secrecy surrounding the underlying code and also the royalty free availability of the software itself – serves as a radical counterpoint to the traditional concepts underpinning “proprietary” software, where software vendors go to extreme lengths to safeguard the secrecy of their source code in order to preserve the market value of their product and prevent unlicensed copies from undermining that value.
Not surprisingly, the IT establishment was initially highly sceptical – and somewhat “sniffy” – about the open source movement, characterising it as communities of geeks locked in dark rooms, living on pizza and caffeine, bashing out code through the night with scant regard to the rigorous disciplines of formal software development lifecycles, change control, QA and so on that (in theory at least) apply in the R & D centres of the leading commercial software vendors. However, despite the early scepticism, open source software is now achieving “mainstream” acceptance and – perhaps ironically for something originating from a radical alternative movement – a major factor in that acceptance process is an increasing perception that open source code is inherently more secure than traditional proprietary software.
Is this perception myth or reality?
Radical Alternative Becomes Mainstream
Although the majority of open source developers remain part of traditional online communities, major corporations with their roots in proprietary technology are becoming increasingly involved in these endeavours. For example, according to a report in April 2005, the development of OpenOffice (an open source alternative to Microsoft Office) is being driven by 50 developers from Sun Microsystems, 10 from Novell, and only 4 active community developers.
Some well known open source projects include Linux, Firefox, MySQL, Apache and OpenOffice. Take-up of these technologies is on the increase. For example, according to a June 2005 study (1), 56% of large North American companies are using Linux, with a further 19% planning to use it. Significantly, 38% of these companies saw better security as a benefit of open source software.
The Firefox web browser is probably the best known open source product amongst the general public. It also prides itself on its security – for example, Firefox does not support VBScript or ActiveX controls. So while it is known primarily for being free, enhanced security is a highly promoted feature.
Open Source Software – The Security Debate
Open source technologies are seen by many as providing enhanced security benefits. Firefox is just one example. Indeed, there is a perception among many that open source applications such as Firefox are inherently more secure, but why is this?
Eric Raymond, a legend in the open source world, coined the phrase “given enough eyeballs, all bugs are shallow” – the “Many Eyes” argument. That is, since open source software can be viewed by anyone, problems tend to be found sooner than they would be if the code were closed to the outside world, as proprietary software is. This would in turn tend to make open source products more secure than their proprietary counterparts.
However, despite “many eyes” looking at the code, the fact of the matter is that many open source products still have plenty of security holes. The commonly used FTP server wu-ftpd (despite having less than 8,000 lines of code) had security bugs that lay undiscovered for years. Recently, the X Window System, used as the GUI layer on virtually every Linux machine, was found to have a major vulnerability despite its near universal use in the open source world. And so on.
So although “many eyes” may be looking at the code, they are not necessarily finding all the problems. Manually reviewing code can be tedious and difficult, and the many eyes aren’t necessarily looking for security problems, only at whatever interests them.
Open source projects can be very complex. For example, OpenOffice is a massive project with around 10 million lines of code. Many eyes may help find some holes in this monster, but just how many eyes are needed? The open source community is only so large, and divided up amongst thousands of projects, the talent is inevitably spread rather thinly.
Further, many eyes won’t resolve an inherently insecure design. While proprietary products are usually designed from the ground up, open source products often simply evolve over time – not a recipe for well architected security.
So while “many eyes” may help find problems with software, they are certainly not going to find all the problems, especially with a complex project or something with inherently insecure design. Open source certainly has the potential to be more secure, but only if rigorous security auditing actually takes place. It is not more secure by nature.
Security In The Proprietary Realm
The open source community claims that proprietary products practise “security by obscurity” – i.e. there may be security holes, but as long as no one can see the code they are going to be difficult to find and exploit. The typical example of security by obscurity cited by open source aficionados is “any product from Microsoft”. Indeed, a Microsoft employee some time ago suggested that the security community should show restraint in releasing information about vulnerabilities, perhaps taking “security by obscurity” to an extreme.
The argument against security by obscurity derives from Kerckhoffs’ Law from the field of cryptography, which states that the acid test of the security of a cryptographic system is that it should still be secure if potential attackers know everything about it except the key. Eric “Many Eyes” Raymond, citing Kerckhoffs’ Law, gives his “Reformulation for the 21st century”: “Any security software design that doesn't assume the enemy possesses the source code is already untrustworthy; therefore, *never trust closed source*.” (2)
Whilst members of the open source community tend to deride the security of proprietary software (particularly the concept of “security by obscurity”), it has to be said that many people see it in precisely the opposite way. To them open source software is written by a radical alternative community (that might include hackers) who have no accountability or interest in rigorous software development methodology.
Commercial and government organisations perhaps understandably take a conservative approach to security matters and are reluctant to follow the open source route. Statistics on Firefox usage show that it peaks on weekends, suggesting that take-up amongst enterprises is relatively low. However, this conservative faction should bear in mind that the track record of Microsoft’s enterprise software – by far the most widely used in the global market – is far from impressive from a security perspective. Despite the methodologies and resources that this giant can bring to bear in its software development lifecycle, it continues to produce software with a surprisingly large number of vulnerabilities. Scanit conducted a study (3) of dangerous remote code execution vulnerabilities reported in 2004 for three major browsers: Microsoft’s Internet Explorer, Mozilla based browsers, and Opera. The results showed that a fully patched Internet Explorer was vulnerable to publicly known vulnerabilities for 98% of the year, compared to 17% for Opera and 15% for Mozilla.
Caught In The Crossfire
Unfortunately, the debate about the relative security of open source and proprietary software often gets caught up in the broader “evangelical” battle between the two camps.
In one corner are the open source zealots who are uncompromisingly anti-commercial and anti-proprietary software. Most of the time Microsoft takes the brunt. At the most extreme end of this spectrum you have, for example, Distributed Denial of Service attacks on www.microsoft.com, which are often assumed to be a salvo fired in the war between free and closed software.
In the other corner is big business, with Microsoft leading the way. Its “Get the Facts” campaign has been criticised by many for misleading total cost of ownership comparisons of Windows versus open source Linux operating systems. In South Africa, an advert was withdrawn at the direction of a regulatory body for unsubstantiated claims after Microsoft claimed that its operating system offers better security than a bank safe, and was so secure that hackers would become extinct.
In this battle, misinformation and distortion come from both sides, and do neither side any credit. Rational debate about technical security issues gets buried in the broader propaganda war, and it is difficult for most IT professionals to know what to believe.
Conclusion
So, is open source software inherently more secure than “mainstream” proprietary software? Or is it untrustworthy, written by wild radicals who couldn't give a fig about structured software development lifecycles?
Certainly, there are many examples of good, secure open source projects. Firefox is just one. Equally a lot of open source software has numerous security vulnerabilities. At the same time, the leading proprietary enterprise software in the global market is notorious for its security vulnerabilities.
Interestingly, a 2001 report (4) on the rising phenomenon of open source software, published by the UK Ministry of Defence (who, not unnaturally, can be regarded as “hardliners” in the security world), concluded that open source software should not be regarded as inherently less secure than leading proprietary software. The report did not state that it should be regarded as inherently more secure – but it did refer to the fact that a leading UK insurance company offering insurance against hacking demanded a 25% premium if the insured party was running Windows NT (which at that time was the leading global proprietary enterprise operating system).
Though it may sound like sitting on the fence, the only real conclusion that Safecoms can draw is that the security of any given piece of software needs to be looked at on a case by case basis. You cannot say that any open source software is or is not likely to be more secure, or argue the same for proprietary software. Each application or product needs to be treated in isolation, and then praised or damned by its actual security record.
David Cahill
Security Consultant
References
(1) http://www.information-age.com/briefing_rooms/it_infrastructure/management/source_material
(2) http://lwn.net/Articles/85958/