Slashdot Mirror

← Back to Stories (view on slashdot.org)

Security of Open vs. Closed Source Software

Posted by michael on from the flame-retardant-suit dept.

morhoj writes "Cambridge University researcher Ross Anderson just released a paper concluding that open source and closed source software are equally secure. Can't find a copy of the paper online yet, but I thought this would make for an interesting morning conversation. You may not agree with him, but anyone who's on the BugTraq List can tell you that open source software isn't as bug free as we would all like to think." I found Anderson's paper, so read it for yourself. There are some other interesting papers being presented at the conference as well.

14 of 349 comments (clear)

  1. Security Bugs are inevitable by Nerant · · Score: 4, Insightful

    Security bugs in software are inevitable : it is bound to happen , sooner or later. A properly setup system can mitigate some of these problems (ie. chroot, modified security kernels). What my concern is is how long and how public security disclosures are, and how long the affected vendor takes to issue a bugfix.

    --
    Be kind. There are too many mean people out there already.
    1. Re:Security Bugs are inevitable by dnoyeb · · Score: 5, Insightful

      I think we should be careful to draw a distinct line between a Security 'flaw' and a 'bug'.

      A flaw is an error in judgement. A bug is an error in coding. The original poster ended his statement that Open Source has lots of bugs. This is unrelated to security unless they are specifically security related bugs.

      In any event, the speed at which you can lock down the Fort HAS to be a consideration.

      I mean, We have planes flying in Iraq and Afganistan right now. They are being shot at all the time, but they move fast enough to get out of the way. OpenSource moves faster than closed source so I can't possible see how the article writer concluded they were equal.

      Equally buggy, yes. Equally secure, puhleez.

  2. Duh... by sootman · · Score: 5, Insightful

    Security != number of bugs. There's 'severity of bugs' and 'speed of fixes', not to mention the OS's and software's design in the first place--think permissions, user spave vs. kernel space, etc.

    --
    Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
  3. Maybe... by ins0m · · Score: 4, Interesting

    The trade-offs:

    Pros:
    Closed-source: No one can see your code, thus eliminating obvious exploits (buffer overflows, race conditioning, etc.) from being quickly jumped on. Less chance that an external developer will accidentally or intentionally misuse some of your libraries or otherwise write in exploitable code.

    Open-source: Everyone can see your code, thus allowing a multitude of additional glass-box testers to help patch things more quickly to adapt around problems a project leader may/may not see. Quick turnaround on patching of code.

    Cons:
    Closed-source: Limited field of testers; slower turnaround on bug/exploit fixes when even reported (can go on unreported for months, or even when reported, may be ignored or shelved indefinitely).

    Open-source: Since everyone can see your code, some black-hat punk is invariably going to find some exploit and blast your distributions for it. Also, QA is nigh impossible to timely enforce when 100's of developers submit patches, sometimes anonymously.


    Opinion: Both may seem to be even; however, the timeliness of a fix can make all the difference in security, and waiting days vs. weeks or months for a patch can make or break an information-driven business. Also, even if an open-source project is patched with an exploit ingrained, there will still be a quick turnaround on patching it, as there is for any bug. IANA genius, but at least from a business standpoint, it would seem that quick and usually-reliable beats slow but usually-guaranteed.

    --
    Never attribute to Hanlon that which can be adequately attributed to Heinlein.
  4. Which tend to be patched faster? by Pentalon · · Score: 4, Insightful

    I haven't read the paper yet, but I would say that if generally any two particular pieces of software have the same number of bugs or security issues, the open source software will benefit technical server groups more for the ability of those groups to analyze the code and make their own fixes if necessary, and for the way in which the community generally very quickly responds to discovered flaws. Closed source software does not tend to respond as fast or offer the flexibility of allowing users to analyze the code. Of course, I haven't read the paper yet. Maybe they take that into account.

  5. Oversimplified, abstract, and useless by iiii · · Score: 5, Insightful
    Idealizing the problem, the researcher defines open-source programs as software in which the bugs are easy to find and closed-source programs as software where the bugs are harder to find. By calculating the average time before a program will fail in each case, he asserts that in the abstract case, both types of programs have the same security.

    I am not sure how much value this has. There are a lot of other considerations.

    With open source you have the source, so you can do something about bugs, you can fix them. And you can also look for potential issues in the code. You are in control of your own security. And a potential attacker has no idea what you've done with your particular implementation.

    With closed source you are completely dependent on the vendor to provide fixes. First you have to prove to them that something is wrong, then, if you are lucky, after some period of time, the will provide a udpate which may or may not fix your particular problem. They may not be as motivated as you would be to fix the problem.

    I'll take the Open Source choice any time. That way the people who care about security are the ones in control of security, an arrangement that is likely to work better than any other.

    But at least "he acknowledged that real-world considerations could easily skew his conclusions. "

    --
    Light cup, beer drink, thin so chain, neck turtle fat, man I won't say it again
  6. Re:Might be controversial by demaria · · Score: 4, Insightful

    Patches are a big deal, especially in production environments. You can't just willy nilly upgrade the kernel on a high load and important server. Bigger departments/companies have a change management system in place so that everyone know when any piece of software is upgraded, when it will happen, who is to blame, and why it occured. Patches can cause unexpected problems (like that linux one that corrupted the file system a few months back). This process may take days or weeks to complete.

  7. bugtraq reference by MartinG · · Score: 5, Insightful

    open source software isn't as bug free as we would all like to think.

    All this shows is that open source software has had more bugs discovered and fixed than we would have liked there to have been in the first place. It has no relation at all to the number of remaining undiscovered bugs, and therefore no relation to the security of the software in question.

    It's simple:

    Assumptions:
    1) When written, open source and closed source software have on average the same number of security bugs.

    Observasions:
    1) The number of security bigs in a piece of software only decreases when they are fixed.
    2) A security bug is typically fixed after, and as a result of it being discovered. (they can be fixed by accident, but i will neglect this as it's irrelivent anyway)
    3) Closed source software and open source software can both have bugs discovered by trial and error style cracking.
    4) Open source software can have bugs discovered due the sheer numbers of people with access to the source.

    Conclusion:
    1) I conclude that open source sofware will tend to have any bugs discovered more quickly because there are more ways to discover them, and all ways available to closed source are also available to open source.

    Can anyone fault my reasoning? It seems to me that both start equal on average, but open source will tend to have the bugs removed more quickly.

    --
    -- MartinG To mail me: echo kewyjlcxyzvjfxbqwh | tr bcefhjklqvwxyz .@adgimnoprstu
    1. Re:bugtraq reference by Mr_Silver · · Score: 4, Insightful
      4) Open source software can have bugs discovered due the sheer numbers of people with access to the source.

      True, but just because they can doesn't mean that they do. One of the great myths about open source is that *anyone* can just dip in and discover a bug and how to fix it. That simply isn't true.

      I can find bugs in closed and open source bugs in exactly the same way, by using the product until something wrong or unexpected happens. But just because I have access to the source doesn't mean that I could actually fix the bug.

      If you look at projects such as Apache and Mozilla, they tend to have a number of people who know the code very very well and a few that given a couple of hours might be able to work something out and a very large number of people who, in the whole grand scale of things, are of no use at all in providing a fix to a bug.

      This contrasts to a large number of individuals in an organisation who know the code very well and work with it day in day out.

      Finally let us not forget that whenever people talk about security they often use Apache and IIS as their examples. Be aware that these are not really good examples. Not all OSS projects are of Apache's quality and not all closed projects are of IIS' quality.

      You've ended up picking one of the best in the OSS world vs one of the worst in the closed world. It would be a little like compairing Ford's best car with Vauxhalls worst. Just because the Ford won all the time, does it mean that all Ford's are always better than all Vauxhalls?

      (I think Vauxhall is Opal in the US)

      --
      Avantslash - View Slashdot cleanly on your mobile phone.
  8. Re:Of course not... by great+throwdini · · Score: 5, Insightful

    Open source bugs can be fixed by anyone, but closed source bugs need to be fixed by vendors [...]

    Correction: open source bugs can be fixed by anyone with requisite knowledge, talent, and time. This would include things such as familiarity with the particular software package, affected platforms, and programming language and the energy and ability to ferret out the bug(s) and apply an appropriate fix. Then one has to factor in that package maintainers may or may not readily allow outside submission (e.g., bigotry, internal/peer review, etc.) of fixes, which may slow, hamper, or block the transmission of fixes. Add into this issues of trust, where a "fix" is offered by someone who lacks proper credentials (official or "street") to someone who has no clue how to evaluate the original issue or the proposed remedy.

    Granted, given the nature of open source software, the population of people who may repair a bug may be larger than that for closed applications, but that doesn't force into being an army of people with the inclination or skills to do so, or an effective and trustworthy means to distribute said fixes.

    I favor the potential for open source to improve response time to bugs, but I don't think one can claim "anyone" can address issues in an appropriate manner. There's no reason a skillful and organized firm couldn't address security concerns for a closed application it offers with any less celerity than maintainers of an open application.

  9. A more practical view by Trailer+Trash · · Score: 5, Insightful

    I have been running an ISP now for two and a half years, using Linux and FreeBSD exclusively. In that time, the following items have cropped up that I had to fix:

    1. Bind hole (root exploit at the time, now it's chroot'd and running as named.named)
    2. ftpd (root exploit, I turned ftpd off)
    3. telnetd (root exploit, turned it off, too)
    4. openssh (root exploit, simply recompile of new version)
    5. current Apache bug, which even if it's an exploit is far from root or anything else useful

    That comes down to a problem to be fixed every 6 months or so. This is real world. It doesn't matter a rat's ass to me what all shows up on Bugtraq, what matters is if someone is going to be able to hack my boxes. Most of the "bugs" aren't going to leave me open to remote exploit.

    Given that, it's ludicrous to say that my setup is no more secure than a Windows/IIS setup. IIS updates come out weekly, sometimes requiring reboots. I literally don't have the time that it would take to run Windows here.

    And IIS is probably the most-hacked piece of Windows. Want to compare it to Apache? Apache runs as nobody.nobody on most systems, or perhaps www.www. How about IIS? Hack Apache and you're an unprivileged user who'll have to rehack the box from the inside. Hack IIS and you're the Administrator. Even if Apache was as exploitable as IIS, it still wouldn't be as big a deal.

    Michael

    --
    Do you have ESP?
  10. It's Exactly like the Movie Spider-Man by Uggy · · Score: 5, Insightful

    Look... why is it that highly paid movie editors who poured over Spider-Man for many months with millions of dollars, couldn't find what the movie viewing public did in the opening weekend? According to movie-mistakes.com:

    Fans have so far spotted 77 continuity errors, the most flaws identified in an opening weekend, according to Web site movie-mistakes.com.

    Jon Sandys, who runs the site, said the number of mistakes could be a symptom of the movie's popularity.

    "It's obviously possible that it's got a higher than average number of errors, but huge numbers of people are going to see it and that makes for lots of pairs of eyes checking every inch of the screen," he told the Independent newspaper today.

    That sound remarkably familiar to Eric Raymond's Cathedral and the Bazaar? When Spider-Man was checked for bugs by the highly paid editor (programming team) and none were found, did they not exist. Is the movie inherently more flawed when the bugs were found and reported by the viewing public (open source programmers)?


    --
    Toddlers are the stormtroopers of the Lord of Entropy.
  11. Re:Might be controversial by pubjames · · Score: 4, Insightful

    A good admin who is a pro will work hard to secure his servers and patch and look after them - a bad admin is a bad admin regardless of the OS

    Many years ago, anyone who wanted to drive a car also had to be a mechanic. Things needed constantly tweaking, they would break down often and were difficult to start and keep running. These days, if someone had a car that kept breaking down, you wouldn't say to them "well, that's your fault. You're obviously not a good mechanic", you'd say "go out and buy yourself a better car, mate".

    Don't blame the administrators for the primitive state of current computer technology.

  12. Re:Answer- Mandrake is more secure than Windows... by markmoss · · Score: 4, Interesting

    One fundamental difference is that it's perfectly reasonable for a Linux distro to lock down everything by default, so that you've got to make some changes before it's usable for much of anything. (You could play solitaire if the distro included a program...) If you bought Linux, you should know or learn a bit about administering.

    Windows, OTOH, starts with the assumption that a complete idiot will be installing it. If networking is crippled by default, it will probably remain crippled until the user returns the computer because it "won't do X". And it makes the almost-reasonable assumption that with an idiot setting it up and using it, the box won't contain anything worth a good cracker's time. And these assumptions are almost OK; the problem is that (1) when the box is used for something serious, it's hard for even a professional administrator to keep up with all the changes needed to make a system secure, (2) they've made the home system default so wide open that serious crackers can take over hundreds of them at a time and use them in assaults on important targets, and (3) MS is so sloppy that everything is a lot more exposed than they intended...