August 27, 2007

Opening your source doesn't make your software more secure

In an article comparing Windows to Red Hat, Microsoft recently used the following quote from Ben Laurie, former chair of the Apache security team:

Although it’s still often used as an argument, it seems quite clear to me that the “many eyes” argument, when applied to security, is not true.
Ben responded by clarifying what he meant in this post, and while it appears that the quote has indeed been taken out of context, the overall idea that open source automatically produces more secure software is a fallacy, and one that has been demonstrated empirically by now.

Software becomes secure for a bunch of reasons:

  • It was designed from the ground up with security in mind.
  • It was implemented from the ground up with security in mind.
  • It was implemented by good developers.
  • These developers are security experts.
  • These developers reviewed each other's code before checking it in.
  • A lot of money was spent on testing and QA.
  • The software was extensively beta-tested.

Actually, I think that the main reason why a piece of software becomes secure is:

  • The software has been running for years and has received (and keeps receiving) numerous fixes and patches.
I'm not even putting "The software is open source" in this list because, to be honest, I'm not convinced that the open source factor wins against obscurity in terms of security. When the vulnerable code is open and its subsequent fix is published in the open as well, you make it very easy for average hackers to take advantage of it right away. And I think the main problem is average hackers, not very good ones (who will get access to the source of the program one way or another, whether it was open source or not).

I'm also a bit skeptical that code reviews catch that many fundamental programming (and security) mistakes. When a check-in touches even ten files, it's extremely hard to understand how the change will impact the rest of the huge code base that is already in place. It might be easy to spot obvious mistakes in languages like C or C++, where an overrun buffer and similar memory errors can be identified within a few lines of code, but in higher-level languages you really need to understand the big picture, and past a certain size, only automated tools or heavy real-world use of the code will actually reveal these bugs.
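To make the "few lines of code" point concrete, here is an added example (not from the original post): a hypothetical C function with a fixed-size stack buffer and an unbounded copy, the kind of defect a reviewer can flag without knowing anything about the rest of the code base, next to a bounded version that rejects input that does not fit. The function names and the sample inputs are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16

/* Reviewer-visible bug: the destination is a fixed 16-byte stack buffer but
 * the copy is unbounded, so any name of 16 or more characters overruns it.
 * (Hypothetical function written for this example.) */
void greet_unsafe(const char *name)
{
    char buf[NAME_MAX];
    strcpy(buf, name);          /* no length check: classic stack overrun */
    printf("hello %s\n", buf);
}

/* Hardened form: refuse input that does not fit, always NUL-terminate.
 * Returns 0 on success, -1 if the name is too long to copy safely. */
int greet_safe(const char *name, char *out, size_t out_len)
{
    size_t n = strlen(name);
    if (out_len == 0 || n >= out_len)
        return -1;              /* would not fit together with its NUL */
    memcpy(out, name, n + 1);   /* bounded: n + 1 <= out_len */
    return 0;
}

int main(void)
{
    char buf[NAME_MAX];
    /* constructed inputs */
    const char *short_name = "cedric";
    const char *long_name = "this-name-is-longer-than-sixteen-bytes";

    if (greet_safe(short_name, buf, sizeof buf) == 0)
        printf("hello %s\n", buf);
    if (greet_safe(long_name, buf, sizeof buf) != 0)
        printf("rejected: name does not fit a %d-byte buffer\n", NAME_MAX);

    /* greet_unsafe(long_name) would smash the stack, so it is only ever
     * called here with input that fits. */
    greet_unsafe(short_name);
    return 0;
}
```

The unsafe version is the case the paragraph describes: the bug is local to three lines and a reviewer needs no wider context. The logic bugs that survive review in larger, higher-level code are exactly the ones that have no such local signature.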

The simple fact is that users who download open source software will probably never look at the source. Even I, as a developer, just don't bother any more. And if I can choose between downloading software in source or binary form, I will always pick the latter and trust that the company releasing it (or the Internet community) has done the security audit for me.

The quote by Microsoft is certainly taken out of context to serve their purposes, but I think that a lot of security experts will agree with it.

Posted by cedric at August 27, 2007 10:07 AM

Comments

In fact it's a strange point that can vary from one situation to another.

Yes, open source is the most secure platform (I cannot imagine any other system being developed by thousands of people). But that "open source is secure" only covers the best projects, like a famous distro, or a famous CMS, or a music player, as you can guess.

But no, open source isn't as secure as we think when we talk about unknown or less known projects, because you control your code with fewer people and less development; any little bug or security problem can blow your head off.

Hmm, yep, that's the point.

Posted by: Pinar Y. at August 27, 2007 11:21 AM

I agree with you. Open Source/Closed Source means nothing with regards to security. The way I see it, contemporary security problems are because OS developers are trying to please the least common denominator in terms of a wider userbase -- with good intentions and valid business reasons. "Easier use" becomes a target for the "average hacker", as you say. We still see the mainframe as the most secure of all animals, but I'm pretty sure you wouldn't call a mainframe session a "user friendly" experience. Patches nowadays seem to band-aid a hole instead of plug it up.

I used to work for a military contractor where one guy used to say: "The only secure computer is one that isn't connected". An older security guy came back with "or turned off". Insecurity is something I think we're going to have to live with, open source or closed source.

Posted by: Frank Bolander at August 27, 2007 02:20 PM

I agree that open source is not "more secure". I think it comes from a path of logic that has never been proven. It's assumed to be correct because it sounds right.

Joshua

Posted by: Joshua Foster at August 27, 2007 02:50 PM

You're all missing the point.

The whole point is _how fast_ you get a fix for a security issue.
In the proprietary world, you can do nothing but wait for the company to release a fix ASAP.
ASAP sometimes means weeks or months. You *cannot* afford such delays when security matters.

In the open source world, anyone can access the sources, which means that fixes might and usually will come within a day because there are enough skilled people around. Period.

Other arguments are irrelevant.

Posted by: A-C at August 27, 2007 02:58 PM

AC,

I think you're missing an important point as well. Yes, the fix comes faster, but what does it buy you if, days after the vulnerability and fix have been disclosed, hundreds of web sites start going down because they did not (or could not) apply that fix while hackers acted on the vulnerability right away?

A lot of systems in production simply cannot be patched as soon as such fixes are made available, and this is why the approach of "security via obscurity" works as well: because it makes the vulnerability obscure to users and hackers alike.


Posted by: Cedric at August 27, 2007 03:06 PM

August 27th, 2007 - Cedric has agreed that "security via obscurity" has value. I'll remember this day :)

Posted by: Paul Tyma at August 27, 2007 04:03 PM

A-C,

I think we're talking about the same thing; when I talk about the security of well-known and famous open source projects, I mean how many coders are around them. If there are at least 100 good hackers (or fewer or more, just an example) around your code, they can find and fix bugs easily and early. But if you're not well-known, I cannot trust your project's security with 3 developers: a hacker comes, looks through your code, finds a bug and uses it. If you don't have a well-covered community, who can hear it? Who can help? So you simply die. That's the point I'm talking about.

And Cedric,

of course, the first step of security is the physical security of your machine :)

I agree with the guy who said the most secure computer is a turned-off one, because you can monitor an unconnected computer with ray technologies as well.

And I thought about your last words: "we're going to have to live with open source or closed source". I don't agree with you; I think we have to live with both open source and closed source. When I talk about "closed source", most people understand closed source x operating system :)

A hybrid secure system I can imagine: if you want to make your system secure, you have to use an open sourced operating system (because, let's talk about Linux, I can't imagine any other operating system that gets fixed so quickly and with such a good community; that's the open source (and free software) effect) and, on this operating system, your applications have to be a) good open source projects or b) well-coded but closed source projects. I think that strategy works.

Posted by: Pinar Yanardag at August 27, 2007 04:31 PM

...what does it buy you if days after the vulnerability and fix have been disclosed, hundreds of web sites start going down because they did not (or could not) apply that fix while hackers acted on the vulnerability right away?

Ok, Cedric, let me get this straight: your claim is that closed source projects actually get a leg up in the security department because it's harder for hackers to find out about their vulnerabilities?

Maybe you should share your insight with Microsoft, who clearly are squandering tons of potential 'obscurity value':

http://www.microsoft.com/technet/security/bulletin/ms07-aug.mspx

Posted by: pcal at August 27, 2007 11:20 PM

Sure, secure software has to be written by good, dedicated professionals, and most open source software doesn't get nearly enough attention to be good. But for the winners of the popularity contest (Linux for example), it seems fair to say that part of the reason they get all that attention and years of updates and security fixes comes from being open source.

Or to put it another way, the "given enough eyes" thing only works for Linux and maybe a few other projects; it doesn't generalize.

Posted by: Brian Slesinsky at August 28, 2007 12:14 AM

Well said. Open source is not a guarantee of security. In fact, not so well reviewed open source software may be more of a security risk because the security-by-obscurity veil is lifted from the start.

I have had serious hacking problems with Mambo in the past which forced me to switch to dedicated hosting, and even there I was threatened that my service would be switched off. On investigation, I realized the problem was that I didn't apply a recent security patch to Mambo. I later switched to Joomla (a Mambo derivative). However, it left a bitter taste in my mouth about the myth of open source security.

Posted by: Angsuman Chakraborty at August 29, 2007 08:17 PM

Hey, just went through your blog and it makes for some nice reading. That thread about Indian students was hilarious. I'm Indian, so I can understand what that must have been like. I'm sure they did not intend to be rude. Only those Indians who study in good schools (like me, haha) can speak good English. The funny thing is, I came across your blog while searching for ideas about Java projects for beginners. So maybe that's how they came across your blog and thought that you were offering suggestions. But I'm rambling here. Nice work on the blog, keep it up!

Posted by: Preet at September 5, 2007 07:48 AM