Open source security has upper hand
There has been a lot of debate among security practitioners about the impact of open source approaches to security.
Synaq MD, Yossi Hasson, says open source projects respond quicker to resolving any security holes discovered and protect against deliberate backdoors being placed in the software. “These benefits alone give open source software a major upper hand when considering the security of your software,” he adds.
“With closed source software, there is no way to know that there are no deliberate or unknown backdoors that exist in the software,” he explains.
According to Hasson, if a company is serious about its software security needs, the only way to ensure software is secure is to have access to the source code and leverage the 'many eyeballs' theory. This allows many people to look at the integrity of the code and discover any security vulnerabilities openly, he says.
“The main difference between open source security and closed systems is the response times to resolve bugs and security holes, and the number of backdoors found in the software,” Hasson points out. He adds that traditionally, open source software vendors are far more responsive in fixing found software bugs and security holes than their closed source counterparts.
He gives an example of open source companies like Red Hat which have been compared to Microsoft in multiple tests. He says Red Hat always trumps Microsoft in the time it takes to resolve security holes.
The second major difference is that open source software ensures any possible backdoors are discovered and resolved while closed source software could have a backdoor in the software that remains undetected for years. Hasson cites examples of Borland software and Microsoft with Frontpage.
The effectiveness of software security is not a question of which model it was developed on, open source or proprietary, says Hasson. “All software has security problems, whether it's closed or open, but open source software ensures the risks are mitigated further,” he adds.
According to Hasson, history has shown open source projects tend to have fewer vulnerabilities and bugs found. One of the key issues is that open source exposes the source code to everyone, both the attackers and defenders, he notes. “It is usually free and often public domain so people usually disagree about the ultimate impact of this situation.”
“Organisations of all sizes are embracing open source software in many forms, from mobile devices powered by Android to large enterprise systems running Linux,” he points out.
Hasson says good open source projects lead to better software being developed and are generally secure.