Is Open source software development more secure?

[Juridian]

I would like to know your opinions on whether open source software development leads to better/worse/equivalent security for software projects than closed source software projects and why do you believe it?

** Disclaimer - this is not to turn into a flame war. I want opinions and I want it backed up by some kind of fact if possible. This thread is meant to make you think and I will be putting up counter arguments for all sides if possible.**

[Darksnake]

The way I see it, open source allows everyone to look at the code and find the problems in it rather easily. They can then exploit it or explain how to fix it. Closed source on the other hand requires that a person pokes around trying to break it, until they eventually find a bug. Then its upto the developers to fix it, nobody else has any say in that matter.

<brain fart> i'll finish this when I'm able to word it right </brain fart>

[chsh]

Originally posted here by Darksnake
The way I see it, open source allows everyone to look at the code and find the problems in it rather easily. They can then exploit it or explain how to fix it. Closed source on the other hand requires that a person pokes around trying to break it, until they eventually find a bug. Then its upto the developers to fix it, nobody else has any say in that matter.

The critical thing here is that in fact, only developers ever do look at the code. In both a closed source and open sourced environment your code reviews will be done by developers only. You have two considerations to take into account in comparing the two: Number of experienced eyes sifting through the code before committing it to the source tree, and accessibility of the code to those who would do your project harm (or exploit vulnerabilities, etc).

IMHO, the benefits of open sourced programming are canceled out by the fact that in addition to the developers of a project, crackers/hackers/etc also have access to the source code. In both situations it expedites bug finding and patching, and vulnerability finding and exploitation for both sides of the fence.
A closed source environment may offer more bugs, and yet it will take an equally determined attacker longer to find them due to the closed nature of the code. The attacker in the instance of closed source software is relegated to trial and error, whereas in the instance of open source software, a skilled cracker/hacker can sift through the code itself, and can get a picture of how it works, then from there much more quickly discover vulnerabilities.

It's a very tough call to have to call one or the other. To an end user, I imagine open sourced software would seem to be much more adaptive and quick in responding to vulnerabilities with patches, however I do think people should stop comparing all of OSS to just Microsoft. Microsoft has a bad track record, yes. What about Novell with Netware? Or Apple with MacOS? Adobe and their line of products? Many closed source companies are indeed capable of developing lines of secure software just as well as open sourced ones.

As I said, tough choice. For me, it would depend on the nature of the project, and when security is the overriding question at the heart of the matter, I do not believe they are functionally different. Theoretically, and given time, sure, open source software has the edge in the sheer number of people reviewing the code. Functionally however, I would venture to say that the rate of bug exposing and vulnerability exploitation resulting from both development types is roughly even.

[Juridian]

I believe, like Operating Systems, they both suck equally but for different reasons.

Closed source development projects, while they do not get the number of eyes on the source code doing auditing from a white box perspective (auditing/testing with source), get great numbers of people doing testing and auditing from a black box perspective (without source). It is common for companies generating this type of software to have code reviews by the developers, testing and auditing from black and white box perspectives by a Quality Assurance team, possible testing and auditing by outside contractors, and a good possibility of the source being run through an assortment of tools for regression testing, code analysis (complexity, security, etc), and so on.

It will also most likely be beta tested for some time by any number of users and finally released to the public which will also use the product. There will be a good number of people who will audit the programs security from a black box perspective to see if it suits their needs, and another good portion that will look for holes to exploit maliciously or to make a name for themselves. Holes found may get reported, may get ignored, or might be held back for malicious purposes as long as possible.

It would be nice if when doing these audits the source code was available so that you may hit it from a white box perspective and piece together what is going on. Maybe even fix the problem or report it to the vendor. It definitely beats watching crash messages to see if your buffer overflow idea worked or not. Hell, you could even run a source analysis tool against it and have a chance of picking it up right away (though they don't always catch the problem).


Open source on the other hand has the possibility for thousands if not millions of people to audit the source code. The biggest problem however, is that you have to hope that people did their due dilligence in planning the security, testing, auditing, etc of your applications before pushing them out. While you have to hope the same thing happened on the closed source team, no one's job is on the line for the open source team to do it. This has been the cause of problems in the past when one team member expects another to do it and vice versa...and it doesn't get done.

While you may expect companies such as Red Hat to spend a little cash or time to audit the applications they include with their distributions, that doesn't always happen (or rarely if ever) and has nailed them in the past as well. Finally as chsh stated, you may have quantity (stressing may) but that doesn't guarantee quality of the reviewer. Generally the source will be reviewed by someone who has something to gain from it.

It will be done by malicious people who are looking for holes to exploit, by individuals at companies who are looking to see if it fits their needs, by people looking to make a name for themselves, or by people who get paid for it. Rarely will most users do an in depth audit of the architecture, language quirks (dangerous functions, poorly implemented language/platform security measures), algorithms, testing of component interaction, etc. Relatively few users of any system have the requisite skills to even attempt it.

Some issues surface relatively quickly however and a patch for the problem is posted in a short amount of time. Not all open source projects have these issues, but the problem does exist.

My reading, research and experience is pointing me to believe what chsh said. The rate of bug exposing and vulnerability exploitation resulting from both dev types is roughly even.

[Gump]

I think the real issue of security lies in what is being protected. For example the majority of boxes attacked on the internet are web servers, web servers on the internet are mostly Apache on Linux. For that reason most web servers that are attacked are Linux boxes. On the other hand user boxes are overwhelmingly windows. And for that reason most of your viruses and worms go after these. As has been stated on this site before nothing is secure, those who chose to go after something will go after something they are familiar with, be it web servers, Databases, E-mail clients Etc... The more market penetration a product has the "Less secure" it will be because one exploit or vulnerability will proliferate so much more. And there is also the problem of trying to get larger numbers to update/patch so it will remain so for longer.

Just my thoughts

[Juridian]

A valid point. However, what I'm trying to do here is promote discussion on whether one style of project leads to more secure development being done than the other, and why do people believe it to be that way?

As chsh has stated before....

Linux != all opensource development && Windows != all closed source development

[qod]

with closed source you need one source to provide you with the fix, while in open source any one could even your self.

anyways you migh want to read "The cathedral and the bazaar" paper to know the goods and bads of each.

[VicC]

I thought that this was a really interesting look at some of the common myths that surround Open Source Development. Might be worth a look.

http://www.onlamp.com/pub/a/onlamp/2.../11/myths.html

[Maestr0]

However, what I'm trying to do here is promote discussion on whether one style of project leads to more secure development being done than the other, and why do people believe it to be that way?

I think this largely depends on the shop and the product concerned, as this directly affects how the developement team considers the importance of having secure code, regardless of whether its open source or not.


-Maestr0

[Juridian]

For 'the cathedral and the bazaar' information you can go to - http://www.catb.org/~esr/writings/cathedral-bazaar/