2004-09-30
In the age old battle between open source and closed source operating systems and applications, can either of them really be considered more secure than the other?
One Definite Benefit
2004-10-04
SFN (1 replies)
One Definite Benefit - What???
2004-10-04
Anon (1 replies)
Open Source Versus Closed Source Security
2004-10-05
Paul Kosinski (1 replies)

I think in order to fairly compare open source software to its commercial counterparts, it's important to recognize how heavily audited projects are.
For instance, just because a package is open source does not necessarily mean security. The design scrutiny of Apache vs. the design scrutiny in a package like AOL server or Bob's PHP image gallery is a world apart.
Perhaps a better way to look at open source security is in terms of market share versus vulnerabilities. Take a time slice such as the last 24 months and compare the market share of Apache with the market share of IIS. Apache has approximately 2x the market share, but sports about 1/5th of the vulnerabilities. Clearly this is a quality issue that Microsoft needs to address in one way or the other. Compare vulnerabilities in major packages like postfix, djbdns and Apache to IIS, Exchange and MS DNS in the CVE database over time to prove a security point. Core open source packages with reasonable amounts of community support CRUSH their commercial counterparts in terms of security despite market share.