Digg this story   Add to del.icio.us  
Open Source Versus Closed Source Security
Jason Miller, 2004-09-30

In the age old battle between open source and closed source operating systems and applications, can either of them really be considered more secure than the other?

In the age old battle between open source and closed source operating systems and applications, can either of them really be considered more secure than the other?

In my last article, The Panacea of Information Security, I talked about security's ultimate relationship with knowledge. After all, at its most basic level, security is about knowledge and understanding. During this discussion, I talked about how open source software can make security easier. What I want to clarify in this article are my thoughts on the security of open source systems versus closed source systems. Which one is more secure?

Just to be clear, we're not talking about cryptography here. Discussing cryptography that is based on an open or closed *algorithm* is a different topic entirely, and not the focus of this article. Besides, I'm pretty sure that the book has been closed on that one.

Closed Source and Open Source

When you use a closed source system, in many cases you're also using a closed system (to some degree or another). Understanding how something works (which is important when securing a system), or the processes through which it was made, can oftentimes be difficult or impossible, as the only readily available insight into this information in the documentation provided by the vendor. This, however, has the interesting side effect of making attacks against such a system more difficult. An attacker typically needs to understand a system before he can find and exploit a vulnerability in it. Security by obscurity you say? Perhaps. It really depends on whether or not the system or project *depends* on the closed source nature of the source code for security.

Open source systems, on the other hand, by their very nature, are open to scrutiny. Often, this scrutiny can apply not only to the project's source code, but also to the project's design processes. Nothing is hidden from view, and nothing must be taken as gospel from the documentation. Perhaps this is somewhat of an oversimplification, but it ultimately does represent the core philosophy of open source. This, conversely, can make an attackers job easier. However, does this really make an open source project less secure?

Although real-world examples might seem to lean one way or another, ultimately, making judgments about a projects security based on the openness of its source code is a shallow conclusion, at best. It could be said that security, although affected by the openness of a projects source code, is not necessarily directly related to it.

So, Which One Is More Secure Already?

Although you can take an open source project, compare it against a closed source project, and say that one is more secure than the other based on some number of observations or measurements, this determination will probably be based on factors other than the nature of the project's open or closed source code. Secure design, source code auditing, quality developers, design process, and other factors, all play into the security of a project, and none of these are directly related to a project being open or closed source.

I must admit, however, that I have been shocked at the existence of certain types of vulnerabilities in some closed source projects. Let's take the Microsoft Windows LSASS Buffer Overrun Vulnerability, for example. We're talking about a basic stack-based overflow in a privileged system service that really has no good excuse for being there (vsnprintf anyone?). And although I certainly wouldn't say that this means open source software is quantitatively "more secure" than closed source software, I would say that it makes me doubt the source code auditing principles and otherwise the general security practices of certain closed source operating system vendors. However, the issue here isn't specifically related to the operating system being open or closed source, but to the processes with
which the vendor approaches security.

On the other hand, I've seen some vulnerabilities in open source software that are so obscure (some of the Sendmail prescan() vulnerabilities come to mind), that you wonder if it would be feasible to discover a similar issue in a closed source project at all. Does this mean that closed source projects are immune to exploitation through these types of vulnerabilities? Absolutely not. But from a more pragmatic standpoint, it does seem to severely hamper an attackers ability to find them.

Although this might seem to imply that open source projects are going to have less vulnerabilities than closed source projects, that's not really the case either; the number of vulnerabilities present in a given system
can't be simply associated with the openness of its source code. Ultimately, it's about the way the project and its developers handle and integrate security.

There are a few more issues and points that I'd like to cover, but I really don't have the space to do so. And in the end, they all bring us to the same point: What I'm trying to say here is that neither closed source nor open source is inherently more or less secure than the other; making a blanket statement such as that would be foolish. The best conclusion that we can make on this subject is that the two methodologies are not "better or worse", but instead, different from one another; I don't believe that you can answer that question any better.

There Is No Right Answer

Personally, I'm a fan of open source software, and I'm pretty comfortable with the benefits and risks associated with using it. As a security professional, you need to be aware of risk, and the specific threats that are related to your infrastructure. For open source and closed source systems, some of these risks are different, but as long as you're aware of them, you can manage them. And we all know that manging risk is a very important part of security.

Ultimately, when it comes down to it, security is about more than just being closed source or open source, its about a process. Which brings me to something that I really like about the open source concept - I can see how well tuned that process is, and I don't have to take someone else's word for it. And in the end, it's always easy to put trust into your own observations, and not someone else's.

Jason Miller manages the Focus IDS area for SecurityFocus.
    Digg this story   Add to del.icio.us  
Comments Mode:
One Definite Benefit 2004-10-04
SFN (1 replies)
One Definite Benefit - What??? 2004-10-04
Anon (1 replies)
One Definite Benefit - What??? 2004-10-05
Anonymous (2 replies)
One Definite Benefit - What??? 2004-10-06
One Definite Benefit - What??? 2004-10-06
Open Source Versus Closed Source Security 2004-10-05
Paul Kosinski (1 replies)
Open Source Versus Closed Source Security 2004-10-05
Anonymous (1 replies)


Privacy Statement
Copyright 2010, SecurityFocus