Is open source more secure?

There are two types of government IT types – those that swear by open source and those that swear by Microsoft. The perception is that Microsoft products are rife with security holes. Just this week, Microsoft released a security update that addressed 21 issues – the most ever in a monthly security release – 19 of which address remote execution vulnerabilities.

Most critical is a bug that allows remote execution without any affirmative action by the user, News.com reported.

"These (vulnerabilities) take advantage of two listening services that run on the host and listen for traffic coming in through ports that are frequently utilized," Bitle said. "While a lot of these (other Microsoft) remote execution flaws require interaction (by the user), this one does not. A user doesn't have to click on a link or open an attachment."

Fast on the heels of this news is a report from Trend Micro that open source is hands-down more secure then Windows. In part, this has to do with the heterogeneous nature of Linux. It comes in a multitude of distributions, not a handful of version all based on exactly the same code base.

"Open source is more secure. Period," Raimund Genes, chief technical officer for anti-malware at Trend, said. "More people control the code base; they can react immediately to vulnerabilities; and open source doesn't have so much of a problem with legacy code because of the number of distributions."

Genes said open-source developers "openly talk about security," so patches are "immediate--as soon as something happens," whereas proprietary vendors with closed code have to rely purely on their own resources to push patches out.

Is open source inherently more secure than proprietary software, or can it only be said that Linux is more secure than Windows? Mark Cox, security response team lead for Linux seller Red Hat, doubts it.

"Whether it's open source or closed source doesn't really make a difference--the issue is whether the software has been designed with security in mind," Cox said. "Ten years ago, Apache was designed to address buffer overflows and has been successful. It's harder to write a worm for Linux because there haven't been that many critical vulnerabilities found, and even those are harder to exploit because of the diversity" of distributions.

With Vista, Microsoft is getting with the program by restricting administrative access. "Microsoft is on the right track. It's now promoting access control, which was introduced by Unix. No one thinks of running Unix in root," Genes said.