Stacking up Open Clouds


Open source software: The question of security

Open source software: The question of security

Summary: The transparent nature of open source software does not make it any more vulnerable than closed systems, experts argue.

SHARE:

The logic is understandable - how can a software with source code that can easily be viewed, accessed and changed have even a modicum of security?

opensource-security-question
Open source software is safer than many believe.

But with organizations around the globe deploying open source solutions in even some of the most mission-critical and security-sensitive environments, there is clearly something unaccounted for by that logic. According to a November 28 2013 Financial News article, some of the world's largest banks and exchanges, including Deutsche Bank and the New York Stock Exchange, have been active in open source projects and are operating their infrastructure on Linux, Apache and similar systems.

As with any technology, security remains an important point with open source software, but not to the extent to which many people believe.

Open source software - safer than you think

According to Dr. Ian Levy, technical director at the UK's Communications-Electronics Security Group (CESG), too many people get caught up in the fact that the source code is open for all to see - and forget that this does not make it any more vulnerable than closed software.

"If I look at how people break software, they don't use the source code," he explained in an April 23, 2013, ZDNet article.

"If you look at all the bugs in closed source products, the people that find the bugs don't have the source, they have IDA Pro, it's out there and it's going to work on open and closed source binaries."

In fact, it could be one of open source software's greatest benefits - its transparency - that makes it a more appealing option than proprietary offerings. There is a saying known as "Linus' law" that says "given enough eyes, all bugs are shallow.” As the source code is available for all to access and modify, there is a large global community of developers who are constantly keeping tabs on the software to find ways of improving it. This includes scoping out bugs and other vulnerabilities in the code, which can then be fixed, enabling the software to be continuously improved. This level of universal collaboration and monitoring is often not available with closed source software.

This level of universal collaboration and monitoring is often not available with closed source software.

That said, there is no software system in the world that is completely risk-free and doesn't come without its security considerations. So what are some ways to make your open source infrastructure as secure as it can be?

Safety best practices in the open source environment

Before implementing any open source software, it is imperative to perform a thorough evaluation to assess any flaws or risks that may potentially arise. This will help you invest in the most stable solution for your needs and reduce the risk of vulnerabilities cropping up down the line. Your development team should be deeply involved in this process, looking at the history of the open source project to identify any past issues and assess the likelihood of further problems in the future.

It is also important to enact an enterprise-wide IT security policy, perhaps even a separate one dedicated to open source. Such policies should outline best practices in maintaining the integrity of the open source infrastructure and be flexible enough to adapt and change according to circumstances.

Open source software is certainly much more secure than its detractors would like to believe, and further breaking this myth could be the key to enabling its continuous development and growth.

———————————————————————————————————————————————————

To learn more about the business benefits of Red Hat Enterprise Linux, download this complimentary whitepaper.

Topics: Stacking up Open Clouds, Cloud, Open Source, Security

About

Sachin Shridhar is the senior director, consulting services for Red Hat Asia Pacific. He's responsible for reactive and proactive support delivery to Red Hat’s clients and partners across all product lines, including Red Hat Enterprise Linux, Red Hat JBoss Enterprise Middleware, Red Hat Storage and Red Hat's cloud solutions.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

3 comments
Log in or register to join the discussion
  • Wrong

    "The transparent nature of open source software does not make it any more vulnerable than closed systems"
    Of course it does. Closed source softwares' vulnerabilities can only be discovered with black box methods, while open source softwares' vulnerabilities can be be discovered by using both black box and white box method. So it's just fair to say that vulnerabilities are more easily discovered and more easily exploited in open source software then in its closed source counterpart.

    Also, it's easier to plant vulnerabilities in a software that uses an open source model and which everyone can contribute to, in most cases almost or completely anonymously, than in a closed source counterpart, where only a select few get the chance to contribute to the source code, and where most of those are well-identified persons by many ways (think of them having to supply names, address, social security number; having to show up at the workplace in person, etc). For the same reason it's far more easy to compile and produce an altered, backdoored, trojaned version of an open source software, than it is if the source of the software is closed and only available to a few.

    That said there are no two softwares that are the same, and how much secure or vulnerable a system is not only determinted by how easily an attacker can identify or plant vulerabilities in(to) it, but depends on a lot of others factors, too. Like the quality of the original code or the extent, intensity and expertise of/in the code review.

    So, an open source software can be as much or even more secure than a closed source one - given, that most of the initial factors are in favor of the former (ie. it's written by better developers, has better code review, is used and thus tested by more people, etc). But if all circumstances are the same, open source is definitely at a disadvantage to closed source software, also in regard of security and vulnerabilities.
    ff2
    • Go on, try to contribute anonymous code to Linux, then

      What tosh. Do you even know how contributions to open source projects works? The whole point is the level of scrutiny that can be applied to contributions. Sure, stuff like HeartBleed can get through by accident, but the very fact that that occurred has been a kick in the pants for greater scrutiny of modules no matter how reputable the contributor.

      The fact that a piece of software is open to thorough evaluation means it isn't possible to craft undetectable back doors. You absolutely cannot say the same thing about proprietary solutions - back doors can be coded in that go undetected for decades (if they're ever detected at all). Sure, the scope of work required for a single business to comprehensively check every piece of underlying code in an OS is far too large to be feasible, but that's why the development effort is a worldwide community undertaking.

      As for injecting malicious code into proprietary software, that's why there's no such thing as hacked versions of Windows, Office, games and every other application you can think of, containing viruses and other attacks. Oh right, sorry, I meant the Internet is *littered* with such examples.

      But, you know, feel free to shoot your mouth off, Mr Faceless Keyboard Warrior - I'm sure your opinion holds more weight than the highly educated and experienced experts quoted in the article, because the magical pixies have told you you clearly know more than anyone else about any topic you choose to weigh in on. Thank #@&* for people like you, right?
      TrevorX
    • 50%

      your argument only holds about 50% weight.

      Yes, hackers could look at the source code, but as pointed out in the article, they generally don't, they use tools to try and break the running systems. Therefore it is theoretically easier to hack open source software, but in practice the hackers generally rely on the same tools for both open and closed source.

      Seconds "slipping in changes" is, again, theoretically possible, but highly unlikely. The code, especially in more established projects, goes through a review process and only code from known contributors is taken - in fact the Linux Kernel now needs 2 factor authentication in order for code to be submitted.

      On the other hand, as Heartbleed demonstrated, it doesn't matter if code is open source and can be peer checked, if nobody checks it! And that is the problem with secure code, those that understand the math don't generally understand programming and those that can program don't generally understand the math, that means that there are only a handful of people in the world who would be able to sanity check complex encryption code.
      wright_is