Security's future belongs to open source

Summary: It's really not a debate question, it's just the way it is. The world runs on Linux and open-source software.

The public was with me in my argument that Heartbleed didn't prove the open-source development model was insecure, but the judge ruled against me. Eh, I'm not hurt. It's not just readers who agree with me; almost all of technology agrees with me.

Open source is the way to security in today's world.

You see, while Heartbleed was open source's worst security hour, it was an exceptional case. Outside of Apple and Microsoft, everyone, and I mean pretty much everyone, has already decided that open source is how they'll develop and secure their software. Google, Facebook, Yahoo, Wikipedia, Twitter, Amazon: essentially all of Alexa's top ten websites in the world rely on open-source software every day of the year.

They do it because Eric S. Raymond was right when he wrote in the essay that got open source started, "The Cathedral and the Bazaar," that "Given enough eyeballs, all bugs are shallow."

The problem with Heartbleed was that no one—no, not even the NSA—looked at the code. The failure wasn't with the open-source method, it was that no one bothered to apply it to OpenSSL.
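To make "looked at the code" concrete, here is an added illustration of the class of bug a reviewer would have been hunting for; it is not code from this article or from OpenSSL. A TLS heartbeat handler copies a payload whose length is taken from the attacker's own request rather than from the record that actually arrived. The constructed memory image, the "SECRET-SESSION-COOKIE" bytes placed next to the record, and all function names are assumptions for the demo; the hardened version applies the same shape of check as the fix that shipped for Heartbleed (reject the request when 1 + 2 + payload + 16 exceeds the received record length).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* TLS heartbeat message (RFC 6520): type (1 byte), payload_length
 * (2 bytes, big-endian), payload, then at least 16 bytes of padding. */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_PADDING = 16 };

/* Constructed memory image (assumption for the demo): a 32-byte record
 * followed by bytes standing in for whatever sat next to it in the heap. */
#define RECORD_LEN 32
#define ARENA_LEN  128
static unsigned char arena[ARENA_LEN];

static void build_arena(uint16_t claimed_len) {
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(&arena[3], "hello", 5);                 /* the real 5-byte payload */
    /* arena[8..31] is padding; arena[32..] models neighbouring memory */
    memcpy(&arena[RECORD_LEN], "SECRET-SESSION-COOKIE", 21);
}

static int find_bytes(const unsigned char *hay, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* Vulnerable shape: the copy length comes from the attacker's own
 * length field; the size of the record that actually arrived is ignored. */
static int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                unsigned char *out, size_t out_cap) {
    (void)rec_len;                                 /* never consulted: the bug */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    size_t resp_len = 1 + 2 + (size_t)payload + HB_PADDING;
    if (resp_len > out_cap) return -1;             /* only the output is bounded */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(&out[3], &rec[3], payload);             /* over-reads past the record */
    memset(&out[3 + payload], 0, HB_PADDING);
    return (int)resp_len;
}

/* Hardened shape: drop any request whose claimed payload does not fit
 * inside the bytes that were actually received. */
static int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                           unsigned char *out, size_t out_cap) {
    if (rec_len < 1 + 2 + HB_PADDING) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len) return -1;
    size_t resp_len = 1 + 2 + (size_t)payload + HB_PADDING;
    if (resp_len > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(&out[3], &rec[3], payload);
    memset(&out[3 + payload], 0, HB_PADDING);
    return (int)resp_len;
}

/* Attacker claims 64 payload bytes in a record that holds 5.
 * Returns 1 if the vulnerable handler echoes the neighbouring bytes. */
int demo_vulnerable_leaks(void) {
    unsigned char out[256];
    build_arena(64);
    int n = heartbeat_vulnerable(arena, RECORD_LEN, out, sizeof out);
    return n > 0 && find_bytes(out, (size_t)n, "SECRET-SESSION-COOKIE");
}

/* Same request against the hardened handler: 1 if it is rejected. */
int demo_fixed_rejects_oversized(void) {
    unsigned char out[256];
    build_arena(64);
    return heartbeat_fixed(arena, RECORD_LEN, out, sizeof out) == -1;
}

/* Honest request (claims 5): hardened handler answers with 1+2+5+16 bytes. */
int demo_fixed_honest_len(void) {
    unsigned char out[256];
    build_arena(5);
    int n = heartbeat_fixed(arena, RECORD_LEN, out, sizeof out);
    if (n < 0 || memcmp(&out[3], "hello", 5) != 0) return -1;
    return n;
}

int main(void) {
    printf("vulnerable handler leaks neighbouring memory: %d\n", demo_vulnerable_leaks());
    printf("fixed handler rejects oversized claim:        %d\n", demo_fixed_rejects_oversized());
    printf("fixed handler honest response length:         %d\n", demo_fixed_honest_len());
    return 0;
}
```

The over-read is kept inside one allocated arena so the demo is deterministic; in a real process the bytes past the record are whatever the allocator placed there, which is exactly why the bug leaked keys and cookies. The review question is a one-liner: does every length used in a copy come from bytes you have already validated against the size of what you received?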

The proof that open source, properly applied, is secure is available. Studies, such as the one recently done by Coverity, have found that open-source programs have fewer defects per thousand lines of code than their proprietary counterparts. And it's hard to ignore the Communications-Electronics Security Group (CESG), the group within the UK Government Communications Headquarters (GCHQ) that assesses operating systems and software for security issues, when it said that while no end-user operating system is as secure as it would like, Ubuntu 12.04 is the most secure desktop it assessed.

On the other hand, the mere existence of Microsoft's monthly Patch Tuesday says everything most of us need to know about how "secure" proprietary software is. I also can't help noticing that every time Microsoft releases a new version of Internet Explorer (IE), it claims the release is the most secure ever. Then a new hole is found, and, guess what, that same security hole is in every version of IE from IE 6 to IE 11. If IE really were being rewritten to make it secure, why do the same holes keep showing up in every version?

My worthy adversary thinks that open-source projects don't have sufficient funding or management. Given Adobe's, Apple's, and Microsoft's security track records, has a month gone by in years without major security holes popping up in the major proprietary software companies' products? I don't see how traditional management has helped them any.

That's not to understate the Heartbleed problem. It was a disaster. It happened because OpenSSL was underfunded. There simply weren't enough people on the job to do the job, and everyone just assumed that because the code was open source it was somehow magically immune to errors. That's pure foolishness, and we paid the price for it when a large share of the world's websites turned out to be vulnerable to Heartbleed. We won't make that mistake again.

Let's say that OpenSSL, like IE, is fatally flawed. I don't believe it, but say it is. So what? In the open-source world someone just forks the code and comes up with a better version. That's exactly what OpenBSD has done with LibreSSL. With open-source software you're not locked into one company's "secure" solution. If someone doesn't deliver the security goods you want, someone else can, and usually will, come up with a better program.

Put it all together and the facts show that, when done right, open source is the best way not just to develop software but to create secure software. It's only in those corner cases, like OpenSSL with Heartbleed, where a program is both popular and under-funded, that there exists the real possibility of a major security problem.

Just like death and taxes we'll always have security problems. But, as the record already shows, on average open-source programming is the best way to prevent security troubles.

Topics: Security, Linux, Open Source

Talkback

67 comments
  • ZZzzz...

    Just remember that Saddam Hussein had no weapons of mass destruction nor did he have any dealings with Al Qaeda wrt 9/11 as President George W. Bush and his minions, including the Press and most in the U.S. believed. The majority is not always correct.

    +1 for the judge.
    Rabid Howler Monkey
    • And what exactly ......

      does that have to do with the price of tea in China?
      Economister
      • It's got nothing to do with the price of tea in China, however ...

        From the article:
        "The public was with me in my argument that Heartbleed didn't prove the open-source development model was insecure, but the judge rules against me."

        Steven won the popular opinion in the ZDNet great debate on this topic, but the judge ruled that he lost the debate. I agreed with the judge.

        See? You did read the article didn't you?
        Rabid Howler Monkey
        • Windows = Virus

          That's the reason why I moved from Windows to Linux over 7 years ago. That has been one of my best choices during my life. My wife and most of our children are not using Windows nowadays, either.
          Frankie1965
          • You and others should be just fine with the GNU/Linux desktop

            After all, what money-grubbing, mass malware miscreant wants to spend a lot of time writing malware for an operating system with 1 to 2% market share? Especially since most distros do a good job of keeping packages (those inside the repositories) up to date and given that finding zero-day vulnerabilities followed by crafting exploits for a subset of these vulnerabilities is time-consuming. And if you're not a Tibetan activist or similar, you most likely will not be targeted with malware (it's happened with OS X users).

            As for Linux servers and Android (yes, it's Linux), you'll need to be a bit more careful as there's plenty of malware out there for both platforms as well as many mobile device users running unsupported versions of Android. Better know what you are doing wrt Linux server configuration, maintenance and monitoring.

            And Google Play? Watch out for malicious apps such as benign-looking apps that are really crypto-currency miners under the surface (pun intended) which dominate the CPU and drain the battery along with fake anti-virus software.

            http://arstechnica.com/security/2014/04/covert-bitcoin-miner-found-stashed-in-malicious-google-play-apps/

            http://www.computerworld.com/s/article/9248398/More_fake_antivirus_apps_pop_up_in_Google_Play_Windows_Phone_Store
            Rabid Howler Monkey
  • Here we go again, open source...

    Linux is still a small percentage compared to the number of Windows, Unix servers and Main frames running business critical software.

    Do you think that just because it is open source it is written better? Well, you know nothing. You give the impression that if it is not open source then it is bad.

    There are not many 'real' open source companies that make money and the majority of open source projects would never make it commercially.

    Additionally, they are buggy, and just try getting support when it is really needed.

    When are people going to wake up and smell the coffee?
    pjc158
    • You kind of missed that most of the mainframes ARE running Linux

      As are most of the servers.
      jessepollard
      • Mainframes, Open Source, Software Bugs

        Most mainframes don't run Linux. The largest share of mainframes are those sold by IBM. IBM mainframes, which can run Linux, usually run z/OS, z/VM, or z/VSE.

        As to Open Source development. I am an Open Source developer. Before I commit code it's usually reviewed, and that which isn't is reviewed by Coverity, Jenkins, and by some folks on the project. Believe me, they do make a point to point out one's mistakes and make sure you know it publicly.

        Having worked as a commercial programmer, I know bugs are not always fixed. At those shops the 80/20 rule usually applied. Bugs were fixed if it made financial sense.
        Cy.Schubert@...
        • Some facts

          While you are _technically_ correct in saying most mainframes don't run Linux, I think you're not as correct as you think you are. In the 2013 survey of IBM mainframe system owners, 36% run Linux on their mainframes, and 16% plan on transitioning into doing so in the next year. http://www.arcati.com/13part2.pdf
          daboochmeister
        • Mainframes

          There are few, if any, mainframes in use today. Everything today is client-server. IBM is in the process of adopting Linux for their big iron server OS, most likely because that is what their customers are asking for...
          eisen6
    • RE: Linux is still a small percentage compared to

      Right! 85.6% is a pretty small number...

      ref:
      http://www.ovh.com/ca/en/blog/a1304.operating-system-os-servers-dedicated-ovh

      FYI
      Many closed source projects are based on FOSS. I.E. Bing

      Best,
      mack.
    • lmao

      Who the fuk uses Unix? Are you stuck in the last century there, AT&T? Every major piece of infrastructure runs Linux, bud. And when you're looking for innovation you're looking at open source. Linux has completely dominated almost every vertical except desktops and laptops. Go read something.
      Ahnomimush
    • Uhm . . . not very many Unix servers these days. Mostly Linux.

      Uhm . . . not very many Unix servers these days. Mostly Linux.
      optimoz
      • Not many Unix servers these days?

        OK, so I did go and read something...

        FreeBSD, OpenBSD, NetBSD, Apple OS X, DragonFly BSD, AIX, Solaris, Illumos, HP-UX, and yes, even iOS. All derivatives of Unix 1 to 4.

        https://en.wikipedia.org/wiki/File:Unix_history-simple.svg
        AdamElteto
  • One word: Heartbleed

    Yeah, I know you attempted to apologize by saying it was an exceptional case. The reality is it is not. Being open source does not make code more / less secure.
    ye
    • So what are some of the cases.

      Being as how Heartbleed wasn't special, you imply there are many more cases. Care to name any?
      anothercanuck
      • My Linux systems regularly receive security patches.

        Every one of them is an example.
        ye
        • good

          Regular security patches are a good thing. No developer will write good code. Be glad if people find issues early and fix often. The more eyes the better.
          Ahnomimush
        • Heartbleed was enough

          The speed with which Heartbleed became a real issue from being recognised as a threat is directly a characteristic of open source software and the ability of those interested to directly observe how best to exploit it.

          That "The world runs on Linux and open-source software" may be true, but it doesn't mean that "Security's future belongs to open source"
          Henry 3 Dogg
      • Example

        http://www.zdnet.com/patches-ready-for-red-hat-ubuntu-and-others-affected-by-linux-kernel-flaw-7000029442/

        Gaping hole in Linux, allowed unrestricted system access as root, sat there for 5 years.
        honeymonster