Trend Micro: open source is more secure

Trend Micro: open source is more secure

Summary: The antivirus vendor has waded into the debate over the merits of open and closed code, while Linux vendor Red Hat takes a cautious approach

SHARE:
TOPICS: Security
0

Antivirus vendor Trend Micro is claiming that open source software is inherently more secure than proprietary software such as Microsoft Windows.

Trend claimed that one reason open source software has fewer security issues is the variety of Linux distributions. Although they use the same kernel, if one distribution is compromised the same piece of malware may not work on a different distribution, the company said on Monday.

"Open source is more secure. Period," Raimund Genes, chief technical officer for anti-malware at Trend, told ZDNet UK. "More people control the codebase, they can react immediately to vulnerabilties, and open source doesn't have so much of a problem with legacy code because of the number of distributions."

Genes said open source developers "openly talk about security", so patches are "immediate — as soon as something happens", whereas proprietary vendors with closed code have to rely purely on their own resources to push patches out.

However, Genes claimed that Linux servers needed to be hardened to make them "really secure", and could not be used without altering the default security settings.

Mark Cox, security response team lead for open source vendor Red Hat, agreed that the Linux community shares security knowledge, but said it was wrong to say Linux distributions are not secure out-of-the-box.

"We always make sure we pass knowledge back upstream so everyone who uses the Linux kernel can benefit," Cox told ZDNet UK. "Red Hat out of the box comes with default SELinux, a firewall... security is on by default, although it is possible to further harden it," he said.

Cox was reluctant to compare the relative security merits of open source and proprietary software, but said that Linux was affected by fewer critical vulnerabilities.

"Whether it's open source or closed source doesn't really make a difference — the issue is whether the software has been designed with security in mind," said Cox. "Ten years ago, Apache was designed to address buffer overflows, and has been successful. It's harder to write a worm for Linux because there haven't been that many critical vulnerabilities found, and even those are harder to exploit because of the diversity [of distributions]," Cox added.

However, Cox also warned that past performance was no guarantee of future results, unless the open source community develops technologies to stop future Linux vulnerabilities.

Cox said it is also important to develop metrics to measure security for both open and closed source software, including the security response times, transparency in disclosing vulnerabilities, and how fast patches are deployed.

Genes pointed out that Microsoft is beginning to address security issues in developing Vista, in part by restricting administrative access.

"Microsoft is on the right track. It's now promoting access control, which was introduced by Unix. No one thinks of running Unix in root," said Genes.

Topic: Security

Tom Espiner

About Tom Espiner

Tom is a technology reporter for ZDNet.com. He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

0 comments
Log in or register to start the discussion