One of the more entertaining aspects of being involved with Internet and information security is predicting how long it will take a hacker to break or exploit a system or program assumed to be secure. I've said it before, and I'll say it again: With very few exceptions, all software has bugs.
Whether these bugs present a risk of exploitation depends on the software and on whether any intruders are actively trying to find holes to exploit. I use the term intruder rather than hacker because, these days, worms and viruses are more likely to identify and exploit vulnerable systems than people are.
(That's not to say that hackers don't break into systems. Hacker incidents like what happened to T-Mobile are more common than the media would lead you to believe.)
What companies and users unfamiliar with the technical details of computing don't realize is that commercial software bases its claims of "security" more on guesswork and hope than reality. Software marketing relies heavily on so-called "independent" testing and certification, but the software companies are the ones that pay for that testing and certification.
Then again, what software company is going to advertise its products as "somewhat secure" or "very possibly secure"? But that's actually closer to the truth.
Some people, myself included, estimate that the cost of eliminating half of the bugs in commercial software far exceeds the revenue generated over the lifetime of the product. Of course, companies could recoup some of this cost by drastically increasing prices. But commercial software companies are already competing with open source software, and raising prices isn't going to bring them any new customers.
One of the main reasons I'm such a harsh critic of commercial software companies is that they didn't bother to address the security and reliability concerns of their products until open source software became a serious enough threat to their business.
I've used both commercial and open source software for more than 25 years, and I honestly believe that commercial software has fallen far behind open source software when it comes to security and reliability, not to mention the fact that open source software costs much less to support.
Despite many commercial software companies' claims about the security of their products, open source software is very difficult to compete with when it comes to security. Because of its worldwide use in research, open source software is always on the cutting edge of security. I trust open source software because I know a lot of other people have seen the same code I'm seeing.
It's important to remember that security is not simple, nor is it absolute. Developing secure software is an expensive, difficult, detailed, and time-consuming process.
Competing effectively with open source software requires commercial software companies to commit to producing a secure product that's better than what users can get for free. Only time will tell whether commercial software companies can focus on this task.
But until the hype lives up to reality, I'll continue to use open source alternatives to commercial software. The software is genuinely more secure, which I know because I've seen the code myself.
Jonathan Yarden is the senior UNIX system administrator, network security manager, and senior software architect for a regional ISP.