MS vs. open source: Security's the same

Microsoft has its share of security problems--but so does the open source community. Wayne Rash says neither has the edge when it comes to fixing flaws.
Written by Wayne Rash, Contributor
I already know that you're going to hate what I have to say. You'll no doubt send me strongly worded e-mails. Fine. We have a tough bunch here at CNET, and we can take it.

When you read about the security problems of some open source applications and operating systems, some of you have nodded approvingly, and muttered words that sound a lot like "I told you so." Let's face it, all the smugness about the superiority of open source code has been pretty hard to take.

Of course, the open source people claim that such charges simply aren't true. They say open source products are better because more people work on them and then distribute the patches--meaning that security holes get fixed right away. Microsoft, as the leading vendor of proprietary software, claims the same thing.

The fact is, both sides have their share of problems--but neither side has the edge when it comes to fixing security holes. You're just as likely to encounter a security problem with open source code as you are with Microsoft Windows, and the fix is just as likely to appear quickly and be done properly.

Normally, this is the point where Microsoft gets trashed for its seemingly endless list of security patches for Windows. That's not going to happen here. Yes, Microsoft does have a long list of security issues for which it has issued patches. But the fact that those patches exist means somebody in Microsoft is making sure those fixes are made.

According to Steve Lipner, Microsoft's Director of Security Assurance, the company's Security Response Team operates seven days a week and has been known to issue patches to Windows security within hours of finding out about a problem. This sounds pretty responsive to me, certainly as responsive as the open-source solution to fixes--hoping someone steps up to the plate, creates a fix, and makes it available.

The problems with security are not greater or fewer with Microsoft's code versus open source. They’re just different. Want another opinion? In the FBI's ongoing list of the top 20 security problems, the number of Windows and open-source problems are about equal. The bottom line is that you should choose your OS or Web server software by how well it meets your needs--because these days, security really isn't the differentiating factor.

Which do you trust most when it comes to open-source security: open source, proprietary, or both equally? Tell me what you think in our TalkBack forum below.

Wayne Rash runs a product testing lab near Washington, DC. He's been involved with secure networking for 20 years and is the author of four books on networking topics.
