Trend said one reason open-source software has fewer security issues is the variety of Linux distributions. Although they use the same kernel, if one distribution is compromised, the same piece of malicious software may not work on a different distribution, the company said Monday.
"Open source is more secure. Period," Raimund Genes, chief technical officer for anti-malware at Trend, said. "More people control the code base; they can react immediately to vulnerabilities; and open source doesn't have so much of a problem with legacy code because of the number of distributions."
Genes said open-source developers "openly talk about security," so patches are "immediate--as soon as something happens," whereas proprietary vendors with closed code have to rely purely on their own resources to push patches out.
However, Genes said Linux servers need to be hardened to make them "really secure," and that they cannot be used safely without altering the default security settings.
Mark Cox, security response team lead for Linux seller Red Hat, agreed that the Linux community shares security knowledge, but he said it was wrong to say Linux distributions are not secure out of the box.
"We always make sure we pass knowledge back upstream so everyone who uses the Linux kernel can benefit," Cox said. "Red Hat out of the box comes with default SELinux, a firewall...security is on by default, although it is possible to further harden it."
Cox was reluctant to compare the relative security merits of open-source and proprietary software but said Linux was affected by less critical vulnerabilities.
"Whether it's open source or closed source doesn't really make a difference--the issue is whether the software has been designed with security in mind," Cox said. "Ten years ago, Apache was designed to address buffer overflows and has been successful. It's harder to write a worm for Linux because there haven't been that many critical vulnerabilities found, and even those are harder to exploit because of the diversity" of distributions.
However, Cox also warned that past performance was no guarantee of future results, unless the open-source community develops technologies to stop future Linux vulnerabilities.
He said it is also important to develop metrics to measure security for both open and closed source software, including the security response times, transparency in disclosing vulnerabilities, and how fast patches are deployed.
Genes pointed out that Microsoft is beginning to address security issues in developing Vista, in part by restricting administrative access.
"Microsoft is on the right track. It's now promoting access control, which was introduced by Unix. No one thinks of running Unix in root," Genes said.
Tom Espiner of ZDNet UK reported from London.