'

Trend Micro: open source is more secure

The antivirus vendor has waded into the debate over the merits of open and closed code, while Linux vendor Red Hat takes a cautious approach

Antivirus vendor Trend Micro is claiming that open source software is inherently more secure than proprietary software such as Microsoft Windows.

Trend claimed that one reason open source software has fewer security issues is the variety of Linux distributions. Although they use the same kernel, if one distribution is compromised the same piece of malware may not work on a different distribution, the company said on Monday.

"Open source is more secure. Period," Raimund Genes, chief technical officer for anti-malware at Trend, told ZDNet UK. "More people control the codebase, they can react immediately to vulnerabilties, and open source doesn't have so much of a problem with legacy code because of the number of distributions."

Genes said open source developers "openly talk about security", so patches are "immediate — as soon as something happens", whereas proprietary vendors with closed code have to rely purely on their own resources to push patches out.

However, Genes claimed that Linux servers needed to be hardened to make them "really secure", and could not be used without altering the default security settings.

Mark Cox, security response team lead for open source vendor Red Hat, agreed that the Linux community shares security knowledge, but said it was wrong to say Linux distributions are not secure out-of-the-box.

"We always make sure we pass knowledge back upstream so everyone who uses the Linux kernel can benefit," Cox told ZDNet UK. "Red Hat out of the box comes with default SELinux, a firewall... security is on by default, although it is possible to further harden it," he said.

Cox was reluctant to compare the relative security merits of open source and proprietary software, but said that Linux was affected by fewer critical vulnerabilities.

"Whether it's open source or closed source doesn't really make a difference — the issue is whether the software has been designed with security in mind," said Cox. "Ten years ago, Apache was designed to address buffer overflows, and has been successful. It's harder to write a worm for Linux because there haven't been that many critical vulnerabilities found, and even those are harder to exploit because of the diversity [of distributions]," Cox added.

However, Cox also warned that past performance was no guarantee of future results, unless the open source community develops technologies to stop future Linux vulnerabilities.

Cox said it is also important to develop metrics to measure security for both open and closed source software, including the security response times, transparency in disclosing vulnerabilities, and how fast patches are deployed.

Genes pointed out that Microsoft is beginning to address security issues in developing Vista, in part by restricting administrative access.

"Microsoft is on the right track. It's now promoting access control, which was introduced by Unix. No one thinks of running Unix in root," said Genes.