Over the last few years, particularly as open source server deployments have eaten into the software giant's bottom line, Microsoft has routinely derided open source software as less secure than its own closed-source, proprietary offerings. Microsoft executives used to take security-related pot shots at Linux as a matter of course, and more recently (a little less than a year ago) the company funded a study, presented at last year's RSA conference under questionable circumstances, whose findings backed up Microsoft's long-standing assertion that Linux is riskier than Windows.
<digression>Even when vendors leave the methodology behind such studies entirely to the researchers, I take the results with a grain of salt. The vendor still controls whether the study gets published. In other words, if the results don't favor the vendor(s) who commissioned the study, it almost never sees the light of day.</digression>
Now, with the US Government's increasing reliance on open source software, the Department of Homeland Security wants to get to the bottom of that burning question, according to News.com:
The U.S. Department of Homeland Security is extending the scope of its protection to open-source software...Through its Science and Technology Directorate, the department has given $1.24 million in funding to Stanford University, Coverity and Symantec to hunt for security bugs in open-source software and to improve Coverity's commercial tool for source code analysis....The list of open-source projects that Stanford and Coverity plan to check for security bugs includes Apache, BIND, Ethereal, KDE, Linux, Firefox, FreeBSD, OpenBSD, OpenSSL and MySQL....
No matter how this news is sliced, it isn't good for providers of commercial alternatives to these open source products, and neither is the timing. If there are security problems (as Microsoft has long asserted), this program is certain to root many of them out, to the point that, from a security perspective, the aforementioned open source projects end up on par with their closed-source counterparts (if they're not there already, which many believe they are) or, worse for the competition, ahead of them.

OK. So what can $1.24 million really get you? 10 bug fixes? 20? 100? Note, too, that part of the money goes toward improving Coverity's own source code analysis tool, so the deliverable isn't just a list of bug fixes; it's also a better scanner. Even so, what could be worse for competitors to open source than the US government taking measures to make open source even better? Not only that, but the move comes at a time when Microsoft, which has itself taken a beating on the security front, is looking to improve its own security image, relatively speaking.