Security Basics mailing list archives

RE: Why open source software is more secure


From: "Robinson, Sonja" <Sonja.Robinson () fticonsulting com>
Date: Mon, 12 May 2008 12:18:46 -0400

Being open source does not necessarily mean more secure - two completely
different things.  Open Source means you have the potential for more
people to objectively review it and potentially make it more efficient
and more secure, or modify it in ways that suit their particular needs -
better, stronger, faster is the ultimate goal.  It also means that
someone could also potentially inject code into it that is malicious if
people aren't diligent and perform hash comparisons before installing, OR
that the code could have more bugs (too many cooks in the kitchen).  If
you code, you can read the code to determine what adverse effects, if any,
it may have on your system before compilation and install.  If you do not
code, you close your eyes and pray like with any other application.  It
may make it easier to seek exploits if someone is actually looking for
them - this is good and bad depending on the intent of the seeker.  You're
still relying on other programmers unless you plan on reading all of the
visible and "invisible" code.

That being said, OSS can't hide behind the "security through obscurity"
that proprietary code can, either.  Someone will discover the issue in
Closed Source eventually.  CS may delay discovery, but it does not
eliminate it.  Obviously some people believe that their code is
intellectual property and do not want it disclosed to everyone.  It's up
to the individual or company to decide which is best for them.

Now that my two cents are in, this same conversation will rage again for
the next 20 years as it has for the past 30....

Sonja

DISCLAIMER:  These are my own opinions and not that of my employer,
yadda, yadda yadda....
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Alexander Klimov
Sent: Monday, May 12, 2008 10:44 AM
To: security-basics () securityfocus com
Subject: Re: Why open source software is more secure

It is not clear what is "more secure". For example, if we define that
software is secure if it has no exploitable bugs, then it is either
secure or it is not.

I suspect that there is only a small number of non-trivial secure
software and all of them happen to be OSS -- this is not because an
open process magically makes software secure, but because these
specimens were written by security zealots.

Why is most software not secure? It is very simple to answer:
because nobody really cares (even if they claim they do, "normal" people
do not behave accordingly). Most users do not care and thus
commercial software is not secure (by the way, according to the EULA,
liability is usually limited to the price you pay to get the software);
most developers are not security zealots and thus OSS software is
not secure.

--
Regards,
ASK