So who's right? Does patent-protected development behind closed doors produce more secure software? Or does the collaborative, open-source community, with thousands of smart, independent developers poised to spot and fix security problems, do better? Many IT managers and security experts say it's not that simple. Security, they insist, comes down to attention to detail and careful coding, not whether the code is freely available on the Internet or locked in a vault on a corporate campus.

Advocates of Linux and other open-source software often cite users' ability to modify the code and adapt it to their environments as a key advantage of open-source applications. That same freedom can be a drawback, however, if the people doing the modifications aren't well-trained. Some devotees say the real strength of open source lies in its transparency and the flexibility it gives customers.

"The transparency gives you security because you can pick and choose what's in your environment," said John Alberg, co-founder and vice president of engineering at Employease Inc., an Atlanta-based developer of human resources software and a user of numerous open-source applications. "Commercial software tends to have a lot of doors you don't know about," Alberg said. "What open source does is allow you to manage a more secure environment. There are fewer moving parts in the products, and, hence, you have fewer problems."

"Open-source software is developed by people who are more attuned to security. Commercial software vendors are trying to hit feature sets and target dates," said Dan Agronow, vice president of technology at Weather Channel Enterprises Inc.'s Weather.com site, in Atlanta, which uses Linux, Apache and other open-source software. "With open source, it isn't released until it's ready, and that's it. But we still pay a lot of attention to security. You have to."
To the extent that open-source products such as Linux still suffer security holes, however, they may soon get help from a small number of startups dedicated to hardening the operating system. Guardian Digital Inc., of Allendale, N.J., recently released EnGarde Secure Linux Professional, which features a litany of added security functionality, such as a network gateway firewall, a network IDS (intrusion detection system) and a host IDS, and a security control center. Even the National Security Agency, of Fort Meade, Md., has gotten in on the act, producing its own Security-Enhanced Linux (SELinux) distribution.

For as much criticism as Microsoft takes for the lack of security in its products, some Linux distributions have begun to experience more problems. Red Hat Inc., of Raleigh, N.C., for example, has issued fixes for 35 security problems in its Red Hat Linux 7.3 since June, while Microsoft, of Redmond, Wash., has released six patches in the same time period for Windows XP Pro. Raw patch counts are a poor measure on their own, however: the list of patches included in the new Service Pack 1 for XP Pro shows 30 security-related fixes, including several that were never publicized or issued separately.
"Unless there's a great deal of discipline underlying the development, there's no difference in the security [of proprietary and open-source software]. Open source is not inherently more secure," said Peter Neumann, principal scientist at SRI International, in Menlo Park, Calif., and a security and networking expert who in 1965 helped design the file system for Multics, which is still considered one of the most secure and reliable operating systems ever written. "If everyone has the same bad skills, all the eyeballs in the world won't help you. Unless there's discipline, you still come up with garbage."