Is All Software Insecure?

But, some observers say, comparisons of bug reports simply prove that all software is insecure. The real determinant of security is competent programming and code review, they say.

"I don't think it's a good idea to have one rule as to whether code should be open. If Microsoft opened the [Internet Explorer] code now, it would probably be very bad because it's full of all kinds of bugs. But if it had been open from the start, that would have been good," said Avi Rubin, a principal researcher in the secure systems research department at AT&T Labs-Research, in Florham Park, N.J.

Indeed, the response to open-source software security problems that Rubin has experienced is one of the things that convinced Burlington Coat Factory's Prince that the open-source community was more dedicated to security than commercial vendors. Prince once found a bug in an open-source operating system utility and posted a question about it to a newsgroup. The author of the utility soon replied, confirming the problem, telling Prince how to work around it and saying he had a new version of the utility on the way that would fix the bug.

"That's what open source does. They have brilliant people who, once they understand the problem, are probably in competition with each other to fix it," Prince said. "There hasn't been a minute of time wasted being jerked around."

However, even hard-core advocates of open-source software concede that simply making source code available doesn't make an application more secure.

"What really makes a difference is having someone who knows what they're doing writing the code and looking at the code," said Crispin Cowan, chief scientist at WireX Communications Inc., in Portland, Ore., a developer of secure Linux solutions. "But I think that the open-source process does enable greater security."
"Apache is a good example. Anything like that that has a formal structure and people working on it is good," Rubin said. "Part of the beauty of the open-source process is that they take into account that vulnerabilities will happen, so they're prepared for it. The people making decisions are responding out of pride, not from a business perspective."