eWeek Labs: Open Source Quicker at Fixing Flaws

The real question for it organizations isn't whether open-source software is more secure than proprietary software but which type of software is fixed fastest.

The real question for it organizations isnt whether open-source software is more secure than proprietary software but which type of software is fixed fastest.

Humans code both open-source and proprietary software, which means that mistakes will be made, and the resulting holes need to be reported and closed. Right now, open source has it all over proprietary software when it comes to owning up to and resolving problems.

Recent history provides striking examples of the approaches open-source and proprietary software vendors take to fixing security problems.

Two key open-source applications were hit recently by serious security problems.

In June, a flaw was found in the popular, historically secure Apache Web server that made it possible to remotely exploit code on a vulnerable system. And just this month, the Slapper worm spread to thousands of systems by taking advantage of a hole in the OpenSSL program.

These were serious problems, and in both cases, the developers of the programs responded quickly. The Apache Software Foundation made a patch available two days after the Web server hole was announced. In the case of OpenSSL, a patch was available the day the flaw was announced.

Compare this with how security problems were handled recently in the proprietary world.

A serious flaw was found in Windows XP recently that made it possible to delete files on a system using a single URL. Microsoft Corp. quietly fixed this problem in Windows XP Service Pack 1, without notifying users of the problem.

A more direct comparison can be seen in how Microsoft and the KDE Project responded to an SSL (Secure Sockets Layer) vulnerability that made the Internet Explorer and Konqueror browsers, respectively, potential tools for stealing, among other things, credit card information.

The day the SSL vulnerability was announced, KDE provided a patch. Later that week, Microsoft posted a memo on its TechNet site basically downplaying the problem.

Of course, there have been open-source problems that werent patched quickly. And software vendors, including Microsoft, often respond quite quickly to security holes.

But, in general, open-source organizations react quickly and openly to problems while software vendors instinctively cover up, deny and delay. In addition, open-source organizations almost always fix vulnerabilities with small, focused patches, thus limiting unanticipated side effects. Vendors such as Microsoft, on the other hand, tend to provide multiple patches and fixes all rolled up into service packs, which are notorious for creating new problems while fixing old ones.

In the end, it comes down to motivation. For open-source developers, the most important thing is credibility, which means taking problems seriously. Most proprietary software vendors, on the other hand, say that features come before security and seem to believe that it is better to sweep a problem under the rug than to admit a mistake openly.