Open Source: A False Sense of Security?

As hackers ramp up attacks, some question just how safe products are.

Over the last couple of years, as security vulnerability reports have piled up on products from such big vendors as Microsoft Corp., Oracle Corp. and Cisco Systems Inc., open-source advocates have snickered. If only those vendors would release their source code and let the open-source community at it, all their problems would go away, they said. And when the Code Red and Nimda worms chewed their way through hundreds of thousands of unpatched Microsoft Internet Information Services servers last year, Apache users sat back and smiled, believing nothing like that could happen to them.

Then it did.

In late July, researchers found several flaws in the OpenSSL tool kit, which is commonly used for secure transmissions on Apache servers. About six weeks later, someone released a worm called Slapper that exploited the vulnerability and not only installed a back door on each infected server but also turned machines using OpenSSL into a waiting army of zombies by dropping in a DDoS (distributed-denial-of-service) tool kit as well.

The infected machines can communicate with one another via a private, peer-to-peer network. Security experts predicted that it was only a matter of time before someone used the thousands of compromised servers to launch a devastating DDoS attack.

Despite the mantra that open-source software is more secure thanks to its communal writing and review process, the vulnerabilities in OpenSSL were all buffer overruns, the most common and, many say, most preventable flaws in software.

That such flaws were found in an open-source tool kit and subsequently exploited by a destructive worm comes as no surprise to some experts. Still, its enough to prompt some to question the long-held belief that open-source software is more secure.

"Linux is awful. There are no design specs. Everybody and their half-brother who knows some [C code] writes code for it, and they all have the same lack of knowledge," said Gene Spafford, professor of computer science at Purdue University, in West Lafayette, Ind., and an expert on network security. "Its who writes it and whether its planned [that makes a difference], not who looks at the code."

Despite such rumblings, however, few open-source believers are ready to drop Linux or other open-source products because of newly spawned security concerns. Mike Prince, for example, thought long and hard about security before deciding, in 1999, to roll out Linux companywide to thousands of users in hundreds of locations across the country. By the time Prince made the call, however, the CIO at Burlington Coat Factory Warehouse Corp. had no doubts about the reliability of the new software.

As a longtime user of a variety of back-office open-source applications, Prince said he believed the security of the software was a given. And he hasnt changed his mind.

"The security of the open-source software hasnt been an issue. Its excellent," said Prince, at Burlingtons headquarters in Burlington, N.J. "On the operating system side, although there are loopholes found, the speed with which theyre fixed and the commitment to making the problem known and resolved are excellent. The stability rivals the best of the proprietary Unix systems. The whole security model in Linux is better than in Windows."