Over the last couple of years, as security vulnerability reports have piled up on products from such big vendors as Microsoft Corp., Oracle Corp. and Cisco Systems Inc., open-source advocates have snickered. If only those vendors would release their source code and let the open-source community at it, all their problems would go away, they said. And when the Code Red and Nimda worms chewed their way through hundreds of thousands of unpatched Microsoft Internet Information Services servers last year, Apache users sat back and smiled, believing nothing like that could happen to them.
Then it did.
In late July, researchers found several flaws in the OpenSSL tool kit, which is commonly used for secure transmissions on Apache servers. About six weeks later, someone released a worm called Slapper that exploited one of those flaws. It not only installed a back door on each infected server but also turned machines running OpenSSL into a waiting army of zombies by dropping in a DDoS (distributed-denial-of-service) tool kit as well.
The infected machines can communicate with one another via a private, peer-to-peer network. Security experts predicted that it was only a matter of time before someone used the thousands of compromised servers to launch a devastating DDoS attack.
Despite the mantra that open-source software is more secure thanks to its communal writing and review process, the vulnerabilities in OpenSSL were all buffer overruns, the most common and, many say, most preventable class of flaw in software: code that copies data supplied by a remote peer into a fixed-size buffer without first checking that it fits.
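To make the class of flaw concrete, here is an added example written for this page; it is not code from OpenSSL or from any product the article names, and the record layout, buffer size and function names are hypothetical. A length-prefixed field arrives from an untrusted peer and is copied into a fixed-size buffer. The unsafe version trusts the declared length; the hardened version checks it against both the destination capacity and the number of bytes actually received, which is the check that turns a remotely triggerable overrun into a rejected record.

```c
/* Added example, not the article's or OpenSSL's code. The wire format,
 * FIELD_MAX and all names below are assumptions made for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 16

/* Constructed wire format: one length byte followed by that many bytes. */

/* Vulnerable: copies `declared` bytes no matter how large. A peer that
 * sends a length greater than FIELD_MAX overruns `out`; a length greater
 * than the bytes actually received also reads past the end of `in`. */
int parse_field_unsafe(const uint8_t *in, size_t in_len, char out[FIELD_MAX])
{
    if (in_len < 1)
        return -1;
    size_t declared = in[0];
    memcpy(out, in + 1, declared);      /* no bounds check: the overrun */
    return (int)declared;
}

/* Hardened: the declared length must fit in the destination and must not
 * exceed what was actually received. Returns bytes copied, or -1. */
int parse_field_safe(const uint8_t *in, size_t in_len, char out[FIELD_MAX])
{
    if (in_len < 1)
        return -1;
    size_t declared = in[0];
    if (declared > FIELD_MAX)           /* would overrun `out` */
        return -1;
    if (declared > in_len - 1)          /* would over-read `in` */
        return -1;
    memcpy(out, in + 1, declared);
    return (int)declared;
}

/* Constructed sample records (not captured traffic). */
static const uint8_t good_rec[] = { 5, 'h', 'e', 'l', 'l', 'o' };
/* Declares 200 bytes but carries only 3: a malformed record of the kind
 * a worm would send. Never passed to parse_field_unsafe() here, because
 * that call would be undefined behaviour. */
static const uint8_t bad_rec[]  = { 200, 'a', 'b', 'c' };

/* Returns 1 if the hardened parser rejects the malformed record. */
int demo_safe_rejects_bad(void)
{
    char buf[FIELD_MAX] = {0};
    return parse_field_safe(bad_rec, sizeof bad_rec, buf) == -1;
}

/* Returns 1 if the hardened parser copies a well-formed record intact. */
int demo_safe_accepts_good(void)
{
    char buf[FIELD_MAX] = {0};
    int n = parse_field_safe(good_rec, sizeof good_rec, buf);
    return n == 5 && memcmp(buf, "hello", 5) == 0;
}

/* Returns 1 if the unsafe parser handles the well-formed record; it only
 * misbehaves on hostile input, which is why such bugs survive testing. */
int demo_unsafe_accepts_good(void)
{
    char buf[FIELD_MAX] = {0};
    int n = parse_field_unsafe(good_rec, sizeof good_rec, buf);
    return n == 5 && memcmp(buf, "hello", 5) == 0;
}

int main(void)
{
    printf("safe rejects malformed record: %d\n", demo_safe_rejects_bad());
    printf("safe accepts good record:      %d\n", demo_safe_accepts_good());
    printf("unsafe accepts good record:    %d\n", demo_unsafe_accepts_good());
    return 0;
}
```

The point of the two checks is that the attacker controls the length byte, not the programmer; both the destination size and the bytes actually on hand have to be compared against it before any copy. The unsafe parser passes every well-formed test case, which is how such code ships.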
That such flaws were found in an open-source tool kit and subsequently exploited by a destructive worm comes as no surprise to some experts. Still, it's enough to prompt some to question the long-held belief that open-source software is more secure.
“Linux is awful. There are no design specs. Everybody and their half-brother who knows some [C code] writes code for it, and they all have the same lack of knowledge,” said Gene Spafford, professor of computer science at Purdue University, in West Lafayette, Ind., and an expert on network security. “It's who writes it and whether it's planned [that makes a difference], not who looks at the code.”
Despite such rumblings, few open-source believers are ready to drop Linux or other open-source products because of newly spawned security concerns. Mike Prince, CIO at Burlington Coat Factory Warehouse Corp., for example, thought long and hard about security before deciding, in 1999, to roll out Linux companywide to thousands of users in hundreds of locations across the country. By the time he made the call, however, he had no doubts about the reliability of the new software.
As a longtime user of a variety of back-office open-source applications, Prince said he believed the security of the software was a given. And he hasn't changed his mind.
“The security of the open-source software hasn't been an issue. It's excellent,” said Prince, at Burlington's headquarters in Burlington, N.J. “On the operating system side, although there are loopholes found, the speed with which they're fixed and the commitment to making the problem known and resolved are excellent. The stability rivals the best of the proprietary Unix systems. The whole security model in Linux is better than in Windows.”
Who's Right?
So who's right? Does proprietary development behind closed doors produce more secure software? Or does the collaborative open-source model, in which thousands of smart, independent developers are poised to spot and fix security problems, produce better results?
Many IT managers and security experts say it's not that simple. Security, they insist, comes down to attention to detail and careful coding, not whether the code is freely available on the Internet or locked in a vault on a corporate campus.
“Unless there's a great deal of discipline underlying the development, there's no difference in the security [of proprietary and open-source software]. Open source is not inherently more secure,” said Peter Neumann, principal scientist at SRI International, in Menlo Park, Calif., and a security and networking expert who in 1965 helped design the file system for Multics, which is still considered one of the most secure and reliable operating systems ever written. “If everyone has the same bad skills, all the eyeballs in the world won't help you. Unless there's discipline, you still come up with garbage.”
Advocates of Linux and other open-source software often cite users' ability to modify the code and adapt it to their environments as a key advantage of open-source applications. However, that can be a drawback if the people doing the modifications aren't well-trained.
Some devotees say the real strength of open source lies in its transparency and the flexibility it gives customers.
“The transparency gives you security because you can pick and choose what's in your environment,” said John Alberg, co-founder and vice president of engineering at Employease Inc., an Atlanta-based developer of human resources software and a user of numerous open-source applications.
“Commercial software tends to have a lot of doors you don't know about,” Alberg said. “What open source does is allow you to manage a more secure environment. There are fewer moving parts in the products, and, hence, you have fewer problems.”
“Open-source software is developed by people who are more attuned to security. Commercial software vendors are trying to hit feature sets and target dates,” said Dan Agronow, vice president of technology at Weather Channel Enterprises Inc.'s Weather.com site, in Atlanta, which uses Linux, Apache and other open-source software. “With open source, it isn't released until it's ready, and that's it. But we still pay a lot of attention to security. You have to.”
To the extent that open-source products such as Linux still suffer security holes, however, they may soon get help from a small number of startups dedicated to hardening the operating system.
Guardian Digital Inc., of Allendale, N.J., recently released EnGarde Secure Linux Professional, which features a litany of added security functionality, such as a network gateway firewall, a network IDS (intrusion detection system) and a host IDS, and a security control center. Even the National Security Agency, of Fort Meade, Md., has gotten in on the act, producing its own Security Enhanced Linux distribution.
For all the criticism Microsoft takes for the lack of security in its products, some Linux distributions have begun to experience more problems. Red Hat Inc., of Raleigh, N.C., for example, has issued fixes for 35 security problems in its Red Hat Linux 7.3 since June, while Microsoft, of Redmond, Wash., has released six patches in the same time period for Windows XP Pro. However, the list of patches included in the new Service Pack 1 for XP Pro shows 30 security-related fixes, including several that were never publicized or issued separately. Raw counts like these also compare unlike things: a distribution's advisories cover every package it ships, from the kernel to third-party servers and utilities, not just the operating system itself.
Is All Software Insecure?
But, some observers say, comparisons of bug reports simply prove that all software is insecure. The real determinant of security is competent programming and code review, they say.
“I don't think it's a good idea to have one rule as to whether code should be open. If Microsoft opened the [Internet Explorer] code now, it would probably be very bad because it's full of all kinds of bugs. But if it had been open from the start, that would have been good,” said Avi Rubin, a principal researcher in the secure systems research department at AT&T Labs-Research, in Florham Park, N.J.
“Apache is a good example. Anything like that that has a formal structure and people working on it is good,” Rubin said. “Part of the beauty of the open-source process is that they take into account that vulnerabilities will happen, so they're prepared for it. The people making decisions are responding out of pride, not from a business perspective.”
Indeed, the kind of response to open-source security problems that Rubin describes is one of the things that convinced Burlington Coat Factory's Prince that the open-source community was more dedicated to security than commercial vendors.
Prince once found a bug in an open-source operating system utility and posted a question about it to a newsgroup. The author of the utility soon replied, confirming the problem, telling Prince how to work around it and saying he had a new version of the utility on the way that would fix the bug.
“That's what open source does. They have brilliant people who, once they understand the problem, are probably in competition with each other to fix it,” Prince said. “There hasn't been a minute of time wasted being jerked around.”
However, even hard-core advocates of open-source software concede that simply making source code available doesn't make an application more secure.
“What really makes a difference is having someone who knows what they're doing writing the code and looking at the code,” said Crispin Cowan, chief scientist at WireX Communications Inc., in Portland, Ore., a developer of secure Linux solutions. “But I think that the open-source process does enable greater security.”