Security Basics mailing list archives
RE: Why open source software is more secure
From: "Robinson, Sonja" <Sonja.Robinson () fticonsulting com>
Date: Mon, 12 May 2008 12:18:46 -0400
Being open source does not necessarily mean more secure - two completely different things. Open Source means you have the potential for more people to objectively review it and potentially make it more efficient and more secure, or modify it in ways that suit their particular needs - better, stronger, faster is the ultimate goal. It also means that someone could also potentially inject code into it that is malicious if people aren't diligent and perform hash comparisons before installing, OR that the code could have more bugs (too many cooks in the kitchen).

If you code, you can read the code to determine what, if any, adverse effects it has on your system before compilation and install. If you do not code, you close your eyes and pray like with any other application. It may make it easier to seek exploits if someone is actually looking for them - this is good and bad depending on the intent of the seeker. You're still relying on other programmers unless you plan on reading all of the visible and "invisible" code.

That being said, OSS can't hide behind the "security through obscurity" that proprietary code can, either. Someone will discover the issue in Closed Source eventually. CS may delay discovery but it does not eliminate it. Obviously some people believe that their code is intellectual property and do not want it disclosed to everyone. It's up to the individual or company to decide which is best for them.

Now that my two cents are in, this same conversation will rage again for the next 20 years as it has for the past 30....

Sonja

DISCLAIMER: These are my own opinions and not those of my employer, yadda, yadda yadda....

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Alexander Klimov
Sent: Monday, May 12, 2008 10:44 AM
To: security-basics () securityfocus com
Subject: Re: Why open source software is more secure

It is not clear what is "more secure". For example, if we define that software is secure if it has no exploitable bugs, then it is either secure or it is not. I suspect that there is only a small number of non-trivial secure software and all of them happen to be OSS -- this is not because an open process magically makes software secure, but because these specimens were written by security zealots.

Why is most software not secure? It is very simple to answer: because nobody really cares (even if they claim they do, "normal" people do not behave accordingly). Most of the users do not care and thus commercial software is not secure (by the way, according to the EULA, liability is usually limited to the price you pay to get the software); most developers are not security zealots and thus OSS software is not secure.

--
Regards,
ASK
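The message above recommends a hash comparison before installing an open-source release. The following is an added example of that check, not code from the original post or from any project named in the thread: it parses a checksum file in the `sha256sum` output format (`<hex digest>  <filename>`), recomputes the digest of the downloaded archive, and compares in constant time. The archive bytes and the checksum file are constructed inline so the script runs offline; in a real workflow the SHA256SUMS file comes from the project (fetched over a separate channel, ideally with a detached signature), and a file not listed in it is treated as a failure rather than assumed good.

```python
"""Verify a downloaded release archive against a published SHA256SUMS file.

Added example; not part of the original list post. Inputs below are
constructed for illustration.
"""
import hashlib
import hmac
from typing import Dict

HEX_DIGITS = set("0123456789abcdefABCDEF")


def parse_sha256sums(text: str) -> Dict[str, str]:
    """Parse '<hex>  <filename>' lines as written by `sha256sum`.

    A leading '*' on the filename (sha256sum's binary-mode marker) is
    stripped. Malformed lines raise rather than being skipped, so a
    corrupted or truncated checksum file cannot silently verify nothing.
    """
    sums: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed SHA256SUMS line: {raw!r}")
        digest, name = parts
        if len(digest) != 64 or any(c not in HEX_DIGITS for c in digest):
            raise ValueError(f"bad SHA-256 digest on line: {raw!r}")
        sums[name.lstrip("*")] = digest.lower()
    return sums


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an in-memory archive."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hex SHA-256 of a file on disk, read in chunks so large tarballs
    are not loaded into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(name: str, data: bytes, sums: Dict[str, str]) -> bool:
    """True only if `name` is listed and its digest matches `data`.

    An unlisted file is a failure: the checksum file says nothing about it.
    hmac.compare_digest avoids leaking how many leading characters matched.
    """
    expected = sums.get(name)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_hex(data), expected)


# Constructed sample data (hypothetical project and file names).
ARCHIVE_NAME = "project-1.0.tar.gz"
GOOD_ARCHIVE = b"\x1f\x8b\x08\x00example tarball bytes, constructed for this demo\n"
TAMPERED_ARCHIVE = GOOD_ARCHIVE[:-1] + b"!"  # one byte changed

# Stand-in for the project's published SHA256SUMS file. Built here from the
# good archive purely so the example is self-contained; a real check must
# use the checksum file the project publishes, not one derived locally.
PUBLISHED_SHA256SUMS = (
    "# SHA256SUMS for project 1.0 (constructed)\n"
    f"{sha256_hex(GOOD_ARCHIVE)}  {ARCHIVE_NAME}\n"
    f"{sha256_hex(b'unrelated')}  *project-1.0.zip\n"
)
PUBLISHED = parse_sha256sums(PUBLISHED_SHA256SUMS)


if __name__ == "__main__":
    print("good archive:", verify(ARCHIVE_NAME, GOOD_ARCHIVE, PUBLISHED))
    print("tampered archive:", verify(ARCHIVE_NAME, TAMPERED_ARCHIVE, PUBLISHED))
    print("unlisted file:", verify("project-1.0.tar.gz.asc", GOOD_ARCHIVE, PUBLISHED))
```

A hash comparison only proves the archive matches the checksum file; if both were fetched from the same compromised mirror the check passes trivially, which is why the checksum file itself should be signed or fetched from a source independent of the download.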
Current thread:
- Why open source software is more secure sapran (May 08)
- Re: Why open source software is more secure Ali, Saqib (May 08)
- Re: Why open source software is more secure Chad Perrin (May 08)
- RE: Why open source software is more secure David Harley (May 08)
- RE: Why open source software is more secure Hayes, Ian (May 08)
- Re: Why open source software is more secure Chad Perrin (May 08)
- Re: Why open source software is more secure aliasghar.toraby () gmail com (May 08)
- Re: Why open source software is more secure Adriel Desautels (May 08)
- Re: Why open source software is more secure Ivan . (May 09)
- Re: Why open source software is more secure Alexander Klimov (May 12)
- RE: Why open source software is more secure Robinson, Sonja (May 12)
- RE: Why open source software is more secure Craig Wright (May 13)
- RE: Why open source software is more secure Hayes, Ian (May 13)
- Re: Why open source software is more secure Chad Perrin (May 13)
- RE: Why open source software is more secure Robinson, Sonja (May 12)
- Re: Why open source software is more secure Ali, Saqib (May 08)
- RE: Why open source software is more secure Craig Wright (May 13)
- <Possible follow-ups>
- Re: Why open source software is more secure zenmasterbob123 (May 08)
- RE: Why open source software is more secure Murda Mcloud (May 09)
- RE: Why open source software is more secure Chuck Taylor (May 09)
- RE: Why open source software is more secure Nick Vaernhoej (May 09)
- RE: Why open source software is more secure Murda Mcloud (May 09)