Open Source: Look it up in your gut
Posted by Ed in Analysis on Jun 8, 2010
There’s an interesting reader response on Network World today about an IT shop where the administrators aren’t allowed to use open source software. Apparently, due to “security concerns”, users aren’t allowed to use open source software. The article itself is ultimately a dodge, in that it points out anecdotal reasons for open source being more secure (using TrueCrypt and PasswordSafe as examples), but really doesn’t dig into the meat of the question that much.
I’ve talked about this question before – whether open source really is more secure than closed source, or not. My original conclusion was “it depends” – meaning, my belief was that the answer depends on which open source project you are comparing to which commercial development organization. But, interestingly, there’s some new academic research out there that can shed some light on the question. It’s a hell of a read.
So, the paper is entitled “An Empirical Analysis of Exploitation Attempts based on Vulnerabilities in Open Source Software”, and I suggest you read it. Right now. Don’t wait. Because most of us have been “looking it up in our gut” (i.e. not basing our conclusions on data, because data wasn’t available). Now it is. So go check it out right now.
Check this out:
My theoretical development and empirical results indicate that, compared with closed source software, vulnerabilities in open source software: (a) have increased risk of exploitation, (b) diffuse sooner and with higher total penetration, and (c) increase the volume of exploitation attempts.
Note that he’s not saying that open source is worse from a security perspective than closed source (“.. it would be incorrect to conclude that open source is strictly worse for software security.”). What he’s actually saying is that the exploitability distribution differs according to where the project is in its lifecycle, so exploitation is more pronounced at certain points. It’s very interesting reading if you have some time to commit to it.