Open source vs. Windows: Security debate rages

It's a topic of fierce debate among high-tech cognoscenti: What's more secure - "open source" code such as Linux and Apache, or proprietary "closed source" operating systems and applications, Microsoft's in particular?

The regularity with which Microsoft has taken to announcing vulnerabilities and consequent software fixes has left few cheering about its security. In contrast, high expectations endure for open source, with proponents arguing that it's inherently more secure because a much larger set of developers can read the code, vet it and correct problems.

"I'm struggling to think of anyone who would argue the other way," says Adam Jollans, chief Linux technologist at IBM Software Group.

"Discovery is different in the open source and closed source approach," Jollans says. "Because source code is visible to lots of people, if there is a security issue, it tends to be spotted earlier. The open source community isn't shy about criticizing bad code." He added that a version of Linux, SUSE Linux Enterprise Server 9, in March became the first to earn Common Criteria certification at Evaluation Assurance Level 4 (EAL4), the government-recognized security evaluation standard, comparable to what Microsoft achieved with Windows 2000 Server in security test reviews three years ago.

Tim Clarke, IT director at Manifest, a maker of electronic voting and research tools for investment firms in England, feels much the same way about open source security. He says open source developers are "more agile and feel more exposed on a personal level to criticism at whatever level that might be aimed at their products."

Buying into the philosophy

Thus, open source developers are "more able to respond quickly and to use new and more secure techniques. Because they perform for peers' kudos, this, too, behooves them to perform well," Clarke says.

"Open source development is centered around operating systems designed many years ago with security and Internet connectivity as a base requirement," he adds.

Open source is foremost an "ethos" that "is precisely the best social environment for the best development of anything," Clarke maintains. "By contrast, the principal culprit of poor security, Microsoft, has several major issues with producing secure code."

"Microsoft seems lax to security threats," says Robert Swiercz, managing director of the Portal of Montreal, the city's Web site. "I have less and less ability to trust them." He, too, expresses confidence in the open source community, saying, "this is where the solutions are coming from."

However, some call these assumptions into question and assert there's a lack of accountability in fixing open source. A number of research firms are ready to puncture the belief that open source is by its very nature superior.

In its report, "Securing Open Source Infrastructure," Burton Group dispels any notion that open source software is inherently more secure simply because more people can look at it.

"Experience shows this simply isn't true," the research firm states, calling it "the myth of more eyes," citing case after case where no one spotted critical flaws in open source code.

Burton Group also points out the potential for developers placing back doors in open source code, and notes that when it comes time for the open source community to fix the inevitable vulnerabilities, businesses using it might come to rely on the "whim of individuals rather than organizations they are more accustomed to dealing with." The firm adds that dealing with traditional vendors isn't necessarily any better.

When it comes to closed source, there's a single point of contact - whether it be Microsoft, Oracle or any other vendor - where security flaws that come to light get addressed, typically by issuing a software patch. The situation in the open source world is different, IBM's Jollans says.

If someone identifies a security vulnerability in Linux, IBM - as well as other Linux-supporting vendors - might each respond with their own "emergency patch," which also would be shared as an interim fix with the Linux community.

The intention, he says, is to have a permanent change approved by the inner circle of Linux code-writers, including Andrew Morton, the Linux kernel maintainer at the Open Source Development Labs. If the code change to fix the security flaw is significant, it might also require the approval of the ultimate Linux authority, Linus Torvalds.

IBM is going to rush out with an emergency Linux fix, if needed, regardless of what the Open Source Development Labs does. "The prime consideration is to support our customers," Jollans says.

Starts with the basics

Stacey Quandt, analyst at research firm Robert Frances Group, argues for the open source security advantage in a report she wrote last March.

According to Quandt, Windows "is intentionally designed to support application functionality in the operating system and deep application integration in the Windows kernel." This "tight integration" in Windows, which is not the case with Linux, "increases the number of security exposures."

To Quandt, the security remediation process is wholly different in the two camps.

"The majority of reported flaws in Windows come from security firms or from hackers, with exploits often appearing first 'in the wild' and with countermeasures starting with commercial anti-virus updates prior to an operating system patch," she states in her report. "For the open source operating systems, security flaws are more frequently reported by university researchers or developers within the open source community, who often provide the source to correct the underlying problem with the report of the flaw (though most enterprise users will apply those patches only when released by their distribution vendors)."

The number of vulnerabilities in open source vs. closed source - and how fast they get fixed, respectively - stirs up debate on both sides.

Research firm Security Innovation caused an uproar when it asserted in a study - paid for by Microsoft - that a Web server based on open source code had twice as many security vulnerabilities recorded in 2004 as a comparable Microsoft-based Web server.

The study pitting Red Hat Linux and open source applications against Microsoft products asserted it took the open source community twice as long to fix the vulnerabilities discovered in 2004.

Red Hat didn't challenge the number of reported vulnerabilities but said it would define fewer of them as "critical" as listed in the Security Innovation report. "Customers are interested in how quickly we respond to the issues that matter most," said Red Hat engineer Mark Cox in a statement.

Herbert Thompson, director of research and training at Security Innovation, says the study will withstand scrutiny.

"When folks talk about Linux and Windows security, a lot of religion gets involved. We wanted to take the religion out of it," he says.

Open source vs. Windows security

Research firm Security Innovation evaluated both and found:

Windows Server 2003, IIS 6.0, SQL Server 2000 and ASP.NET
  Web server role: 52 vulnerabilities needing patches in 2004; average "days of risk" before patch: 31.3

Red Hat Linux 3.0, Apache Web server, MySQL and PHP
  Web server role (minimally configured Linux): 132 vulnerabilities needing patches in 2004; average "days of risk" before patch: 69.6
  Default configuration: 174 vulnerabilities needing patches in 2004; average "days of risk" before patch: 71.4
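The "days of risk" figures above are simply the count of vulnerabilities and the average gap between public disclosure and the vendor's patch. Red Hat's objection, that which issues get rated "critical" decides what is counted, is easy to see once the metric is written down. The script below is an added example, not code from Security Innovation, Red Hat or Microsoft; the advisory records, the EX-2004-* identifiers and the severity labels are constructed for illustration, and the severity ranking is an assumption about how a vendor might order its ratings.

```python
"""Compute the "days of risk" metric used in vendor-vs-vendor patch comparisons.

Added example, not code from Security Innovation, Red Hat or Microsoft. For each
vulnerability the metric is the number of days between public disclosure and the
vendor's patch; the comparison reports the count and the average. The sample
advisories below are constructed, not real, and the EX-2004-* identifiers and
severity labels are hypothetical.
"""
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Iterable

# Assumed ordering of vendor severity ratings, lowest to highest.
SEVERITY_RANK = {"low": 0, "moderate": 1, "important": 2, "critical": 3}


@dataclass(frozen=True)
class Advisory:
    vuln_id: str      # hypothetical identifier, not a real CVE
    component: str
    severity: str
    disclosed: date   # date the flaw became public
    patched: date     # date the vendor shipped a fix

    def days_of_risk(self) -> int:
        """Days the flaw was public before a patch existed."""
        if self.patched < self.disclosed:
            raise ValueError(f"{self.vuln_id}: patch predates disclosure")
        return (self.patched - self.disclosed).days


def summarize(advisories: Iterable[Advisory], min_severity: str = "low") -> tuple[int, float]:
    """Return (count, average days of risk) for advisories rated at or above min_severity.

    The same advisory list yields very different numbers depending on the
    severity threshold, which is the point Red Hat raised about the study.
    """
    threshold = SEVERITY_RANK[min_severity]
    kept = [a for a in advisories if SEVERITY_RANK[a.severity] >= threshold]
    if not kept:
        return 0, 0.0
    return len(kept), round(float(mean(a.days_of_risk() for a in kept)), 1)


# Constructed sample: one year of advisories for a hypothetical LAMP-style stack.
SAMPLE = [
    Advisory("EX-2004-001", "httpd",   "critical",  date(2004, 1, 10), date(2004, 1, 14)),
    Advisory("EX-2004-002", "php",     "important", date(2004, 2, 1),  date(2004, 3, 2)),
    Advisory("EX-2004-003", "mysql",   "moderate",  date(2004, 3, 5),  date(2004, 5, 24)),
    Advisory("EX-2004-004", "kernel",  "critical",  date(2004, 4, 1),  date(2004, 4, 3)),
    Advisory("EX-2004-005", "openssl", "low",       date(2004, 6, 15), date(2004, 11, 12)),
    Advisory("EX-2004-006", "php",     "low",       date(2004, 8, 20), date(2004, 12, 18)),
]

if __name__ == "__main__":
    for level in ("low", "moderate", "important", "critical"):
        count, avg = summarize(SAMPLE, level)
        print(f"severity >= {level:<9} count={count}  avg days of risk={avg}")
```

On the constructed data, counting everything gives 6 issues with an average of 64.3 days of risk, while counting only "critical" issues gives 2 issues at 3.0 days: the low-severity long-tail dominates the unfiltered average. Any cross-vendor comparison therefore depends on both vendors rating severity the same way, which the two sides in the article did not agree on.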

However, critics contend that a direct comparison of how Microsoft and the open source world go about discovering and fixing software flaws is unfair.

"Look, if I divulge a vulnerability, I have to worry that Microsoft will sue me," says William Hurley, CEO at start-up Symbiot, which makes a real-time visualization tool for open source security tools, including Snort and Nmap. "But hiding a vulnerability doesn't take it out of the realm of reality."

Mistakes are made in both open source and in Microsoft products, Hurley says, and it's better for the world to know of a security problem so there can be a workaround for it even if no patch is available for a month.

A Microsoft spokeswoman says the company does not sue those who publicize a vulnerability but does encourage responsible disclosure.

Some IT managers say they have deep reservations about open source.

"There's no quality control on some of it," says Jim Cupps, information security officer in the North American division of SAPPI Fine Paper. He says he buys proprietary tools, including Core Security's vulnerability-assessment tool, because a lot of the open source tools don't seem to be thoroughly tested or kept up to date when new exploits come out.

Other IT managers say they like a lot of open source security tools and applications but corporate policies prevent them from using them.

"We don't do open source because my lawyer says there's no one to sue," says Phil Maier, vice president of information security at Inovant, Visa's technology deployment division. "The lawyers had the final say."

Copyright © 2005 IDG Communications, Inc.