Is Open-Source More Secure?
Open-source software has faced both criticism and praise for the last 15 or so years since it broke into the IT scene. Misconceptions, or myths, about open-source software have plagued the scene from the very beginning.
Closed-Source Programmers Are Liable for Their Software
One of the largest complaints about open-source software, in the corporate environment, is that there isn’t anyone to point a finger at when problems arise. Simply put, the support isn’t there for open-source software. This complaint, however, isn’t accurate. All of the support information you need is provided by the nature of open-source software. The source code can be downloaded for free and is often heavily documented. In addition, the vast majority of open-source software developers offer cost-based support options for large companies. Moving further with this, most closed-source vendors will not allow you to view their source code or let alone make changes to it. Many open-source software vendors will continue to support a modified version of their software.
Open-Source Software Developers Create Backdoors in Their Software
Another misconception that simply doesn’t hold water is that open-source software developers plant bugs, Trojans and backdoors in their software when building it. Although this probably occurs on occasion, it is not common. Interestingly enough, it really doesn’t buy a malicious developer much because the software’s source-code is readily available. Again, the nature of open-source software provides that safety of seeing exactly how it works. If you think there might a problem, simply take that portion of the code out. The most interesting part of this myth is that closed-source programmers most likely build backdoors in their programs as well. The problem is you have no idea what a closed-source program runs on or how many Trojans, bugs or backdoors exist. It would be the equivalent of buying a car with its hood welded shut. You would just have to take the word of the salesman that it runs great and has a new motor. Open-source software would be the same car but have an operational hood that opens, with the entire engine blueprinted and documented, including all maintenance since the car rolled off the assembly line. Chances are that the latter car would be free of charge. Which car you would buy?
Closed-Source Slows Attacks
Because open-source software is by nature all-revealing, one might think that it would make creating exploits for the software easier. It should be intuitive that closed-source software would circumvent this problem, right? Wrong. Crackers have programs called decompilers or disassemblers that will reverse engineer most closed-source software. This will essentially provide an attacker with a blueprint to the closed-source software. Now, we are at a major disadvantage because there are only two groups that know about existing vulnerabilities, the crackers and the vendor. Two scenarios will most likely follow:
A) The hackers release a zero day exploit, wreaking havoc on all users of the software, and the vendor will patch as soon as they can. This could take weeks or months, all the while, you are struggling to stay secure.
B) The vendors find the vulnerability and either release a patch as soon as they can or choose to leave it be, accepting the risk that an exploit might be developed.
Let’s take the same scenario, this time we will be using open-source software.
A cracker reviews the source code for a popular open-source software suite. After finding a major vulnerability, the cracker releases a vicious virus.
A) The thousands of developers that took part in building the software come together and quickly create a patch. This could take comparable time to a closed-source vendor.
B) You decide to patch it yourself. After studying the vulnerability you simply make a few changes to the source and recompile the software.
Because the developers of open-source software are often users themselves, they will usually work hard to ensure vulnerabilities are patched quickly. Even if they don’t, remember, this is open-source software, so you can do it yourself. Often, other users of the software will develop a fix and post it online for others to use, furthering the benefits of open-source software.
Open-source software provides the flexibility to allow an application to be secure. There are many variables that play into the security of an operating system or application. Being open-source simply gives the application the potential to be more secure, never guaranteeing it. Always remember that simply because software is classified as open-source software, it should not be considered secure. Is open-source software without a doubt more secure than closed-source software? Not necessarily, but most people wouldn’t buy a car with the hood welded shut.
Brad Causey is a security consultant and owns Zero Day Consulting, an incident response and penetration testing company in Alabama. Brad can be reached at firstname.lastname@example.org.