Open vs Closed - Which is more secure?


DESCRIPTION

Open VS Closed Source Software: Which is more secure? This is the presentation given at the quarterly "Free Beer Sessions", answering the age-old question of whether open source software is more secure than its closed or proprietary counterparts. The presentation gives an overview of the philosophies and history driving both methodologies and provides case history examples to answer the question.


OPEN vs CLOSED: Which is more secure? Yossi Hasson

http://twitter.com/yossihasson

yossih@synaq.com

OPEN VS CLOSED: WHICH IS MORE SECURE?

“I’m closed. I’m more secure!”

“Open is better!”

The debate


“The system must not require secrecy and can be stolen by the enemy without causing trouble.”

- Auguste Kerckhoffs, 1883

Kerckhoffs’ Principle

At SYNAQ we believe that good OPEN SOURCE projects lead to better software being developed and are therefore generally more secure.

WHY

WHAT IS OPEN SOURCE

1983

“‘Free software’ is a matter of liberty, not price. To understand the concept, think of ‘free’ as in ‘free speech’, not as in ‘free beer’.”

- Richard Stallman

1991

“Hello everybody out there using minix. I'm doing a (free) operating system (just a hobby, won't be big and professional like gnu) for 386(486)AT clones.”

- Linus Torvalds

1998

“People are imperfect. What we have learned through the ages, though, is that combining lots of people creates a better end result, ... For some reason, we forgot that when it came to developing software.”

- Eric Raymond

1.  Free Redistribution
2.  Source Code
3.  Derived Works
4.  Integrity of The Author’s Source Code
5.  No Discrimination Against Persons or Groups
6.  No Discrimination Against Fields of Endeavor
7.  Distribution of License
8.  License Must Not Be Specific to a Product
9.  License Must Not Restrict Other Software
10. License Must Be Technology Neutral

Source: www.opensource.org

OSS Definition

WHAT IS CLOSED SOURCE

Source code of the software is not available, or the licensor does not grant the freedoms to use, modify, and distribute that are granted by free software licenses.

- Source: Wikipedia

“Who can afford to do professional work for nothing? What hobbyist can put 3 man-years into programming, finding all bugs, documenting his product and distribute for free?”

- Bill Gates, 1976

“There are fewer communists in the world today than there were. There are some new modern-day sort of communists who want to get rid of the incentive for musicians and moviemakers and software makers under various guises. They don't think that those incentives should exist.”

- Bill Gates, 2005

“Linux is a cancer that attaches itself in an intellectual property sense to everything it touches.”

- Steve Ballmer, 2001

WHAT PRIMARILY DRIVES BOTH

Closed Source
•  Making money

Open Source
•  Status
•  Contribution
•  Social Capital
•  Ideology
•  In some cases: Making money

WHAT’S THIS GOT TO DO WITH SOFTWARE SECURITY?

$

TIME

“In an open source project, to make a mistake and have it known to the entire development community and your friends is mortifying to the extreme … the last moment before hitting the Enter key – to commit a change or send a patch out into the cold cruel world of your peers – is the longest moment imaginable.”

- Michael H. Warfield, senior researcher, Internet Security Systems

Factors to Consider

•  Time to compromise
•  Speed at which flaws are fixed
•  Number of vulnerabilities
•  Major virus outbreaks
•  Trust

Time to Compromise

•  Time taken to compromise an un-patched Linux vs Windows XP machine

Linux: 3 Months*

Windows XP: 4 Minutes (pre SP2)*, 18 Minutes (post SP2)**

Source: * Honeynet “Know Your Enemy: Trend Analysis” (2004); ** Symantec’s Internet Security Threat Report (2004)

WINNER

Bugs

Article “Apache avoids most security woes” found that Apache’s last serious security problem was announced in January 1997.

Article “IT bugs over IIS security” found that Microsoft had reported 21 security bulletins over the period, 8 of which were rated highly dangerous, compared to 0 for Apache over the same period.

Source: eWeek & www.dwheeler.com/oss_fs_why.html

Fixing Flaws #1

Vendor                          Number of Advisories    Average Time to Resolve After Discovery
[vendor shown as logo, not captured]    31              11.2 days
[vendor shown as logo, not captured]    61              16.1 days
[vendor shown as logo, not captured]    8               89.5 days

Source: SecurityPortal

WINNER

Fixing Flaws #2

The U.S. Department of Homeland Security’s Computer Emergency Readiness Team (CERT) recommended using browsers other than Microsoft Corp.’s Internet Explorer (IE) for security reasons. Microsoft had failed to patch a critical vulnerability for 9 months, and IE was being actively exploited in horrendous ways.

Source: US Department of Homeland Security, CERT

According to Symantec Corp., Mozilla Firefox fixed its vulnerabilities faster, and had fewer severe vulnerabilities than Internet Explorer.

Source: Symantec, 2004

WINNER

Fixing Flaws #3

eWeek Labs’ article “Open Source Quicker at Fixing Flaws” listed specific examples of more rapid response. A serious flaw was found in the Apache Web server; the Apache Software Foundation made a patch available two days after the Web server hole was announced.

Source: eWeek, article: “Open Source Quicker at Fixing Flaws”

WINNER

Virus Outbreaks #1

Computer viruses are overwhelmingly more prevalent on Windows than any other system.

Microsoft IIS features twice as often (49% vs. 23%) as a malware distributing server.

Source: Google, Online Security Blog (2007)

WINNER

Who to Trust? #1

European Parliament calls “on the Commission and Member States to promote software projects whose source text is made public (open-source software), as this is the only way of guaranteeing that no backdoors are built into programmes [and calls] on the Commission to lay down a standard for the level of security of e-mail software packages, placing those packages whose source code has not been made public in the ‘least reliable’ category” (5 September, 2001; 367 votes for, 159 against and 39 abstentions).

Source: European Parliament A5-0264/2001

Who to Trust? #2

•  April 2000: discovery that FrontPage contained a deliberate “backdoor”

•  It had remained undetected for more than 4 years

Source: TruSecure, Paper: Open Source Security

Who to Trust? #3

•  Some time between 1992 and 1994, a “back door” was inserted in the DB server InterBase
•  The vulnerability stayed for 6 years
•  Borland released the source code in July 2000 as OSS/FS
•  Firebird launched
•  5 months later CERT identified the vulnerability, and it was patched shortly after

Who to Trust? #4: Comparison EULA to GPL

                                                      Microsoft EULA (XP)    GPL
Percentage of license which limits your rights        45%                    27%
Percentage of license which extends your rights       15%                    51%
Percentage of license which limits your remedies      40%                    22%

Source: Cybersource, a comparison of the GPL and the Microsoft EULA

The Tally

Factor                   Open Source    Closed Source
Time to compromise       ✔              ✖
Number of critical bugs  ✔              ✖
Speed at fixing flaws    ✔              ✖
Number of viruses        ✔              ✖
Who to trust             ✔              ✖

Conclusion

•  “Openness” of source code is 1 factor of many when considering security

•  Being open doesn’t automatically mean more secure

•  The underlying driving motives for open source can lead to better software development

•  History has shown that good open source projects tend to be more secure than their closed counterparts

•  It’s a question of who to put your trust in

Thank You &

Remember

References

•  Why open source? (David Wheeler)
•  IBM, The security implications of open source software
•  Open source versus closed source security (Jason Miller)
•  Open source security: A look at the security benefits of source code access (TruSecure)

Questions and Further Information

yossih@synaq.com

011 262 3632
