OPEN vs CLOSED: Which is more secure? Yossi Hasson http://twitter.com/yossihasson [email protected]


DESCRIPTION

Open vs Closed Source Software: Which is more secure? This is the presentation given at the quarterly "Free Beer Sessions", answering the age-old question of whether open source software is more secure than its closed or proprietary counterparts. The presentation gives an overview of the philosophies and history driving both methodologies and provides case-history examples to answer the question.


Page 1: Open vs Closed - Which is more secure?

OPEN vs CLOSED: Which is more secure?
Yossi Hasson, http://twitter.com/yossihasson, [email protected]

Page 2

OPEN VS CLOSED: WHICH IS MORE SECURE?

Page 3

The debate: "I'm closed. I'm more secure." vs. "Open is better!"

Page 4

Page 5

Page 6

Page 7

Kerckhoffs's Principle

"The system must not require secrecy and can be stolen by the enemy without causing trouble." - Auguste Kerckhoffs, 1883
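The principle can be made concrete in code. The following is an added example, not part of the original presentation: two hypothetical token schemes, one whose security rests on the recipe staying secret (a salt baked into the source), and one whose security rests only on a key held outside the source. "The enemy steals the system" is modelled as the attacker reading this file. The salt value, the key-generation helper and the scheme names are all constructed for the example.

```python
"""Kerckhoffs's principle as runnable code.

Added example, not from the presentation. Scheme A keeps its transformation
secret (a salt hardcoded in the source); scheme B uses a public algorithm
(HMAC-SHA256) with a per-deployment key that never appears in the source.
All names and values are hypothetical.
"""
import hashlib
import hmac
import secrets

# --- Scheme A: security through obscurity ---------------------------------
# The only secret is the recipe. Anyone who reads the source learns the salt
# and with it everything needed to mint a valid token for any user.
_OBSCURE_SALT = b"s3cr3t-sauce"  # hypothetical hardcoded value; leaks with the code


def obscure_token(user: str) -> str:
    return hashlib.sha256(_OBSCURE_SALT + user.encode()).hexdigest()


def obscure_verify(user: str, token: str) -> bool:
    return hmac.compare_digest(obscure_token(user), token)


# --- Scheme B: Kerckhoffs-compliant ---------------------------------------
# The algorithm is public; only the key is secret, generated at deployment
# time and kept in configuration or a KMS rather than in the repository.
def new_deployment_key() -> bytes:
    return secrets.token_bytes(32)


def keyed_token(key: bytes, user: str) -> str:
    return hmac.new(key, user.encode(), hashlib.sha256).hexdigest()


def keyed_verify(key: bytes, user: str, token: str) -> bool:
    return hmac.compare_digest(keyed_token(key, user), token)


# --- The enemy steals the system -------------------------------------------
def attacker_with_source(user: str) -> tuple[str, str]:
    """Tokens an attacker can forge after reading this file, without the deployment key.

    Scheme A: the attacker just re-runs the leaked recipe.
    Scheme B: the attacker knows the algorithm completely but must guess a
    256-bit key; one representative guess is shown.
    """
    forged_a = hashlib.sha256(_OBSCURE_SALT + user.encode()).hexdigest()
    forged_b = hmac.new(b"best-guess", user.encode(), hashlib.sha256).hexdigest()
    return forged_a, forged_b


def disclosure_outcome(user: str = "admin") -> dict[str, bool]:
    """True means the forged token was accepted, i.e. source disclosure broke the scheme."""
    key = new_deployment_key()
    forged_a, forged_b = attacker_with_source(user)
    return {
        "obscurity_scheme_broken": obscure_verify(user, forged_a),
        "keyed_scheme_broken": keyed_verify(key, user, forged_b),
    }


if __name__ == "__main__":
    print(disclosure_outcome())
```

Run it and scheme A is broken the moment its source is readable, while scheme B is unaffected: the attacker now knows exactly how the token is computed and still has nothing to work with but a key guess. That is the property the deck is appealing to when it argues that publishing source should not, by itself, weaken a well-designed system.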

Page 8

At SYNAQ we believe that good OPEN SOURCE projects lead to better software being developed, and are therefore generally more secure.

Page 9

WHY

Page 10

WHAT IS OPEN SOURCE

Page 11

1983

"Free software is a matter of liberty, not price. To understand the concept, think of 'free' as in 'free speech', not as in 'free beer'." - Richard Stallman

Page 12

1991

"Hello everybody out there using minix. I'm doing a (free) operating system (just a hobby, won't be big and professional like gnu) for 386(486)AT clones." - Linus Torvalds

Page 13

1998

"People are imperfect. What we have learned through the ages, though, is that combining lots of people creates a better end result, ... For some reason, we forgot that when it came to developing software." - Eric Raymond

Page 14

OSS Definition

1.  Free Redistribution
2.  Source Code
3.  Derived Works
4.  Integrity of The Author's Source Code
5.  No Discrimination Against Persons or Groups
6.  No Discrimination Against Fields of Endeavor
7.  Distribution of License
8.  License Must Not Be Specific to a Product
9.  License Must Not Restrict Other Software
10. License Must Be Technology Neutral

Source: www.opensource.org

Page 15

WHAT IS CLOSED SOURCE

Page 16

Source code of the software is not available, or the licensor does not grant the freedoms to use, modify, and distribute that are granted by free software licenses.

Source: Wikipedia

Page 17

"Who can afford to do professional work for nothing? What hobbyist can put 3-man years into programming, finding all bugs, documenting his product and distribute for free?" - Bill Gates, 1976

Page 18

"There are fewer communists in the world today than there were. There are some new modern-day sort of communists who want to get rid of the incentive for musicians and moviemakers and software makers under various guises. They don't think that those incentives should exist." - Bill Gates, 2005

Page 19

"Linux is a cancer that attaches itself in an intellectual property sense to everything it touches." - Steve Ballmer, 2001

Page 20

WHAT PRIMARILY DRIVES BOTH

Page 21

Closed Source

Page 22

Open Source

•  Status
•  Contribution
•  Social Capital
•  Ideology
•  In some cases: Making money

Page 23

WHAT'S THIS GOT TO DO WITH SOFTWARE SECURITY

Page 24

Figure (not reproduced): "$" vs "TIME"

Page 25

"In an open source project, to make a mistake and have it known to the entire development community and your friends is mortifying to the extreme .... the last moment before hitting the Enter key - to commit a change or send a patch out into the cold cruel world of your peers - is the longest moment imaginable." - Michael H. Warfield, senior researcher, Internet Security Systems

Page 26

Page 27

Factors to Consider

•  Time to compromise
•  Speed at which flaws are fixed
•  Number of vulnerabilities
•  Major virus outbreaks
•  Trust

Page 28

Time to Compromise

•  Time taken to compromise an unpatched, Internet-exposed Linux machine vs. an unpatched Windows XP machine

Page 29

Time to Compromise (WINNER: Linux)

System                   Time to compromise
Linux                    3 months*
Windows XP (pre SP2)     4 minutes*
Windows XP (post SP2)    18 minutes**

Sources: * Honeynet Project, "Know Your Enemy: Trend Analysis" (2004); ** Symantec, Internet Security Threat Report (2004)

Page 30

Bugs

Page 31

Bugs

•  The article "Apache avoids most security woes" found that Apache's last serious security problem was announced in January 1997.

•  The article "IT bugs over IIS security" found that Microsoft had reported 21 security bulletins for IIS over the period covered by the article, 8 of which were rated highly dangerous, compared with 0 for Apache over the same period.

Source: eWeek and www.dwheeler.com/oss_fs_why.html

Page 32

Fixing Flaws

Page 33

Fixing Flaws #1 (three vendors, shown on the slide as logos only)

Page 34

Fixing Flaws #1 (WINNER: the first vendor)

Vendor                    Number of advisories   Average time to resolve after discovery
Vendor 1 (logo only)      31                     11.2 days
Vendor 2 (logo only)      61                     16.1 days
Vendor 3 (logo only)      8                      89.5 days

Source: SecurityPortal

Page 35

Fixing Flaws #2

Page 36

Fixing Flaws #2

The U.S. Department of Homeland Security's Computer Emergency Readiness Team (CERT) recommended using browsers other than Microsoft Corp.'s Internet Explorer (IE) for security reasons. Microsoft had failed to patch a critical vulnerability for 9 months, and IE was being actively exploited in horrendous ways.

Source: US Department of Homeland Security, CERT

Page 37

Fixing Flaws #2 (WINNER: Firefox)

According to Symantec Corp., Mozilla Firefox fixed its vulnerabilities faster, and had fewer severe vulnerabilities, than Internet Explorer.

Source: Symantec, 2004

Page 38

Fixing Flaws #3

Page 39

Fixing Flaws #3 (WINNER: Apache)

eWeek Labs' article "Open Source Quicker at Fixing Flaws" listed specific examples of more rapid response: when a serious flaw was found in the Apache Web server, the Apache Software Foundation made a patch available two days after the hole was announced.

Source: eWeek, article "Open Source Quicker at Fixing Flaws"

Page 40

Virus Outbreaks

Computer viruses are overwhelmingly more prevalent on Windows than on any other system.

Page 41

Virus Outbreaks

Page 42

Virus Outbreaks #1 (WINNER: Apache)

Microsoft IIS features twice as often (49% vs. 23%) as a malware-distributing server, relative to its overall share of web servers.

Source: Google, Online Security Blog (2007)

Page 43

Who to Trust?

Page 44

Who to Trust? #1

The European Parliament calls "on the Commission and Member States to promote software projects whose source text is made public (open-source software), as this is the only way of guaranteeing that no backdoors are built into programmes [and calls] on the Commission to lay down a standard for the level of security of e-mail software packages, placing those packages whose source code has not been made public in the 'least reliable' category" (5 September 2001; 367 votes for, 159 against and 39 abstentions).

Source: European Parliament A5-0264/2001

Page 45

Who to Trust? #2

•  April 2000: discovery that FrontPage contained a deliberate "backdoor"
•  It had remained undetected for more than 4 years

Source: TruSecure, paper "Open Source Security"

Page 46

Who to Trust? #3

•  Some time between 1992 and 1994, a "back door" was inserted in the InterBase database server
•  The vulnerability stayed in the product for 6 years
•  Borland released the source code in July 2000 as OSS/FS
•  The Firebird project was launched from that code
•  5 months later CERT identified the vulnerability, and it was patched shortly after

Page 47

Who to Trust? #4: Microsoft EULA - XP

Page 48

Comparison of the Microsoft EULA to the GPL

                                                    EULA   GPL
Percentage of license which limits your rights      45%    27%
Percentage of license which extends your rights     15%    51%
Percentage of license which limits your remedies    40%    22%

Source: Cybersource, "A comparison of the GPL and the Microsoft EULA"

Page 49

The Tally

Factor                    Open Source   Closed Source
Time to compromise        ✔             ✖
Number of critical bugs   ✔             ✖
Speed at fixing flaws     ✔             ✖
Number of viruses         ✔             ✖
Who to trust              ✔             ✖

Page 50

Conclusion

•  "Openness" of source code is one factor among many when considering security
•  Being open doesn't automatically mean more secure
•  The underlying motives driving open source can lead to better software development
•  History has shown that good open source projects tend to be more secure than their closed counterparts
•  It's a question of who to put your trust in

Page 51

Thank You & Remember

Page 52

References

•  David Wheeler, "Why open source?" (www.dwheeler.com/oss_fs_why.html)
•  IBM, "The security implications of open source software"
•  Jason Miller, "Open source versus closed source security"
•  TruSecure, "Open source security: A look at the security benefits of source code access"

Page 53

Questions and Further Information

[email protected]
011 262 3632