Is open-source really more secure?

From: Firstname Lastname (Todd_Thomas_at_DOH.STATE.FL.US)
Date: 07/12/04

  • Next message: Drew Copley: "Re: HijackClick 3"
    Date: Mon, 12 Jul 2004 10:51:04 -0400
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    Since well before the current Mozilla vs IE debate, open-source folks
    have been loudly proclaiming that their way is better and more secure
    than closed-source vendors like Microsoft. Typically, there is not much
    dissension from this position, but I think there should be. There are
    several contentions that open-source supporters make that are taken as
    fact when they are really lacking objective evidence in support of the
    claims. Here are 3 big ones that bear more discussion.

    1. "Open-source developers are inherently superior because they do
    it from a 'love' for their subject rather than for money." --- Honestly
    I have no idea why people even make this claim. It cannot truly be
    proven and is pretty prejudiced to boot. I know plenty of people who
    LOVE what they do and happen to get paid for it. In fact, I'd bet most
    people who work on open-source applications would leap at the chance to
    give up whatever job they have to get paid to work on the applications
    they love. No, simply because one group of developers is paid and one is
    not does not logically lead to the conclusion that the free code is better,
    or more secure than the code that is paid for. I welcome any attempts to
    prove otherwise.

    2. "Open-source code is more secure because so many more "eyes"
    look at it and study it for flaws." --- Really? Does every person who
    looks at the code study it for flaws? Aren't some of the folks looking
    for ways to add things to it? Is EVERY piece of the code studied? I once
    spoke to an open-source supporter who admitted to me that some code is
    more interesting than other code and that there are definitely pieces of
    the applications that get much less scrutiny than the rest. The
    assumption of the argument is that all these "eyes" are looking at
    everything equally and that is just not the case. One could argue that
    EVERY piece of an MS application is more likely to be looked at than
    every piece of open-source code because someone at Microsoft is paid to
    look at it. More eyes does not necessarily mean
    more secure if those eyes are ignoring some of the code.

    3. "The fact that so many more security problems arise with IE
    versus Mozilla proves open-source is more secure." --- Maybe yes and
    maybe no. Microsoft is a victim of its own success to a point here.
    Every time there is a problem with IE, the entire world hears about it.
    There are entire organizations and mechanisms to report such flaws to
    the community. Worse, Microsoft has to be careful when they "fix"
    problems because of the potential that they could cause a customer great
    harm by breaking something else that is not even their software. MS has
    to report when they issue a patch and test it for some period of time
    before releasing it.

    The open-source software is under no such constraints. How many security
    flaws are fixed silently by the open-source community? Don't the folks
    at places like Mozilla have a vested interest in fixing these things
    without publicity? Is anyone trying to scrutinize every change they
    make? In addition, does Mozilla really need to worry about compatibility
    issues when they fix something? Since you don't buy Mozilla, they have
    no "customers" as such and are not legally at risk if they "fix"
    something and break someone's mission critical application. In short,
    there are more reported flaws with things like IE, but that does not
    mean Mozilla does not have just as many.

    There are unquestionably some advantages to open-source software versus
    closed-source software, but I remain unconvinced that the advantages are
    as great as claimed. At least with regard to the 3 points I have made
    above, I think there is some doubt that an advantage exists. I remain
    more than willing to be convinced that these doubts are unfounded.

    Todd Thomas
    Disaster Preparedness Consultant
    MA, MCSE, CCNP, CNE, A+, CISSP
    Florida Dept of Health

    Mission: To promote and protect the health and safety of all people in
    Florida through the delivery of quality public health services and
    promotion of health care standards.

    Please note: Florida has a very broad public records law. Most written
    communications to or from state officials regarding state business are
    public records available to the public and media upon request. Your
    e-mail communications may therefore be subject to public disclosure.

    -----
    NTBugtraq Editor's Note:

    Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you'll have to copy their email address out of the message and place it in your TO: field.
    -----

