Re: Why open source software is more secure



On Thu, May 08, 2008 at 08:14:17AM -0700, Ali, Saqib wrote:
On Thu, May 8, 2008 at 1:41 AM, sapran <sapran@xxxxxxxxx> wrote:
The main goal of a software vendor is not to bring you a _good_ product, but to sell it you.

As much as I like opensource, I have to say what you stated above is
incorrect. There is a disconnect. The software vendor's goal is to
sell software (like any other business), but to do that it has to
build a reputation. And it can not build a good reputation by
consistently producing bad (insecure) software.

More specifically:

The software vendor's goal is to sell software. To do so, it must create
an impression of value in the minds of the targeted customer base. There
are a number of ways to do this, and any successful vendor will probably
make use of two or three at least. There are of course certain areas of
perceived value for which it is critically important to avoid appearing
to have *zero* value, and one of them is security.

Some of the most successful software vendors in the world go no further
than giving an impression that their software can be made "secure enough"
for most purposes by the customer, regardless of how secure it is
perceived to be by default. This shows just how unimportant most people
view the matter of security -- they figure that something that isn't
really secure by default, but can be made "secure enough" for some
minimal value of $enough, is all that's needed in that respect. This is
why, for instance, the single most popular desktop operating system in
the world is one whose vendor utterly fails to provide proper support for
security patching when it comes to mobile replicating malware:

http://blogs.techrepublic.com.com/security/?p=286

The benefits of open source software are twofold, really, with a
sub-benefit to one of those two main benefits, when it comes to security:

1. The primary goal of commercial software vendors is to sell software.
While the high quality of the software is a potential factor in making
the software more easily sold to the masses, it is not the only factor,
and there are other factors that directly compete with quality for the
vendor's investment. As such, there's usually a (non-specific)
practical upper limit to how good the software can be. With open
source software, on the other hand, the individually interested
developers (as opposed to those who get involved solely at the behest
of commercial entities that want to sell open source software) are
primarily focused on making the software as good as it can be. Reasons
for that include using the quality of the software as personal
reputation builder and, more importantly, wanting the software to be as
good as possible because the developers themselves typically use it --
the main reason many of them got into developing it in the first place.

2. Primarily, the "many eyes" principle of security comes into play in
the development of open source software, ensuring the improvement of
its security characteristics over time. Secondarily, something related
to Kerckhoffs' Principle comes into play, "forcing" the developers of
open source software to work toward software whose security
characteristics are not dependent on fallacious security concepts like
"security through obscurity". A couple of relevant links:

Kerckhoffs' Principle --
http://en.wikipedia.org/wiki/Kerckhoffs'_principle

Security Through Visibility --
http://articles.techrepublic.com.com/5100-10878_11-6064734.html

The long and the short of it is that commercial software vendors, in
general, are neither significantly motivated to produce secure, high
quality software, nor entirely unmotivated to produce secure, high
quality software. Their actual motivations lie somewhere between the two
extremes, and that level of motivation can vary wildly between those
extremes. The benefit to open source software is not that its developers
are motivated to create secure, high quality software while commercial
software vendors' developers are not, but that open source software
developers tend strongly to have a more inherent motivation toward
developing secure, high quality software. This is largely because for
open source software developers, secure, high quality software is an end
in itself, while for commercial software vendors, secure, high quality
software is just one means of many toward an indirectly related end.

It's all a matter of tendencies, though, and not of absolute truths.

There is one other very important factor, though. With closed source
software, there is also something of an implicit motivation to violate
the security of the end user -- because the obscurity of the system's
inner workings lends itself to a sense that the vendor can "get away
with" something that can, if the vendor is clever enough, be used as
leverage toward greater market share.

--
CCD CopyWrite Chad Perrin [ http://ccd.apotheon.org ]
Rudy Giuliani: "You have free speech so I can be heard."

Attachment: pgpUPfgeB8Hs9.pgp
Description: PGP signature



Relevant Pages

  • RE: Why Easy To Use Software Is Putting You At Risk
    ... Anyone who has been working with computers for a long time ... because DNS does not configure properly or security ... Is It Also Secure ... Microsoft developers. ...
    (Security-Basics)
  • Why Easy To Use Software Is Putting You At Risk
    ... Anyone who has been working with computers for a long time will have noticed ... because DNS does not configure properly or security permissions are relaxed ... Is It Also Secure ... guarantee that no one really knows for sure, not even Microsoft developers. ...
    (Security-Basics)
  • RE: Why Easy To Use Software Is Putting You At Risk
    ... Can Easy To Use Software Also Be Secure ... Anyone who has been working with computers for a long time will have noticed ... because DNS does not configure properly or security permissions are relaxed ... guarantee that no one really knows for sure, not even Microsoft developers. ...
    (Security-Basics)
  • RE: Why Easy To Use Software Is Putting You At Risk
    ... So even if you do not want the piece of paper - education never hurts. ... Can Easy To Use Software Also Be Secure ... because DNS does not configure properly or security permissions are ... easier to work with then they use to is developers have created ...
    (Security-Basics)
  • Re: Ten least secure programs
    ... it's probably better you leave the topic alone ... I said I do not have security issues with the programs I code. ... I didn't realize you were a Linux user, ... > the most widely used and secure UNIX flavors? ...
    (Security-Basics)