Open VS Closed Source Software: Which is more secure? This is the presentation given at the quarterly "Free Beer Sessions" answering the age old question of whether open source software is more secure than their closed or proprietary counterparts. The presentation gives an overview of the philosophies and history driving both methodologies and provides case history examples to answer the question.

1. OPEN vs CLOSED: Which is more secure?
Yossi Hasson
http://twitter.com/yossihasson
yossih@synaq.com

2. OPEN
VS CLOSED
WHICH IS
MORE
SECURE

3. The debate
I’m closed.
I’m more
secure
Open is
better!

5. 5

7. Kerckhoff’s Principle
“the system must not require secrecy
and can be stolen by the enemy without
causing trouble.
”
- Auguste Kerckhoff, 1883

8. at SYNAQ
we believe that good
OPEN SOURCE projects
lead to better software
being developed and are
therefore generally more
secure

9. WHY

10. WHAT IS
OPEN
SOURCE

11. Richard Stallman
1983
“ Free software' is a matter of liberty, not price.
To understand the concept, think of ‘free’ as in ‘free speech’
”
not as in ‘free beer’

12. Linus Torvalds
1991
“
Hello everybody out there using minix. I'm doing a (free)
operating system (just a hobby, won't be big
”
and professional like gnu) for 386(486)AT clones.

13. Eric Raymond
1998
“
People are imperfect. What we have learned through the ages, though,
is that combining lots of people creates a better end result, ...
For some reason, we forgot that when it came to developing software.
”

14. OSS Definition
1. Free Redistribution
2. Source Code
3. Derived Works
4. Integrity of The Author’s Source Code
5. No Discrimination Against Persons or Groups
6. No Discrimination Against Fields of Endeavor
7. Distribution of License
8. License Must Not Be a Specific to a Product
9. License Must Not Restrict Other Software
10. License Must Be Technology Neutral
Source: www.opensource.org

15. WHAT
IS
CLOSED
SOURCE

16. Source code of the software is not
available, or the licensor does not
grant the freedoms to use, modify,
and distribute that are granted by
free software licenses.
- Source: Wikipedia

17. “ Who can afford to do professional work for nothing?
What hobbyist can put 3-man years into programming,
finding all bugs, documenting his product and distribute for free?
- Bill Gates, 1976

18. “
There are fewer communists in the world today than there were.
There are some new modern-day sort of communists
who want to get rid of the incentive for musicians and moviemakers
and software makers under various guises.
They don't think that those incentives should exist
- Bill Gates, 2005

19. “
Linux is a cancer that attaches itself in an intellectual
property sense to everything it touches
- Steve Ballmer, 2001

20. WHAT
PRIMARILY
DRIVES
BOTH

21. Closed Source

22. Open Source
 Status
 Contribution
 Social Capital
 Ideology
 In some cases:
Making money

23. WHATS THIS
GOT TO DO
WITH
SOFTWARE
SECURITY

24. $
TIME

25. “
In an open source project, to make a mistake and have it
known to the entire development community and your
friends is mortifying to the extreme …. the last moment
before hitting the Enter key – to commit a change or send
a patch out into the cold cruel world of your peers – is
”
the longest moment imaginable
- Michael H. Warfield
senior researcher Internet Security Systems

27. Factors to Consider
 Time to compromise
 Speed at which flaws are fixed
 Number of vulnerabilities
 Major virus outbreaks
 Trust

28. Time to Compromise
• Time taken to compromise an un-patched
Linux vs Windows XP machine
VS

29. Time to Compromise
Linux Windows XP
3 Months* 4 Minutes (pre SP2)*
18 Minutes (post SP2)**
WINNER
Source:
* Honeynet “Know Your Enemy: Trend Analysis” (2004)
** Symantec’s Internet Security Threat Report (2004)

30. Bugs

31. Bugs
Article “Apache avoids most security woes” found
Apache’s last serious security problem was
announced in January 1997
Article “IT bugs over IIS security” found Microsoft had
reported 21 security bulletins over the period - 8 of
which rated highly dangerous in comparison to 0
for Apache over the same period
Source:
eWeek &
www.dwheeler.com/oss_fs_why.html

32. Fixing Flaws

33. Fixing Flaws #1
VS VS

34. Fixing Flaws #1
Vendor Number Advisories Average Time to
Resolve After
Discovery
31 11.2 days
61 16.1 days
8 89.5 days
Source: SecurityPortal
WINNER

35. Fixing Flaws #2
VS

36. Fixing Flaws #2
The U.S. Department of Homeland Security’s Computer
Emergency Readiness Team (CERT)
recommended using browsers other than
Microsoft Corp.’s Internet Explorer (IE) for security
reasons. Microsoft had failed to patch a critical
vulnerability for 9 months, and IE was being
actively exploited in horrendous ways.
Source: US Department of Homeland Security, CERT

37. Fixing Flaws #2
Mozilla Firefox fixed its
According to Symantec Corp.,
vulnerabilities faster, and had fewer severe
vulnerabilities than Internet Explorer
WINNER
Source: Symantec, 2004

38. Fixing Flaws #3
VS

39. Fixing Flaws #3
eWeek Labs’ article “Open Source Quicker at Fixing Flaws” listed
Serious flaw was
specific examples of more rapid response.
found in the Apache Web server; the Apache
Software Foundation made a patch available two
days after the Web server hole was announced.
WINNER
Source: eWeek, article: “Open Source Quicker at Fixing Flaws”

40. Virus Outbreaks
Computer viruses are overwhelmingly more
prevalent on Windows than any other system.

41. Virus Outbreaks
VS

42. Virus Outbreaks #1
Microsoft IIS features twice as often (49% vs.
23%) as a malware distributing server.
WINNER
Source: Google, Online Security Blog (2007)

43. Who to Trust?

44. Who to Trust? #1
European Parliament calls “on the Commission and Member States to
promote software projects whose source text is made
public (open-source software), as this is the only way of
guaranteeing that no backdoors are built into
programmes [and calls] on the Commission to lay down a standard
for the level of security of e-mail software packages,
placing those packages whose source code has not been
made public in the ‘least reliable’ category”
(5 September, 2001; 367 votes for, 159 against and 39 abstentions).
Source: European Parliament A5-0264/2001

45. Who to Trust? #2
• April 2000 discovery Frontpage contained a
deliberate “backdoor”
• Remained undetected for more than 4 years
Source: TruSecure, Paper: Open Source Security

46. Who to Trust? #3
• Some time between 1992 and 1994
• “Back door” inserted in the DB server InterBase
• Vulnerability stayed for 6 years
• Borland released source code July 2000 as OSS/
FS
• Firebird launched
• 5 months later CERT identified the vulnerability
and it was patched shortly after

47. Microsoft EULA - XP #4

48. Comparison EULA to GPL
EULA GPL
Percentage of license which limits 45% 27%
your rights
Percentage of the license which 15% 51%
extends your rights
Percentage of license which limits 40% 22%
your remedies
Source: Cybersource, a comparison of the GPL and the Microsoft EULA

49. The Tally
Factor Open Source Closed Source
Time to compromise ✔ ✖
Number critical bugs ✔ ✖
Speed at fixing flaws ✔ ✖
Number of Viruses ✔ ✖
Who to trust ✔ ✖

50. Conclusion
• “Openness” of source code is 1 factor of
many when considering security
• Being open doesn’t automatically mean
more secure
• Underlying driving motives for open source
can lead to better software development
• History has shown that good open source
projects tend to be more secure then their
closed counterparts
• It’s a question of who to put your trust in

51. Thank You
&
Remember

52. References
• Why open source? (David Wheeler)
• IBM, The security implications of open
source software
• Open source versus closed source
security (Jason Miller)
• Open source security: A look at the
security benefits of source code access
(TruSecure)
5
2

53. Questions and Further Information
yossih@synaq.com
011 262 3632