Open source security ‘not good enough’

Open source software will have to lift its security game if it is to match that of proprietary software, particularly if its use proliferates, according to representatives from global information security companies.

Asia Pacific vice president of security giant Symantec, Vincent Steckler, said open source is “not the silver bullet”.

“The reason viruses are written for Microsoft is because most people use it,” Steckler said. “If 90 percent [of software] was open source there would be just as many attacks, only worse. Imagine smart hackers with [access to] source code.”

Speaking at IDC’s SecurityVision 2004 conference in Sydney, Steckler compared the motives of operating system intruders and virus writers to that of the infamous New York bank robber Willy Sutton who, when asked why he robbed banks, said, “’Cause that’s where all the money is”. Steckler said, “Replacing Microsoft with open source won’t solve the security problem.

“Why would anyone write viruses for OS/2?”

SurfControl’s technical manager for e-mail products and technology, Richard Cullen, seconded this argument of increased proliferation leading to more security issues.

Open source and Linux hasn’t seen as many exploits because of market penetration,” Cullen said. “There are viruses for Linux but Microsoft is a bigger target.”

On the topic of source code access, Cullen said: “Recently, some of Microsoft’s source code was leaked and an exploit was discovered within days. This happened because the code was open.”

NSW Fisheries’ principal IT services manager Gregory Krasovitsky agreed that market penetration is an important factor when comparing open versus closed source security.

“We don’t see as many [security] patches for open source because of its market penetration and security companies are writing software for 90 percent of the market,” Krasovitsky said.

“For example, Debian (Debian GNU/Linux) has left vulnerabilities there and didn’t release any patches for them.”

Krasovitsky, who participates in state government open source and security forums, said it is “very clear” that the number of patches for Microsoft is more stable than that for open source software, which are growing rapidly.

"Open source and community-driven security is not good enough,” he said. “I have a funny feeling that open source is now being developed by major vendors like Novell and IBM. In a year or two open source will start matching the penetration of Microsoft. Then we will see more patches being developed.”

Global information security vendor Check Point made a conscious decision to adopt the open source Linux operating system and that it is up to the task, according to the company’s Australia and New Zealand regional director Scott Ferguson.

“We are proud of the fact that we use Linux and it is delivered in a ‘hardened’ way,” Ferguson said. “We are also confident that it is more secure than Microsoft [Windows] or other proprietary operating systems.”

Show Comments