Does Open-Source Software Mean Better Security?

Setting the open-source security record straight

Open source is perceived by half of security experts at large enterprises as being at least as secure as commercial software, according to Forrester Research, which interviewed over 50 security experts at North American firms with over $1 billion in annual revenue. An additional 31 percent of those surveyed thought open source was more secure; 17 percent thought it was worse.

Advocates for open-source software and operating systems frequently argue it’s superior for multiple reasons: lower total cost of ownership, the dedicated community of security professionals who update and patch the code, rapid patching, and, overall, because it’s just more secure. Yet while there are multiple reasons for investing in open source, its relative security may not be a feature you can prove, and it may miss the point.

What feeds the surveyed security managers’ perceptions that open source is more secure? Emphasis is on the word “open,” with 69 percent of those surveyed lauding the open code base as a security strength. By contrast, only 27 percent saw it as a weakness.

Perceptions aside, keeping open source secure requires security managers to handle both the distributions and patching of open source software carefully; the software doesn’t magically repel attacks.

Linux Security Care and Feeding

A majority of those surveyed—65 percent—already use at least one version of Linux, and 60 percent plan to increase their Linux use. What drove them to use open source? In a word, cost. “Overall it is cheaper, even though overall you might have a higher learning curve,” says Vincent Danen, security update manager for MandrakeSoft, which makes a Linux distribution.

In other words, don’t forget to set aside extra money for training and maintaining open source skills. Open source advocates also recommend taking the long view. “Over the long run it’s much cheaper, because if you have the skills, you can maintain it yourself,” he notes.

When queried as to what would drive them away from open source, respondents’ top two responses were legal or security concerns. Picking up on those concerns, Forrester recommends organizations pick just one Linux distribution, then secure it by removing unneeded services. That’s no easy feat when a default installation means about 400 packages, and a full version almost 9,000. Yet having fewer packages means there are fewer patches to administer and fewer potential security holes.

Overall, to keep Linux secure, Forrester recommends companies do three things:

  1. Have a contingency plan in case an open-source project “forks” (development on it ceases, or continues in a radically different form).

  2. For organizations without extremely Linux-savvy staff to tackle vulnerabilities, select widely used open-source projects with copious documentation and likely free support.

  3. Only use the major Linux releases, to minimize potential support issues.

For patching in between major releases, Forrester advocates the use of VMware, a tool for creating a virtual replica of the production environment in which patches can be tested before rollout.

Security Smackdown: Linux versus Microsoft

Beyond securing open source, is there an argument to be made for whether it’s just inherently more secure than Windows? Controversially, earlier this year Forrester compared the relative security of Microsoft and Linux operating systems. Over the course of a year, it rated Debian, MandrakeSoft, Microsoft, Red Hat, and SUSE Linux’s platforms by how quickly vendors fixed public vulnerabilities, how severe the vulnerabilities were, and how well the patch actually fixed the problem.

“A lot of the open source versus closed source and Linux stuff is long on religious fervor and short on information, so what I intended to do was add a base of data so people could make rational decisions as opposed to what they believed,” says Koetzle. “I chose three criteria—responsiveness, relative severity, and thoroughness—but different things matter more to different organizations,” she says. “If you want security fixes absolutely as fast as you can get them, then you would make different choices than if you wanted security bulletins that worked a certain way.”

By her analysis, no one won or lost, though there were interesting results. In terms of high-vulnerability days of risk, Microsoft scored lowest at 22 days, with MandrakeSoft and SUSE coming in highest, at 78 and 82 days, respectively. Koetzle also noted, however, both Microsoft and MandrakeSoft—over the course of the year—began to more aggressively tackle higher-level vulnerabilities first.

When the Forrester report was released, Linux vendors denounced the findings. One objection: many Linux distributions ship with multiple browsers plus server software, and many real-world Linux installations simply don’t use all of the software mentioned in the various vulnerability announcements. Hence “it’s almost an impossible thing to compare. They’re not even different fruits; one’s a fruit and one’s a vegetable. That’s how far apart they are, I think,” says Danen.

What would be more useful, he says, is a comparison of the different Linux vendors’ responsiveness to vulnerabilities, rather than adding Microsoft to the mix, since doing so “may mislead [users] into thinking Microsoft is more secure than Linux, when maybe it isn’t. That report needed to be a lot broader than it was to be relevant,” says Danen.

In response, Koetzle recommends taking the numbers with a grain of salt. “One takeaway, which is profoundly unsexy, but which needs to be understood, is that your mileage will vary,” she says. “For any of these platforms, it can be operated securely, but deploying these platforms securely is up to you, and no amount of looking at the data on how fast people patch the vulnerabilities” will alone keep them secure, she notes.
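As an added example (not from the article or from Forrester’s report), the Python script below scores vendors on days of risk along the three criteria Koetzle describes, using constructed advisory data, and shows how restricting the count to the packages an organization actually runs (Danen’s objection) can reverse the ranking:

```python
from datetime import date
from statistics import mean

# Constructed sample advisories (illustrative only, not Forrester's data).
# Fields: vendor, affected package, severity, public disclosure date,
# date the vendor's patch shipped, whether that patch fully fixed the bug.
ADVISORIES = [
    ("VendorA", "httpd",   "high", date(2004, 1, 5),  date(2004, 1, 12), True),
    ("VendorA", "kernel",  "high", date(2004, 2, 1),  date(2004, 2, 10), False),
    ("VendorA", "browser", "low",  date(2004, 1, 20), date(2004, 2, 20), True),
    ("VendorB", "httpd",   "high", date(2004, 1, 5),  date(2004, 1, 25), True),
    ("VendorB", "browser", "high", date(2004, 2, 3),  date(2004, 2, 5),  True),
    ("VendorB", "kernel",  "high", date(2004, 2, 1),  date(2004, 2, 4),  True),
]

# Constructed date on which the study snapshot is taken.
SNAPSHOT = date(2004, 3, 1)


def days_of_risk(advisories, as_of, severity="high", installed=None):
    """Mean days from public disclosure to a complete fix, per vendor.

    Responsiveness: the disclosure-to-patch delay.  Thoroughness: an
    incomplete patch does not close the window, which stays open until
    `as_of`.  Relative severity: only advisories of the given severity
    count.  `installed` (optional set of package names) restricts the
    tally to software the organization actually runs.
    """
    windows = {}
    for vendor, package, sev, disclosed, patched, complete in advisories:
        if sev != severity:
            continue
        if installed is not None and package not in installed:
            continue
        closed = patched if complete else as_of
        windows.setdefault(vendor, []).append((closed - disclosed).days)
    return {vendor: mean(days) for vendor, days in windows.items()}


def rank_vendors(advisories, as_of, severity="high", installed=None):
    """Vendors ordered from fewest to most mean days of risk."""
    scores = days_of_risk(advisories, as_of, severity, installed)
    return sorted(scores, key=scores.get)


if __name__ == "__main__":
    print("all shipped packages:", rank_vendors(ADVISORIES, SNAPSHOT))
    print("httpd only:", rank_vendors(ADVISORIES, SNAPSHOT, installed={"httpd"}))
```

Counting every shipped package puts VendorB ahead; counting only httpd puts VendorA ahead, which is the sense in which “your mileage will vary.”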

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a freelance security and technology writer.