InternetWeek
Report Rekindles Open Source vs. Microsoft Security Debate

By Antone Gonsalves


A recent analyst report claiming that open-source software has overtaken Microsoft as the leading source of severe security flaws has rekindled the debate over whether open-source or proprietary software is more secure.

The Aberdeen Group says open-source software, including the popular Linux OS and a wide variety of applications, has pushed aside Microsoft as the "poster child" for security problems.

The IT market research firm bases its case on advisory counts from the CERT Coordination Center (CERT/CC) at Carnegie Mellon University's Software Engineering Institute, a federally funded research and development center. In the first 10 months of the year, 16 of the 29 security advisories CERT published concerned open-source or Linux software; seven concerned Microsoft products, and the remaining six concerned other software.

Virus and Trojan horse advisories affecting Linux, open-source, and Unix products rose from one in 2001 to two this year, while those for Microsoft products fell from six last year to zero this year.

Debate over the security of open-source software is sure to intensify if companies start replacing Unix and Microsoft products with Linux and its open-source cousins. That hasn't happened yet: sales of new Linux operating-system licenses declined 5 percent from 2000 to 2001, although IDC Research projects revenue from the sale of Linux systems to grow from $80 million last year to $280 million in 2006. If open-source software grows in popularity, it will draw more attackers.

As Aberdeen sees it, open-source software is at a disadvantage because no single organization is responsible for releasing patches, Aberdeen analyst Eric Hemmendinger said. While Linux has a large, active development community that tackles problems quickly, most other freeware has far fewer maintainers. IT organizations therefore need to weigh these conditions when deciding whether and how to use open-source products; users who are not prepared to fix vulnerabilities themselves are not ready to deploy freeware, Aberdeen asserts.

CERT believes Aberdeen read too much into its numbers. The organization draws no conclusions from its advisories about the relative vulnerability of open-source software versus Microsoft or any other vendor of proprietary applications. Rather than making comparisons, the group concentrates on identifying and studying the security problems it considers most serious by its own metrics, which cover only about 20 percent of all known vulnerabilities, said Shawn Hernan, a senior member of the CERT technical staff. A tally of advisories therefore measures what CERT chose to write about, not the underlying rate of flaws in either kind of software.

CERT argues that software security is not determined by whether an application is built in an open-source project or in the private laboratory of a corporate giant. Software becomes vulnerable through coding mistakes and poor quality assurance, wherever it is written.

"Most of the time -- well over 90 percent of the time -- vulnerabilities are equivalent to somebody forgetting to nail down the shingle that blew off the roof," Hernan said. "We tend to see the same kinds of mistakes being made over and over again. We see that in open-source software and in closed-source software."

CERT and Aberdeen do agree on one point: the two most popular security-related arguments, one for and one against open-source software, are both bunk.

Companies that make a living from closed-source code, such as Microsoft, claim their products are safer because attackers can't easily see what's under the covers, the security-through-obscurity argument. Open-source advocates counter that because the code is open to inspection by everyone, vulnerabilities are discovered and fixed sooner, the "many eyes" argument.

Neither side can back its arguments with a definitive study.

"I would categorize this more of a religious argument," Hemmendinger said. "They're really expressing an opinion."

Hernan agrees.

"They are philosophical arguments that don't translate very well into real-world quality products."

But the decision ultimately rests with potential customers such as Warren Young, president and CTO of Neurome Inc., a biotech company in La Jolla, Calif. Young said he would consider running his Oracle9i database and other applications on Linux if vendors could address his security concerns.

"Perception is nine-tenths reality," Young said. "They have to at least give the perception to the customer that the security is high, so that there's a certain level of comfort associated with purchasing the software."

Young says he will buy software only from a vendor that guarantees a patch within a day of a major vulnerability being discovered. Even assuming an open-source and a proprietary product are equal in quality, Young believes the open-source one is still less secure because of its development process.

"Open source means it's an open book, and anyone that wants to understand how the process works can," Young said. "Understanding how something works, because it's open source, does give the bad guys an advantage in bypassing security."

The debate rages on.

Copyright © 2010 CMP Media LLC