The document discusses the security advantages and challenges of open source software (OSS) compared to proprietary software, emphasizing that neither is inherently more secure. It highlights the benefits of OSS, such as mass peer review, transparency, and faster response to vulnerabilities, while also addressing misconceptions about security through obscurity. The importance of OSS in the context of cybersecurity, especially for the U.S. Department of Defense, is underscored, explaining the potential negative impacts of restricting access to OSS.

1. Open Source Software (OSS) and Security MIL-OSS Dr. David A. Wheeler & Jim Barkley August 5, 2010 This presentation contains the views of the author and does not indicate endorsement by IDA or MITRE, the U.S. government, or the U.S. Department of Defense.

2. OSS & Security Extreme claims “OSS is always more secure”

3. “Proprietary is always more secure” Reality: Neither OSS nor proprietary always better OSS has many potential security advantages

4. Some specific OSS programs are more secure than their competitors Evaluate your OSS options!

5. OSS has many advantages for security (1) Mass peer review It really happens: Linux reviewed-by, OpenBSD, Mozilla Bug Bounty, Debian-audit, ... Multi-tool review (static & dynamic) Vulnerability Discovery and Remediation, Open Source Hardening Project (DHS/Coverity/Stanford)

6. Fortify’s “Java Open Review Project”

7. Linux “sparse”

8. OSS has many advantages for security (2) Better meets “open design” security principle [Saltzer & Schroeder] “ the protection mechanism must not depend on attacker ignorance” Security experts perceive OSS advantage Bruce Schneier: “demand OSS for anything related to security”

9. Vincent Rijmen (AES): “forces people to write more clear code & adhere to standards”

10. Whitfield Diffie: “it’s simply unrealistic to depend on secrecy for security” Survey of 6,344 software development managers favored OSS’ security [BZ Research]

11. Some OSS security statistics OSS systems scored better on security [Payne, Information Systems Journal 2002]

12. IE 21x more likely to get spyware than Firefox [U of Wash.]

13. Faster response: Firefox 37 days, Windows 134.5 days

14. Browser “unsafe” days in 2004: 98% Internet Explorer, 15% Mozilla/Firefox (half of Firefox’s MacOS-only)

15. Windows websites more vulnerable in practice 17% (GNU/Linux) 66% (Windows) Defaced 66.75% (Apache) 24.81% (IIS) Deployed websites (by name) 29.6% (GNU/Linux) 49.6% (Windows) Deployed Systems OSS Proprietary Category

16. DoD cyber security requires OSS “ One unexpected result was the degree to which Security depends on FOSS. Banning FOSS would remove certain types of infrastructure components (e.g., OpenBSD) that currently help support network security.

17. ... limit DoD access to—and overall expertise in—the use of powerful FOSS analysis and detection applications that hostile groups could use to help stage cyberattacks.

18. ... remove the demonstrated ability of FOSS applications to be updated rapidly in response to new types of cyberattack . Taken together, these factors imply that banning FOSS would have immediate, broad, and strongly negative impacts on the ability of many sensitive and security-focused DoD groups to defend against cyberattacks .” - Use of Free and Open Source Software in the US Dept. of Defense (MITRE, sponsored by DISA), Jan. 2, 2003

19. Why hiding source doesn’t help security Dynamic attacks don’t need source or binary Observing output from inputs sufficient for attack Presumes you can keep source secret Attackers may extract it or legitimately get it Static attacks can use pattern-matches against binaries

20. Source code can be regenerated by disassemblers & decompilers sufficiently to search for vulnerabilities