Is There Inherent Security in Open
Source Operating Systems and Software?
William Chipman
Fall 2009
Dr. Schauble
Introduction
The biggest idea in computing currently is open source software. Because most
open source software (OSS) is available for free or very reduced cost, many individuals
and companies would like to move the majority of their computing to the platform. While
many people are just now hearing about OSS, it is not a new concept. “Free and open
source software dates right back to the origins of the computing field, as far back in fact
as the 1950's, when all software was free, and most of it open” (Kadura & Schryen, 2009,
p. 2016).
In order for people to feel comfortable moving to the OSS culture and feel that
their assets are protected, the issue of security has to be addressed. This has been
polarizing to both the OSS camp and the closed source software (CSS) camp. Both sides
are adamant that their software is more secure than the other's. This paper will present the
arguments from both sides and attempt to provide an unbiased conclusion as to whether
OSS, and specifically open source operating systems, are inherently more secure than the
equivalent closed source operating systems.
Definitions
Open Source Software
“Open source software, by definition, is any program or application that is freely
distributed, non-platform specific -- and in which the programming code is open and
visible” (Whitlock, 2001). Open source software, while offering access to the source
code, can fall under several different license arrangements. Discussions of the different
licensing agreements are beyond the scope of this paper. The delivery methods of OSS
are also important. While the source code is available to all, many consumers are not
interested in compiling the code in order to build their systems; therefore, many open
source software packages and operating systems are available as pre-compiled binaries.
While Linux is the best known open source operating system (OSOS), it is not the only
one. OpenBSD, OpenSolaris and Minix are all open source, and any thorough discussion
of security issues and options will require a full picture of the entire open source market.
Closed Source Software
Closed source software (CSS) is software in which the source code is proprietary
and only binaries are delivered to the customer. Whereas OSS customers take ownership
of the software, CSS customers only receive a license to use the software. The best
known closed source operating systems (CSOS), the Microsoft Windows and Apple
MacOS families, control the majority of the market and thus
experience the majority of the security issues and risks. “Risk is defined as a combination
of the likelihood of a successful attack on a system together with the damage to assets
resulting from it” (Hoepman & Jacobs, 2007, p. 80). Because of the large market share
of the CSOS, they shoulder an uneven share of the risk on the operating system market.
Security Systems
Implementation in Open Source Software
OSS and CSS implement security in similar fashions. Most software is designed
and written in such a way as to minimize risk to the consumer. The goal of delivering a
quality product to the consumer that is both useful and secure is common to both OSS
and CSS. The big difference between the two is not in how the security is implemented
but in how problems and shortfalls in security are found and the speed with which they
are fixed. “The tacit security of open source software comes from the concept of 'peer
review,' borrowed from the scientific community” (Whitlock, 2001).
review,' borrowed from the scientific community” (Whitlock, 2001).
Peer review is also known as 'many eyes'. OSS proponents claim that while OSS
may have no fewer security flaws than CSS, having many more people reviewing the code
ensures that security issues will be found faster and can thus be corrected more quickly.
In addition to having more eyes on the code, “open source even enables several different
and independent teams of people to evaluate the security of the system” (Hoepman &
Jacobs, 2007, p. 82). Not only are 'many eyes' looking for issues, but those eyes are also
working independently and can have differing expertise. Through these review
practices, an open source operating system in 2000 was deemed the most
secure operating system available. OpenBSD had “a track record of three years without a
remote security vulnerability and two years without a local host
vulnerability” (Middleton, 2000). This is an incredible length of time in the computer
field.
Implementation in Closed Source Software
Proponents of CSS have a different view of the situation. They believe that by
distributing the source code for a piece of software, that software is more likely to be at
risk. The rationale is that while there are many eyes on the code, a large number of those
eyes may not be looking for the issues in order to alert the 'proper authorities'. These eyes
are looking for security risks in order to exploit them either in the software that is being
studied or in similar CSS applications. CSS proponents explain that “commercial
software development is usually under centralized control [which] makes it easier to
develop a roadmap for the product [and] control the architecture in a design phase”
(Karels, 2003, p. 49). This control leads to better designed software that is then released
with fewer issues requiring attention in the future. CSS proponents argue that they also
have 'many eyes' on their software, and that those eyes belong to professionals paid to
find vulnerabilities. Their view is that while more eyes may have access to OSS code, the
eyes on CSS have greater expertise to scour the code and the incentive to find and address
vulnerabilities.
Expert opinions
Pro Open Source Software
Experts in the computing field have been weighing in on this issue for many
years, and both sides have similar arguments about why their side is better. Most experts
that side with the OSS community argue that because the source code is available to the
masses, the code will not only be better written, but any risks will be identified in a
timely fashion and corrected. According to Ralston, “one of the biggest perceived
negatives cited by open source naysayers is the expanded security risks. As the number of
developers examining code increases, however, the quantity of improvements achieved
also rises - and these advancements are obtained more readily” (2009, p. 13). This is
essentially the 'more eyes' argument.
The second pro-OSS expert argument is that when the source code is available for
review, it is more likely to be clean, readable and without intentional risks. Whitlock tells
us that “when the source and changes to it are present in public for anyone to examine, it
becomes personally incumbent on the developer to ensure the code is right and that it
hasn't been tampered with by any unknown parties” (2001). Writing good code becomes
a pride issue. Coders know that every decision they make in their code will be endlessly
reviewed and picked through. This leads to better design structures and less inherent risk
according to this argument. A person writing code wants to write the best software
product available because there is the potential for thousands of his peers to see every
shortfall. The consensus of OSS experts is that “closed source leads not to true security
but to a false sense of security” (Whitlock, 2001).
Pro Closed Source Software
“Lee Badger, principal computer scientist at Network Associates, … counter[s]
that the many-eyes theory 'assumes people are motivated to examine even the mundane
code'” (Whitlock, 2001). If the code is working well, then where is the motivation to
perform intense code reviews? In addition to this, there is a lack of reward for the
potential reviewers. In a CSS corporate setting, programmers are paid to review code and
find potential security risks. Additionally, “many potential reviewers do not inspect the
code because they believe that others have already done so” (Kadura & Schryen, 2009, p.
2018). Experts believe that there is an attitude of indifference in the OSS community
towards code reviews. If a potential reviewer thinks that the code has been reviewed and
corrected then they have no reason to waste their time looking through the code again.
The second main expert opinion in favor of CSS is that the people building OSS
lack the tools and skills to engineer truly secure software. McMillian explains that
software, especially operating systems software, “needs to be built by people who
understand security, using good tools and proper techniques, and then evaluated by
people who know something about security” (McMillian, 2002). Without the proper
background, it is unlikely that reviewers will find major security risks or address them in
a timely fashion. Kershaw sums up the overall expert opinion against OSS as “it is an
open door and one would have to think it will be abused at some stage” (2009, p. 10).
Dealing with vulnerabilities
Open Source Software
Dealing with vulnerabilities in OSS is also a subject for discussion among many
experts in the industry. OSS's greatest asset for dealing with potential risk is that
by distributing the source code, not only does the number of eyes on the code
increase such that risks are found faster, but those same people can immediately
“write additions to the code … removing bugs” (Kershaw, 2009, p. 10). According to
this principle, as the number of people that use the code increases, the number of
potential developers increases. There is also a communal spirit to the OSS movement.
Users that have the skills to be assets to the cause are motivated to aid in any way
possible in order to make the software better and thus bring in more potential users and
developers.
The second major advantage of freely distributing the source code is that in the
case of most major CSS packages, the source code is eventually leaked to the community.
The ubiquity of Internet access worldwide has helped increase the illicit flow of
closed source code, increasing the chance that the few people that have access to the code
are looking for risks in order to exploit them, not fix them. Kadura and Schryen explain that “in
cases where a source code is only available to a few criminals, code hiding may be
counterproductive” (2009, p. 2018). Criminals are looking for ways to exploit
vulnerabilities, while few if any are looking at the code in order to fix the risks.
Closed Source Software
Vulnerabilities in CSS are looked at from a different perspective. The belief is that
first there are fewer risks in CSS because it was designed and coded by professionals that
better understand the potential for risk than the developers of open source code. Second,
the risks are limited because the security flaws are hidden from sight and therefore not
available to the general public. Criminals will have to work harder to find the
vulnerabilities and exploit them. The idea is that an unknown issue is not an issue until
someone discovers it.
The major CSOS vendor Microsoft took the idea of risk management to a new
level prior to the release of their flagship operating system: Windows Vista. “Microsoft,
… challenged some of the world's most acknowledged computer experts to hack into
Vista during its development period” (Ralston, 2009, p. 13). The idea was that while the
Microsoft developers and testers had the expertise to build and test the new operating
system, they lacked the volume of resources to truly test every aspect and potential risk.
Future potential
Many of the world's governments are getting on-board with the OSS movement.
This will help garner more support in the future and get OSS the tools needed to compete
on an equal playing field with CSS. “With President Obama's declared support for open
source technology, greater adoption is anticipated” (Ralston, 2009, p. 13). This expanded
adoption is already happening in the rest of the world. “It is interesting to note that the
Venezuelan government made the shift to OSS in 2004, The Peruvians in 2005 and large
national educational changes have been made in Spain, Germany, Brazil and Singapore”
(Kershaw, 2009, p. 10). The United States Department of Homeland Security in 2006 set
up a 3-year grant of over $1 million to Stanford University, Coverity and Symantec to
look for bugs in open source software (Evers, 2006). CSS companies have long had
analysis tools that would look for potential security risks. The grant is an attempt by
the US Government to level the field between OSS and CSS so that OSS code can be
made more secure prior to release and not have to rely solely on the OSS community to find
risks after release.
In the CSS world there is also a push back to slow the growth of OSS. “Microsoft
still has the market grip on accepted and standardized business applications and so has no
vested interest in seeing compatibility between OSS and its applications” (Kershaw,
2009, p. 46). Because of the stranglehold on the market that Microsoft and other CSS
vendors have currently, gaining a foothold will be difficult for the OSS community
without governmental support.
Conclusion
At this point in the OSS movement, it is difficult to draw complete conclusions as
to how much more or less secure open source is than closed source. The arguments are
there for both sides, but the empirical evidence is not there. Proponents of the open
source operating system Linux will point out that the majority of exploits are targeted
towards their competitor, Microsoft Windows. The reality of the argument is that with
such a large market share, MS Windows is a bigger target. “What the discussion on
software security specifically lacks is appropriate metrics, methodology and hard data”
(Kadura & Schryen, 2009, p. 2017). Until OSS becomes more competitive with CSS,
there is not enough data to determine conclusively which is fundamentally more secure.
OSS is finally getting the recognition needed by the world to help gain market
share and have the proper tools developed to make it a real competitor with its CSS
equivalent. The next few years will be the telling time for OSS. If the market share can be
expanded to make it competitive with CSS, better conclusions will be able to be drawn as
to the true security benefits of OSS and OSOS. Until that time, all conclusions about
security will be speculative and subjective.
References
Anonymous. (2009). Microsoft forms new open source foundation. Networkworld.com. Retrieved October 30, 2009 from ACM Digital Library.
Evers, Joris. (2006). Homeland Security helps secure open-source code. CNET News. Retrieved October 31, 2009 from http://news.cnet.com/Homeland-Security-helps-secure-open-source-code/2100-1002_3-6025579.html
Hoepman, Jaap-Henk and Jacobs, Bart. (2007). Increased security through open source. Communications of the ACM, 50(1). Retrieved November 2, 2009 from ACM Digital Library.
Kadura, Rouven and Schryen, Guido. (2009). Open source vs. closed source software: towards measuring security. SAC '09. Retrieved October 31, 2009 from ACM Digital Library.
Karels, Michael. (2003). Commercializing open source software. ACM Queue. Retrieved October 27, 2009 from ACM Digital Library.
Kershaw, Patrick. (2009). Open source software – is it the new solution? NZ Business. Retrieved November 1, 2009 from ProQuest database.
McMillian, Robert. (2002). Security expert gives operating systems poor security grade. Linux Planet. Retrieved October 30, 2009 from http://www.linuxplanet.com/linuxplanet/interviews/4495/1/
Middleton, James. (2000). Most secure operating system update uses Digital Signature Algorithm. Network IT Week. Retrieved October 30, 2009 from http://www.v3.co.uk/networkitweek/news/2056770/secure-operating-system-update-uses-digital-signature-algorithm
Ralston, Bruce. (2009). Open source expected to improve innovation. Health Management Technology. Retrieved October 29, 2009 from EBSCOHost database.
Whitlock, Natalie. (2001). The security implications of open source software. IBM developerWorks Linux Technical Library. Retrieved October 30, 2009 from http://www.ibm.com/developerworks/linux/library/l-oss.html

  • 9. 9 look for bugs in open source software (Evers, 2006). CSS companies have long had analysis tools that would look for potential security risks. These tools are an attempt by the US Government to level the field between OSS and CSS so that OSS code can be more secure prior to release and not have to rely solely on the OSS community to find risks after release. In the CSS world there is also a push back to slow the growth of OSS. “Microsoft still has the market grip on accepted and standardized business applications and so has no vested interest in seeing compatibility between OSS and its applications” (Kershaw, 2009, p. 46). Because of the stranglehold on the market that Microsoft and other CSS vendors have currently, gaining a foothold will be difficult for the OSS community without governmental support. Conclusion At this point in the OSS movement, it is difficult to draw complete conclusions as to how much more or less secure open source is than closed source. The arguments are there for both sides, but the empirical evidence is not there. Proponents of the open source operating system, Linux, will point out that the majority of exploits are targeted towards their competitor, Microsoft Windows. The reality of the argument is that with such a large market share, MS Windows is a bigger target. “What the discussion on software security specifically lacks is appropriate metrics, methodology and hard data” (Kadura & Schryen, 2009, p. 2017). Until OSS becomes more competitive with CSS, there is not enough data to determine conclusively which is fundamentally more secure. OSS is finally getting the recognition needed by the world to help gain market share and have the proper tools developed to make it a real competitor with its CSS
  • 10. 10 equivalent. The next few years will be the telling time for OSS. If the market share can be expanded to make it competitive with CSS, better conclusions will be able to be drawn as to the true security benefits of OSS and OSOS. Until that time, all conclusions about security will be speculative and subjective.
References

Anonymous. (2009). Microsoft forms new open source foundation. Networkworld.com. Retrieved October 30, 2009 from ACM Digital Library.

Evers, Joris. (2006). Homeland Security helps secure open-source code. CNET News. Retrieved October 31, 2009 from http://news.cnet.com/Homeland-Security-helps-secure-open-source-code/2100-1002_3-6025579.html

Hoepman, Jaap-Henk and Jacobs, Bart. (2007). Increased security through open source. Communications of the ACM, 50(1). Retrieved November 2, 2009 from ACM Digital Library.

Kadura, Rouven and Schryen, Guido. (2009). Open source vs. closed source software: towards measuring security. SAC '09. Retrieved October 31, 2009 from ACM Digital Library.

Karels, Michael. (2003). Commercializing open source software. ACM Queue. Retrieved October 27, 2009 from ACM Digital Library.

Kershaw, Patrick. (2009). Open Source Software – is it the new solution? NZ Business. Retrieved November 1, 2009 from ProQuest database.

McMillian, Robert. (2002). Security expert gives operating systems poor security grade. Linux Planet. Retrieved October 30, 2009 from http://www.linuxplanet.com/linuxplanet/interviews/4495/1/

Middleton, James. (2000). Most secure operating system update uses Digital Signature Algorithm. Network IT Week. Retrieved October 30, 2009 from http://www.v3.co.uk/networkitweek/news/2056770/secure-operating-system-update-uses-digital-signature-algorithm

Ralston, Bruce. (2009). Open source expected to improve innovation. Health Management Technology. Retrieved October 29, 2009 from EBSCOHost database.

Whitlock, Natalie. (2001). The security implications of open source software. IBM developerWorks Linux Technical Library. Retrieved October 30, 2009 from http://www.ibm.com/developerworks/linux/library/l-oss.html