Open vs Closed - Which is more secure?

7,796 views
Open VS Closed Source Software: Which is more secure?

This is the presentation given at the quarterly "Free Beer Sessions" answering the age old question of whether open source software is more secure than their closed or proprietary counterparts.

The presentation gives an overview of the philosophies and history driving both methodologies and provides case history examples to answer the question.

Published in: Technology

  1. OPEN vs CLOSED: Which is more secure? Yossi Hasson, http://twitter.com/yossihasson, yossih@synaq.com
  2. OPEN VS CLOSED: WHICH IS MORE SECURE
  3. The debate. “I’m closed. I’m more secure.” “Open is better!”
  4. (image slide, no text)
  5. Kerckhoffs’ Principle: “the system must not require secrecy and can be stolen by the enemy without causing trouble.” - Auguste Kerckhoffs, 1883
  6. At SYNAQ we believe that good OPEN SOURCE projects lead to better software being developed and are therefore generally more secure.
  7. WHY
  8. WHAT IS OPEN SOURCE
  9. Richard Stallman, 1983: “‘Free software’ is a matter of liberty, not price. To understand the concept, think of ‘free’ as in ‘free speech’, not as in ‘free beer’.”
  10. Linus Torvalds, 1991: “Hello everybody out there using minix. I'm doing a (free) operating system (just a hobby, won't be big and professional like gnu) for 386(486) AT clones.”
  11. Eric Raymond, 1998: “People are imperfect. What we have learned through the ages, though, is that combining lots of people creates a better end result, ... For some reason, we forgot that when it came to developing software.”
  12. OSS Definition
      1.  Free Redistribution
      2.  Source Code
      3.  Derived Works
      4.  Integrity of The Author’s Source Code
      5.  No Discrimination Against Persons or Groups
      6.  No Discrimination Against Fields of Endeavor
      7.  Distribution of License
      8.  License Must Not Be Specific to a Product
      9.  License Must Not Restrict Other Software
      10. License Must Be Technology Neutral
      Source: www.opensource.org
  13. WHAT IS CLOSED SOURCE
  14. Source code of the software is not available, or the licensor does not grant the freedoms to use, modify, and distribute that are granted by free software licenses. Source: Wikipedia
  15. “Who can afford to do professional work for nothing? What hobbyist can put 3 man-years into programming, finding all bugs, documenting his product and distribute for free?” - Bill Gates, 1976
  16. “There are fewer communists in the world today than there were. There are some new modern-day sort of communists who want to get rid of the incentive for musicians and moviemakers and software makers under various guises. They don't think that those incentives should exist.” - Bill Gates, 2005
  17. “Linux is a cancer that attaches itself in an intellectual property sense to everything it touches.” - Steve Ballmer, 2001
  18. WHAT PRIMARILY DRIVES BOTH
  19. Closed Source
  20. Open Source
      •  Status
      •  Contribution
      •  Social Capital
      •  Ideology
      •  In some cases: Making money
  21. WHAT’S THIS GOT TO DO WITH SOFTWARE SECURITY
  22. $ TIME
  23. “In an open source project, to make a mistake and have it known to the entire development community and your friends is mortifying to the extreme …. the last moment before hitting the Enter key – to commit a change or send a patch out into the cold cruel world of your peers – is the longest moment imaginable.” - Michael H. Warfield, senior researcher, Internet Security Systems
  24. Factors to Consider
      •  Time to compromise
      •  Speed at which flaws are fixed
      •  Number of vulnerabilities
      •  Major virus outbreaks
      •  Trust
  25. Time to Compromise
      •  Time taken to compromise an un-patched Linux vs Windows XP machine
      VS
  26. Time to Compromise
      Linux: 3 months*
      Windows XP: 4 minutes (pre SP2)*, 18 minutes (post SP2)**
      WINNER
      Source: * Honeynet, “Know Your Enemy: Trend Analysis” (2004); ** Symantec’s Internet Security Threat Report (2004)
  27. Bugs
  28. Bugs
      Article “Apache avoids most security woes” found Apache’s last serious security problem was announced in January 1997.
      Article “IT bugs over IIS security” found Microsoft had reported 21 security bulletins over the period, 8 of which were rated highly dangerous, in comparison to 0 for Apache over the same period.
      Source: eWeek & www.dwheeler.com/oss_fs_why.html
  29. Fixing Flaws
  30. Fixing Flaws #1 (VS VS)
  31. Fixing Flaws #1
      Vendor (shown as logo)   Number of advisories   Average time to resolve after discovery
      (logo)                   31                     11.2 days
      (logo)                   61                     16.1 days
      (logo)                   8                      89.5 days
      WINNER
      Source: SecurityPortal
  32. Fixing Flaws #2 (VS)
  33. Fixing Flaws #2
      The U.S. Department of Homeland Security’s Computer Emergency Readiness Team (CERT) recommended using browsers other than Microsoft Corp.’s Internet Explorer (IE) for security reasons. Microsoft had failed to patch a critical vulnerability for 9 months, and IE was being actively exploited in horrendous ways.
      Source: US Department of Homeland Security, CERT
  34. Fixing Flaws #2
      According to Symantec Corp., Mozilla Firefox fixed its vulnerabilities faster, and had fewer severe vulnerabilities than Internet Explorer.
      WINNER
      Source: Symantec, 2004
  35. Fixing Flaws #3 (VS)
  36. Fixing Flaws #3
      eWeek Labs’ article “Open Source Quicker at Fixing Flaws” listed specific examples of more rapid response. A serious flaw was found in the Apache Web server; the Apache Software Foundation made a patch available two days after the Web server hole was announced.
      WINNER
      Source: eWeek, article “Open Source Quicker at Fixing Flaws”
  37. Virus Outbreaks
      Computer viruses are overwhelmingly more prevalent on Windows than any other system.
  38. Virus Outbreaks (VS)
  39. Virus Outbreaks #1
      Microsoft IIS features twice as often (49% vs. 23%) as a malware distributing server.
      WINNER
      Source: Google Online Security Blog (2007)
  40. Who to Trust?
  41. Who to Trust? #1
      European Parliament calls “on the Commission and Member States to promote software projects whose source text is made public (open-source software), as this is the only way of guaranteeing that no backdoors are built into programmes [and calls] on the Commission to lay down a standard for the level of security of e-mail software packages, placing those packages whose source code has not been made public in the ‘least reliable’ category” (5 September 2001; 367 votes for, 159 against and 39 abstentions).
      Source: European Parliament A5-0264/2001
  42. Who to Trust? #2
      •  April 2000: discovery that Frontpage contained a deliberate “backdoor”
      •  Remained undetected for more than 4 years
      Source: TruSecure, paper “Open Source Security”
  43. Who to Trust? #3
      •  Some time between 1992 and 1994
      •  “Back door” inserted in the DB server InterBase
      •  Vulnerability stayed for 6 years
      •  Borland released source code July 2000 as OSS/FS
      •  Firebird launched
      •  5 months later CERT identified the vulnerability and it was patched shortly after
  44. Microsoft EULA - XP #4
  45. Comparison EULA to GPL
                                                         EULA   GPL
      Percentage of license which limits your rights     45%    27%
      Percentage of license which extends your rights    15%    51%
      Percentage of license which limits your remedies   40%    22%
      Source: Cybersource, “A comparison of the GPL and the Microsoft EULA”
  46. The Tally
      Factor                   Open Source   Closed Source
      Time to compromise           ✔              ✖
      Number of critical bugs      ✔              ✖
      Speed at fixing flaws        ✔              ✖
      Number of viruses            ✔              ✖
      Who to trust                 ✔              ✖
  47. Conclusion
      •  “Openness” of source code is 1 factor of many when considering security
      •  Being open doesn’t automatically mean more secure
      •  Underlying driving motives for open source can lead to better software development
      •  History has shown that good open source projects tend to be more secure than their closed counterparts
      •  It’s a question of who to put your trust in
  48. Thank You & Remember
  49. References
      •  Why open source? (David Wheeler)
      •  IBM, The security implications of open source software
      •  Open source versus closed source security (Jason Miller)
      •  Open source security: A look at the security benefits of source code access (TruSecure)
  50. Questions and Further Information: yossih@synaq.com, 011 262 3632
