How Secure is Open Source?

Proponents are upbeat—but don’t let your guard down.


Imagine showing cops and robbers the blueprints to your campus. Then imagine letting them keep the detailed blueprints to review, over and over again, at their leisure. The robbers would memorize every nuance of your campus layout, and at some point they’d likely plan a break-in. But on the flip side, the cops would identify security weaknesses and help you eliminate them.

Universities that use open source software are facing that very scenario in the digital world. Whether it be a legitimate programmer or a would-be hacker, everyone in the open source community has unlimited access to the software’s source code. They can spend endless hours examining the code for potential security holes, bugs, and code flaws.

And there’s no shortage of open source code to examine. Most college campuses are running a mix of open source apps—from Linux and the Apache web server to the MySQL database, Firefox web browser, and Zimbra e-mail—and the list goes on. Darkside hackers (aka crackers) can take a close look at these and other code bases to find holes to potentially exploit.

Still, for every bad guy roaming the internet, there are thousands of honest, hard-working open source programmers who review and fix flaws within the code. “In the open source model, everyone has access to the source code, so vulnerabilities are rapidly identified and fixed,” asserts John Halamka, CIO of Harvard Medical School (MA). “Transparency of source code leverages the talents of brilliant people. This ensures the applications are more secure, rather than more vulnerable.”

Halamka’s peers at MIT agree. “Open source code is ‘white box’ tested,” says Ash Dyer, an MIT researcher who works with open source WiFi solutions. “During testing, you can watch its internal functioning. In other words, the product is peer-reviewed, similar to the process scientific research undergoes prior to publishing.” Translation: Security professionals can test the software while watching how the code actually executes the actions, thereby flagging unsafe practices even if their tests do not directly detect a fault, Dyer says.

OPEN VS. CLOSED

Now for the question that has haunted the entire software industry for more than a decade: Is open source more secure than traditional closed source?

It depends on whom you ask. When it comes to security challenges, Microsoft has earned more than its share of negative headlines over the years. Granted, Microsoft’s products have been widely targeted by hackers, but that’s also a function of Microsoft’s immense market share. Why shoot at a tiny animal when you can aim your gun into a herd of elephants?

Meanwhile, open source providers like Red Hat and MySQL have relatively strong reputations among security-minded IT managers. “We have been able to turn around fixes within 24 hours,” says Zack Urlocker, executive VP of products at MySQL. “That being said, MySQL has not had any security issues reported in several years.”

Open Source PROS AND CONS

PROS

  • Enterprise resource planning (ERP), constituent relationship management (CRM), and e-mail applications are now widely available from SugarCRM, JasperSoft, Zimbra, and other providers.
  • Most open source companies host online communities, where developers can rapidly identify, troubleshoot, and correct code problems.
  • The open source model closely parallels the university research model, where developers review each other’s work for quality and accuracy prior to completing and publishing software code.

CONS

  • Some software development companies claim to adhere to open source standards, but bend or stretch the truth, thus putting customers at risk.
  • Students have lots of spare time to investigate—and hack—open source code. Be sure to reinforce positive software ethics as part of computer science curricula.
  • It’s unclear how or when hackers will target emerging open source platforms like the Asterisk voice over IP system and open source-based network appliances.

A spokesperson for SugarCRM, an open source applications provider in Cupertino, CA, adds, “The main problem of proprietary vendors is that there are too many lines of code and too few quality assurance engineers [to review them]. SugarCRM, on the other hand, employs the same security model as the Linux operating system, which has proven rock-solid in the most demanding security environments.”

Moreover, many open source advocates point to independent studies that suggest open source is more secure than closed source systems. In fact, static analysis vendors Coverity, Klocwork, and Reasoning say that studies indicate the quality of open source code is typically six times better than that of closed source.

SHOW SOME BALANCE

Still, open source certainly isn’t “all good,” and closed source isn’t “all bad.” In fact, some studies suggest Linux actually has more security weaknesses than Windows. For instance, in 2005, Linux and Unix experienced more than three times as many reported security vulnerabilities as Windows, according to a study by the US Computer Emergency Readiness Team. Bear in mind that this is a raw tally, counted across many Unix and Linux vendors and not weighted by severity, so it says less about any one campus deployment than the headline number suggests.

Open source security incidents certainly have taken place, but they haven’t been everyday occurrences. In 2003, hackers compromised servers belonging to the Debian open source operating system project, damaging bug tracking, e-mail, and other services used by the project’s 1,000 developers, recalls Brian James, founder of James Consulting, a newly formed open source development firm in Jacksonville, FL.

Meanwhile, on the closed source side, Microsoft has generally become much more aggressive about security since Bill Gates sent his “Trustworthy Computing” memo to the entire company in January 2002. And other companies that develop closed source software—from Oracle to SAP AG—have solid reputations within the security sector and on college campuses, notes Ed Golod, president of Revenue Accelerators, a technology consulting firm in New York. “You’ve got to remember: The press likes to see things in black and white,” says Golod. “They want a clear winner and a clear loser. But in the software market, there are gray areas. You can’t make a broad statement saying open source is always more secure than closed source—or vice versa.”

Indeed, many closed source companies are evolving to offer solutions that include both closed and open source software. Those embracing the hybrid approach include IBM, Oracle, and Sun Microsystems. While Sun continues to promote its closed source Solaris operating system, the company has gradually embraced Linux. The situation is similar at IBM, which promotes systems running Windows, AIX Unix, and Linux.


DEVELOPING BEST PRACTICES

Even as they juggle open and closed source business models, some software companies are hiring chief security officers (CSOs or CISOs) to ensure best practices across their entire product portfolios. Oracle, for one, employs one of Silicon Valley’s highest-profile CSOs, IT veteran Mary Ann Davidson. In addition to managing Oracle’s internal security practices, Davidson is a road warrior who frequently engages vertical-market customers at trade shows. “She’s a real asset for us when we try to show customers our commitment to security,” says Oracle Higher Education VP Jim McGlothlin. Davidson, for instance, explains Oracle’s secure development practices to customers, who, in turn, often leverage those practices within their organizations.

Meanwhile, open source providers aren’t resting on their laurels. The National Security Agency, for example, has worked with Red Hat and other partners to develop Security-Enhanced Linux (SELinux). According to an NSA spokesperson, mainstream operating systems lack the critical security feature required for enforcing separation: mandatory access control. As a result, application security mechanisms are vulnerable to tampering and bypass, and malicious or flawed applications can easily cause failures in system security. To address this problem, SELinux incorporates a mandatory access control architecture into the major subsystems of the kernel. The NSA spokesperson points out that the system provides a mechanism to enforce the separation of information based on confidentiality and integrity requirements. In other words, policy puts walls between labeled processes and data, so that one compromised application cannot take the whole system down with it.
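To make the separation the NSA describes concrete, here is an added Python model; it is not code from the NSA, Red Hat, or the SELinux project. It parses a handful of allow rules written in SELinux policy syntax and decides a file access the way the kernel composes the two checks: discretionary permissions first, then the mandatory policy. The policy fragment, the type labels (httpd_t, shadow_t, and so on), the uids, and the file modes are all constructed for this example; a real SELinux policy runs to many thousands of rules and covers far more than files.

```python
"""Toy model of SELinux-style type enforcement beside classic Unix DAC.

Added illustration, not NSA, Red Hat or SELinux code: a few dozen lines that
parse allow rules written in SELinux policy syntax and decide a file access
the way the kernel composes the two checks (DAC first, then the mandatory
policy).  The policy fragment, type labels, uids and file modes below are
constructed for this example.
"""
import re
from dataclasses import dataclass

# Constructed rules in SELinux policy syntax:
#   allow <source_type> <target_type>:<class> { perm perm ... };
POLICY = """
allow httpd_t httpd_sys_content_t:file { read getattr open };
allow httpd_t httpd_log_t:file { append getattr open };
allow mysqld_t mysqld_db_t:file { read write getattr open };
allow passwd_t shadow_t:file { read write getattr open };
"""

_ALLOW_RE = re.compile(
    r"allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{\s*([\w\s]+?)\s*\}|(\w+))\s*;"
)


def parse_policy(text):
    """Expand allow rules into a set of (source, target, class, perm) tuples."""
    rules = set()
    for m in _ALLOW_RE.finditer(text):
        stype, ttype, cls, many, one = m.groups()
        for perm in (many.split() if many else [one]):
            rules.add((stype, ttype, cls, perm))
    return rules


@dataclass(frozen=True)
class Process:
    uid: int      # Unix identity used by DAC
    domain: str   # SELinux type of the subject, e.g. httpd_t


@dataclass(frozen=True)
class File:
    owner: int
    mode: int     # permission bits, e.g. 0o644
    type_: str    # SELinux type of the object, e.g. shadow_t


def dac_allows(proc, f, perm):
    """Discretionary check: uid 0 bypasses it, the owner uses the user bits,
    everyone else the 'other' bits.  Only read/write/append are modelled."""
    if proc.uid == 0:
        return True
    bit = {"read": 4, "write": 2, "append": 2}[perm]
    shift = 6 if proc.uid == f.owner else 0
    return bool((f.mode >> shift) & bit)


def mac_allows(rules, proc, f, perm):
    """Type enforcement: default deny, no root bypass, uid is irrelevant.
    The process cannot change its own domain label, so an exploit that
    gains uid 0 inside httpd_t is still confined to what httpd_t may do."""
    return (proc.domain, f.type_, "file", perm) in rules


def access(rules, proc, f, perm):
    """Kernel order of evaluation: DAC first, then the mandatory policy.
    Both must allow the access."""
    if not dac_allows(proc, f, perm):
        return "denied (DAC)"
    if not mac_allows(rules, proc, f, perm):
        return "denied (MAC)"
    return "allowed"


def demo():
    """Run the constructed scenarios and return the decision for each."""
    rules = parse_policy(POLICY)
    shadow = File(owner=0, mode=0o000, type_="shadow_t")
    webroot = File(owner=0, mode=0o644, type_="httpd_sys_content_t")
    # Sloppy DAC on the database file: world-readable by mistake.
    dbfile = File(owner=27, mode=0o644, type_="mysqld_db_t")

    httpd = Process(uid=48, domain="httpd_t")
    # Web server after a successful exploit: uid 0, but still labelled httpd_t.
    pwned_httpd = Process(uid=0, domain="httpd_t")
    # The setuid passwd program: uid 0 and the domain the policy trusts.
    passwd = Process(uid=0, domain="passwd_t")

    return {
        "httpd reads web content": access(rules, httpd, webroot, "read"),
        "httpd writes web content": access(rules, httpd, webroot, "write"),
        "httpd reads world-readable db file": access(rules, httpd, dbfile, "read"),
        "root-level httpd reads shadow": access(rules, pwned_httpd, shadow, "read"),
        "root-level httpd reads shadow, DAC only":
            "allowed" if dac_allows(pwned_httpd, shadow, "read") else "denied (DAC)",
        "passwd (setuid root) reads shadow": access(rules, passwd, shadow, "read"),
    }


if __name__ == "__main__":
    for scenario, decision in demo().items():
        print(f"{scenario:42} {decision}")
```

Run it and read the two shadow rows side by side: with DAC alone, the exploited web server, now uid 0, reads the password hashes; under type enforcement it is still httpd_t and the request is denied, because the domain label is assigned by policy rather than chosen by the process. The world-readable database file shows the other half of the point: a permission mistake in DAC does not open the data to a domain that has no rule for it.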

BEST OF BOTH WORLDS?

Much like the software industry itself, colleges and universities are striking a balance between open and closed source solutions.

Consider the situation at Eastern Illinois University, which has deployed roughly a dozen Apple servers running Zimbra’s open source e-mail platform for 30,000 users, according to John Robb, VP of marketing and product management at Zimbra. This combination of open and closed source software—which replaced a legacy Sendmail system running on Sun Solaris—gives EIU the best of both worlds: Administrators welcome the familiar Mac user interface and Apple’s reputation for reliability, while the Zimbra code is known to easily scale to 10,000 or more users, and isn’t a big target for hackers, compared to Microsoft’s nearly ubiquitous Exchange Server.

In addition to security considerations, “A key factor in our choice of an e-mail and calendaring product was the ability to cost-effectively deploy the technology campuswide,” says Greg DeYoung, EIU’s associate director for campus infrastructure technology. Other eager Zimbra adopters include Delaware State University and Florida International University’s College of Business Administration.


COLLABORATIVE THINKING

Part of the appeal of open source software like Zimbra can be traced back to the way developers interact with each other online, to close security holes long before hackers can exploit them. Most open source software companies, for instance, host “developer communities” on their websites. There, programmers and partners share code, review each other’s work, and dive down into security issues. SugarCRM’s online forums, for instance, host more than 500 security discussions, ranging from module loading and role assignments, to bug fixes of known security problems.

Moreover, several major annual cracker conferences, including Defcon and HOPE, allow crackers and security professionals to mingle and discuss best practices for both cracking and securing systems. Many of the discussions involve open source software.

“The open source community has long embraced [crackers],” says MIT’s Dyer, “while much of the closed source community has preferred to host their own events. In addition to accepting the contributions of former crackers, open source projects regularly make their code available for sharing. Best practices are much more readily adopted in open source, because the problem is solved once for everyone—rather than forcing people to reinvent the wheel.”

Still, neither the open nor the closed source model is perfect. In fact, some crackers are trying to write cross-platform viruses that attack both. Last year, researchers at security software developer Kaspersky Lab uncovered “proof-of-concept code” for a virus that targets both Windows and Linux. So far, the concept code hasn’t made the transition into a mainstream threat. But it’s a safe bet such attacks are coming: Don’t let your guard down.
