Is Open Source Really So Much More Secure By Nature
-
Here is a simple example of closed source vs. open source development.
In both cases, we have one developer who writes the following code:
print("Hello World")
In both cases, the developer compiles this into a Windows executable named hello.exe.
Everything is identical up until this point.
Now that the software is done and available to the public, we start to see differences. In the case of the closed source software the customer just gets an executable binary. They ask the developer what it does and he says "Just trust that it does what I say that it does AND that I protected the code and binary from tampering. Just trust me, blindly."
Now if this was open source the developer would say "Well, here is what I say that it does, but don't take my word for it. You can read the code yourself to see what I wrote. And if you trust the code but don't trust the compilation pipeline, you can compile the code that you have yourself to ensure that neither the code nor the compilation or binary were tampered with before it got to you."
In both cases, you have the option of blind trust of the entire process. But with open source you can choose to audit the code (or have others audit the code, or both), and if you don't trust the dev/vendor at all, you can even compile it yourself to be extra sure that the binary that you ended up with is truly from the code that you saw.
As you can see, being open offers zero additional points of risk. But being closed clearly requires two really major points of blind trust that we often just accept as acceptable risk. But open source gives you extra places where you (or other third parties) can audit the code and binaries to make sure that they are safe and/or well written or do what they claim to do, etc.
There is a reason why back doors and root kits are super common in closed source and nearly non-existent in open source: because it's so easy to hide them in most closed source in any of several steps because there is no auditing by customers and therefore little to no pressure on vendors to audit; and because the pipeline is forced to happen remotely adding additional points of vulnerability that need not exist in open source. Open source of any prominence truly gets thousands of eyes and automated vulnerability scanning tools on it all of the time, so that malware is extremely hard to hide.
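The "compile it yourself and compare" step in the post above only works if the build is reproducible, which is the caveat a practitioner hits first. The following is an added example, not code from the original post: it takes the post's one-line program (moved to Python 3 and "compiled" to a .pyc rather than a Windows .exe, since that runs anywhere), builds it twice in separate directories with different checkout times, the way a vendor and a customer would, and compares the artifact hashes. CPython's default .pyc header embeds the source mtime, so two honest builds of identical source disagree; a hash-based header makes them agree, and only then does a mismatch against the vendor's published hash actually mean something. The mtimes and the directory names are constructed for the example.

```python
import hashlib
import os
import py_compile
import tempfile
from pathlib import Path

# Constructed sample: the whole "program" from the post, in Python 3 form.
SOURCE = 'print("Hello World")\n'


def sha256_of(path):
    """Hex SHA-256 of a file, the value a vendor would publish next to a download."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def build(workdir, mode, source_mtime):
    """Write hello.py into workdir, compile it to hello.pyc, return the artifact hash.

    mode is "timestamp" (CPython's default .pyc header, which embeds the source
    mtime and size) or "hash" (a header that embeds a hash of the source bytes).
    source_mtime simulates a checkout made at a different time.
    """
    src = Path(workdir) / "hello.py"
    src.write_text(SOURCE)
    os.utime(src, (source_mtime, source_mtime))
    out = Path(workdir) / "hello.pyc"
    invalidation = {
        "timestamp": py_compile.PycInvalidationMode.TIMESTAMP,
        "hash": py_compile.PycInvalidationMode.CHECKED_HASH,
    }[mode]
    py_compile.compile(
        str(src),
        cfile=str(out),
        dfile="hello.py",  # record the same source name in both builds, not the temp path
        doraise=True,
        invalidation_mode=invalidation,
    )
    return sha256_of(out)


def independent_builds_match(mode):
    """Build the same source twice, in different directories and with different
    checkout times, as a vendor and a customer would.  True means the customer
    can confirm the vendor's artifact simply by rebuilding it and comparing hashes."""
    with tempfile.TemporaryDirectory() as vendor_dir, tempfile.TemporaryDirectory() as customer_dir:
        vendor_hash = build(vendor_dir, mode, 1_000_000_000)    # constructed mtime
        customer_hash = build(customer_dir, mode, 1_000_000_100)  # constructed mtime
        return vendor_hash == customer_hash


if __name__ == "__main__":
    for mode in ("timestamp", "hash"):
        print(f"{mode:9s} build reproducible: {independent_builds_match(mode)}")
```

Run it and the timestamp build reports False while the hash-based build reports True. The lesson generalizes to any toolchain: before treating a hash mismatch between your build and the vendor's binary as evidence of tampering, first prove that two of your own builds agree, otherwise embedded timestamps, paths or build IDs will produce a false alarm on every honest release.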
-
Market pressure is also a major factor. Closed source gets little scrutiny and is chosen by customers with less concern about security so there is little to no pressure on closed source vendors to take security seriously because if they get caught with bad security, they can just lie about how it happened as no one can view their source to hold them accountable, even when something has gone wrong.
With open source, there is no hiding, and customers are naturally quite a bit more concerned about security (that's the top reason for choosing open source, after all!). In open source, if someone injects a back door or insecure code, you are likely going to get caught and it is a big embarrassment to your company. And there's no way to lie about it, because it is laid bare for the world to see.
So the pressure for one to be secure and the other to not care is huge. Just look at MS and Solarwinds - two vendors known for totally ignoring security on the basis of "it's closed source and no one can catch us" and "our customers just don't take security seriously anyway, so who cares, not like anyone is going to stop using us even if they knew how risky we were."
-
@siringo said in Is Open Source Really So Much More Secure By Nature:
is open source software considered more secure than proprietary?
SO much so, yes. As a process, open source is a process for security. Closed source is a process against security. One's driving feature is that it makes security natural and easy. The other's driving purpose is that it hides the needs for and failures in security. So yes, it's hard to overstate how dramatically one is considered more secure to the point where you can make an argument that you can't even state that anything closed source could be considered secure because by definition, you can't truly trust anything that is closed.
Keep in mind, secure is its own measurement. We assume you are asking "which process encourages secure products versus encourages insecure products."
-
@DustinB3403 said in Is Open Source Really So Much More Secure By Nature:
@siringo said in What Are You Doing Right Now:
is open source software considered more secure than proprietary
That is a subjective question, can open source be, sure. But it really depends on a multitude of factors. How the software is implemented, how popular the software is (drawing eyes and skill to improve and secure it) etc etc .
It's subjective when we look at resulting software. Is Windows or Linux more secure? Okay, that one is laughable as the degree to which say RHEL is more secure than Windows is staggering. But that doesn't mean that it is open vs closed that makes for that specific gap. In any specific case, we are considering why is X better than Y at this one thing. And a lot of factors go into that... who wrote it, when, why, who paid for it, who is attacking it, etc. The ability to audit the source is just one of a huge number of factors (although a really, really big one.)
But when it comes to processes - which process is a security process vs. a non-security process then it's not subjective. Any given piece of software or software process becomes more secure by making it open, full stop. All other factors being equal, open is more secure even before there are any resulting code changes.
-
@scottalanmiller said in Is Open Source Really So Much More Secure By Nature:
@siringo said in What Are You Doing Right Now:
Apparently MS said they weren't concerned as they said their code is now built/evolves similarly to way in which open source code is built/evolves.
This is total and utter BS. Open is built with many eyes on it during the process and after. MS code is not. Everything they do is the polar opposite of being open. They are lying through their teeth.
I think it totally depends on the software. I mean, I do agree there's some B.S. to their statement, but perhaps not the worst in the world.
The simple fact it's open source doesn't mean X number of other people are reviewing all of the source code looking for bugs and security vulnerabilities. It also doesn't even mean X number of people are even using the software.
I am willing to bet that there are more eyes on some closed source Microsoft code than there are on some open source software. I'm willing to bet some open source software source code has only ever been looked at by the creator and nobody else.
Again, I think it totally depends.
-
@Obsolesce said in Is Open Source Really So Much More Secure By Nature:
The simple fact it's open source doesn't mean X number of other people are reviewing all of the source code looking for bugs and security vulnerabilities. It also doesn't even mean X number of people are even using the software.
No, but even if they don't, it only falls to the same as closed source. That's why the stated is "equal or better". That's all that matters, that it's equal and never worse. That's why it is such a big deal.
-
@Obsolesce said in Is Open Source Really So Much More Secure By Nature:
I am willing to bet that there are more eyes on some closed source Microsoft code than there are on some open source software. I'm willing to bet some open source software source code has only ever been looked at by the creator and nobody else.
That's different and unrelated. Any given piece of software would get equal or more eyes if open. Windows gets more eyes than, say, a one man open source project that no one uses at all. Absolutely. But like 1/100,000th the eyes that Linux gets, which is apples to apples. And far more importantly, Windows gets a tiny itty bitty fraction of the eyes on it now compared to if it were open.
That's the difference.... any closed piece gets fewer eyes than it would if open, and any open gets more than it would if closed. It's true of every single piece of software. Using comparisons between different pieces of software is misleading, but irrelevant.
-
@Obsolesce said in Is Open Source Really So Much More Secure By Nature:
Again, I think it totally depends.
That's the great thing about it, it doesn't depend. It's just fact, without exception. No depends at all. In any given scenario, open will always give you equal or better security in real review. And open always gives the end user more ability to be secure even when the code is the same. No "sometimes", no "it depends." Always.
-
How about the economics of Open vs Closed. I know RHEL brings in a crap ton from their support contracts, fortune 500 companies who feel they must buy support, even though they often employ people who could work for RHEL themselves... therefore not really needing the support, but they buy it as a reassurance for stockholders, etc, or so I've been told by someone who worked for a F500.
So outside of RHEL, what other projects are making millions or billions on their software that's open source?
I mean, would MS lose millions/billions if they open sourced Office?
-
@Dashrender said in Is Open Source Really So Much More Secure By Nature:
I mean, would MS lose millions/billions if they open sourced Office?
Yes, very likely. They depend on the file formats not being able to be read perfectly. If LibreOffice was 100% compatible, would ANYONE buy Office, ever? Only totally insane people (who tend not to make much money) would ever discuss it again, because it's a huge pain to deploy, super buggy, crazy expensive, requires support for no good reason.
It's actually garbage software that depends entirely on its closed source nature to maintain market lock in.
-
@scottalanmiller said in Is Open Source Really So Much More Secure By Nature:
But like 1/100,000th the eyes that Linux gets which is apples to apples.
How do you know how many people are reviewing the source code of the Linux kernel for security vulnerabilities and bugs versus the source code of the Windows OS? I'm not disagreeing with you per se, just the degree of the point.
-
@Obsolesce said in Is Open Source Really So Much More Secure By Nature:
How do you know how many people are reviewing the source code of the Linux kernel for security vulnerabilities and bugs versus the source code of the Windows OS? I'm not disagreeing with you per se, just the degree of the point.
Well there are three key points here. The first is... we don't care. Open source is equal or better. If zero people externally review the code, that makes it equal. So it doesn't require knowing to know that it is equal or better.
But the second point is, having worked in the enterprise, and just in IT, I've directly worked with massive departments and teams who have very stringent code review processes and are looking at the Linux kernel all of the time. And there are companies pretty much dedicated to just this. As an example, all the big investment banks do this, as do governments, militaries, security firms, researchers, etc. And those are just the big, really obvious ones. There are also firms that test all major open source against automated testing suites both because there is good business in finding bugs in open source, and because it proves your products to sell to vendors.
And thirdly, there are many large companies that all use Linux and need to audit the code for their own use. Examples are IBM, Canonical, Oracle, Microsoft, Google, Amazon, Intel, ARM, etc. All of them depend very heavily on the security of Linux and unlike in closed source, they all have a strong interest in "catching each other" if someone was to miss something.
-
@scottalanmiller said in Is Open Source Really So Much More Secure By Nature:
@Obsolesce said in Is Open Source Really So Much More Secure By Nature:
How do you know how many people are reviewing the source code of the Linux kernel for security vulnerabilities and bugs versus the source code of the Windows OS? I'm not disagreeing with you per se, just the degree of the point.
Well there are three key points here. The first is... we don't care. Open source is equal or better. If zero people externally review the code, that makes it equal. So it doesn't require knowing to know that it is equal or better.
But the second point is, having worked in the enterprise, and just in IT, I've directly worked with massive departments and teams who have very stringent code review processes and are looking at the Linux kernel all of the time. And there are companies pretty much dedicated to just this. As an example, all the big investment banks do this, as do governments, militaries, security firms, researchers, etc. And those are just the big, really obvious ones. There are also firms that test all major open source against automated testing suites both because there is good business in finding bugs in open source, and because it proves your products to sell to vendors.
And thirdly, there are many large companies that all use Linux and need to audit the code for their own use. Examples are IBM, Canonical, Oracle, Microsoft, Google, Amazon, Intel, ARM, etc. All of them depend very heavily on the security of Linux and unlike in closed source, they all have a strong interest in "catching each other" if someone was to miss something.
And that leaves out the people.
I've reviewed bits and pieces of the kernel code. It was related to a video bug and not a security review, but still, I have looked at it.
Cannot say that about your god and savior operating system, Windows.
-
@JaredBusch said in Is Open Source Really So Much More Secure By Nature:
@scottalanmiller said in Is Open Source Really So Much More Secure By Nature:
@Obsolesce said in Is Open Source Really So Much More Secure By Nature:
How do you know how many people are reviewing the source code of the Linux kernel for security vulnerabilities and bugs versus the source code of the Windows OS? I'm not disagreeing with you per se, just the degree of the point.
Well there are three key points here. The first is... we don't care. Open source is equal or better. If zero people externally review the code, that makes it equal. So it doesn't require knowing to know that it is equal or better.
But the second point is, having worked in the enterprise, and just in IT, I've directly worked with massive departments and teams who have very stringent code review processes and are looking at the Linux kernel all of the time. And there are companies pretty much dedicated to just this. As an example, all the big investment banks do this, as do governments, militaries, security firms, researchers, etc. And those are just the big, really obvious ones. There are also firms that test all major open source against automated testing suites both because there is good business in finding bugs in open source, and because it proves your products to sell to vendors.
And thirdly, there are many large companies that all use Linux and need to audit the code for their own use. Examples are IBM, Canonical, Oracle, Microsoft, Google, Amazon, Intel, ARM, etc. All of them depend very heavily on the security of Linux and unlike in closed source, they all have a strong interest in "catching each other" if someone was to miss something.
And that leaves out the people.
I've reviewed bits and pieces of the kernel code. It was related to a video bug and not a security review, but still, I have looked at it.
Cannot say that about your god and savior operating system, Windows.
No not Windows. But I do like Windows 10. At least in my own experience it's been solid the last couple years especially. I'm a fan of Ubuntu equally though, but I use the desktop version less because it doesn't do/support some things I like to do as well or as efficiently as Win10 does.
-
@JaredBusch said in Is Open Source Really So Much More Secure By Nature:
@scottalanmiller said in Is Open Source Really So Much More Secure By Nature:
@Obsolesce said in Is Open Source Really So Much More Secure By Nature:
How do you know how many people are reviewing the source code of the Linux kernel for security vulnerabilities and bugs versus the source code of the Windows OS? I'm not disagreeing with you per se, just the degree of the point.
Well there are three key points here. The first is... we don't care. Open source is equal or better. If zero people externally review the code, that makes it equal. So it doesn't require knowing to know that it is equal or better.
But the second point is, having worked in the enterprise, and just in IT, I've directly worked with massive departments and teams who have very stringent code review processes and are looking at the Linux kernel all of the time. And there are companies pretty much dedicated to just this. As an example, all the big investment banks do this, as do governments, militaries, security firms, researchers, etc. And those are just the big, really obvious ones. There are also firms that test all major open source against automated testing suites both because there is good business in finding bugs in open source, and because it proves your products to sell to vendors.
And thirdly, there are many large companies that all use Linux and need to audit the code for their own use. Examples are IBM, Canonical, Oracle, Microsoft, Google, Amazon, Intel, ARM, etc. All of them depend very heavily on the security of Linux and unlike in closed source, they all have a strong interest in "catching each other" if someone was to miss something.
And that leaves out the people.
I've reviewed bits and pieces of the kernel code. It was related to a video bug and not a security review, but still, I have looked at it.
Cannot say that about your god and savior operating system, Windows.
Oh sure, the assumption is that there are thousands or even millions of people, small companies, little orgs, volunteers, etc. that are looking at the code that we just don't know about. But we can't prove those beyond "we all seem to know some people who've done it, which indicates that it's probably common."
-
Thanks for all the chatter on this, I'm finding it quite interesting.
-
@siringo said in Is Open Source Really So Much More Secure By Nature:
Thanks for all the chatter on this, I'm finding it quite interesting.
Basically it comes down to...
Open source is in your interest. But every vendor and vendor rep and/or salesperson will say anything to convince you otherwise as nearly all of them base their careers on selling you things that are less than ideal for you.
-
@scottalanmiller some interesting statistics:
-
Interesting article on why closed source culture at Microsoft makes it hard for developers to produce the work that gets done on Linux.
http://blog.zorinaq.com/i-contribute-to-the-windows-kernel-we-are-slower-than-other-oper/
-
This is also interesting.