Is Open Source Really So Much More Secure By Nature
-
@Dashrender said in Is Open Source Really So Much More Secure By Nature:
@scottalanmiller said in Is Open Source Really So Much More Secure By Nature:
@Dashrender said in Is Open Source Really So Much More Secure By Nature:
@scottalanmiller said in Is Open Source Really So Much More Secure By Nature:
@Dashrender said in Is Open Source Really So Much More Secure By Nature:
@scottalanmiller said in Is Open Source Really So Much More Secure By Nature:
I did find a peer reviewed paper, but it was written by Microsoft and peer reviewed by a university that they fund. And it just said that they didn't have any means by which to evaluate the two because there's no viable metric.
"In conclusion, open source does not pose any significant barriers to secu-
rity, but rather reinforces sound security practices by involving many people
that expose bugs quickly, and offers side-effects that provide customers and the
community with concrete examples of reusable, secure, and working code."However, they also came to this utterly garbage conclusion that only Microsoft could come to: "...many security attacks are independent of the source code, so neither open source or proprietary software is less secure."
So let me get this straight, Microsoft's employee claims that since many attacks come through other vectors, that code security is irrelevant anyway? That's literally what they said in the paper. So their claim is that something like the Solarwinds event is irrelevant since, for example, ransomware is common in other arenas.
LOL - yup, that's what I read
Haha, it was definitely not a good thesis. It had some good points, but got lost and focused almost entirely on anything but the topic and by the end, was so distracted, that they no longer even considered the topic.
Oh - I was only replying to your post.. not the whole paper
Oh, I read the entire 22 page article. It wasn't all bad, but it was clear that no one with an understanding of the topic was involved because it basically had a tiny amount about the topic, and a huge amount lost talking about unrelated things like social engineering and investment dollars rather than the licensing.
But it was suggestive that they spent most of the paper trying to come up with excuses for why closed source was still acceptable even though all evidence and logic pointed to the contrary by trying to show that what matters is something else. And that's true, the source licensing is not the biggest factor... but it's the factor being discussed. They definitely resorted to misdirection to try to downplay a conclusion that they were aware of.
What a min - where did licensing come into this conversation? I thought we were talking about security of code open source vs closed source?
OH - the type of license applied to the source.. nevermind - I get it.
But wait - open vs closed isn't the biggest factor for security in code? then what is?
-
@Dashrender said in Is Open Source Really So Much More Secure By Nature:
But wait - open vs closed isn't the biggest factor for security in code? then what is?
The quality of the code being written.
-
There are SO many factors that go into making code, and all of them play a factor in the security of the final product.
Some of the factors that play in...
- Skill level of the developers.
- Security mindedness of the organization.
- Priority given to security.
- Security training.
- Code Auditing.
- Licensing
- Market pressure for security.
- Legal penalties for insecurity.
- Passion for project.
- Development environment and ecosystem.
- Tooling
- Project Management
- Deadline Management and Time Pressure
- Type of software being written.
- Ecosystem of libraries and components.
- Architecture and design of software.
- Up to date tools and libraries.
- Value of compromising system.
-
For example, in one of the articles it was pointed out that Microsoft's culture made it hard for them to retain highly skilled developers and that they relied very heavily on smart, but inexperienced, college grads. This means that they aren't leaning on those that are most competitive (those tend to be hired before college) nor on those that have built up the best reputation (highly experience) as both of those were being poached by other, more competitive firms. So Windows was (and still is, we assume) suffering from having to be made by people with less overall experience and less overall skill than are going to other firms, while having less political clout to push for good things in the environment.
The latter is more important than it seems. Very companies make it comfortable for a junior developer to take personal career risks to push for things like performance or security. Those things put their careers in jeopardy and offer little to no potential reward. And as a junior, you lack the reputation to push through an agenda that a PM might not want, and almost certainly lack the confidence to attempt it.
MS also lacks being a "sexy" place to work. It's not something you brag about. In fact, in many cases, it's a big embarrassing. Heck, they hired our community's famous drunk that is all but banned from any professional event because he constantly shows up wasted and harasses the speakers and pukes at the event (for real.) This is the bar for being an MS engineer. I'd be ashamed to be associated. Their behaviour in this community is utterly unprofessional as well. Bottom line, coming home from a sweet startup making something amazing is likely to drive a lot more happiness at work than being a grunt working at MS where most people who learn where you work are happy for you that you have a job, but ultimately feel badly for you that you failed to get into a place you were hoping to get and had to settle.
-
@scottalanmiller said in Is Open Source Really So Much More Secure By Nature:
@Dashrender said in Is Open Source Really So Much More Secure By Nature:
But wait - open vs closed isn't the biggest factor for security in code? then what is?
The quality of the code being written.
yeah, I did think of this as I was writing the question... but it seemed so obvious as to be beside the point of the discussion at large.
-
@Dashrender said in Is Open Source Really So Much More Secure By Nature:
@scottalanmiller said in Is Open Source Really So Much More Secure By Nature:
@Dashrender said in Is Open Source Really So Much More Secure By Nature:
But wait - open vs closed isn't the biggest factor for security in code? then what is?
The quality of the code being written.
yeah, I did think of this as I was writing the question... but it seemed so obvious as to be beside the point of the discussion at large.
One could say the same thing about source licensing, though. It's very similar. Open is a means to enhance security, closed is a way to cover up security failings. Just like well written code is a way to make it more secure and buggy or sloppy code is a good way to have vulnerabilities. They both fall under the "should we have to say it" category in the same way, and yet, we do.
But certainly, when the question comes to "what's the biggest factor", well code quality really is it. A lone coder, with zero review, no oversight, no budget, closed source... who writes truly breathtakingly perfect code is the best option. Not one that anyone gets to prove is good, but the resulting code will be the best. It's absurd, but it's important to remember that all other factors become moot if the original code is nearly perfect.
-
@scottalanmiller said in Is Open Source Really So Much More Secure By Nature:
@Dashrender said in Is Open Source Really So Much More Secure By Nature:
@scottalanmiller said in Is Open Source Really So Much More Secure By Nature:
@Dashrender said in Is Open Source Really So Much More Secure By Nature:
But wait - open vs closed isn't the biggest factor for security in code? then what is?
The quality of the code being written.
yeah, I did think of this as I was writing the question... but it seemed so obvious as to be beside the point of the discussion at large.
One could say the same thing about source licensing, though. It's very similar. Open is a means to enhance security, closed is a way to cover up security failings. Just like well written code is a way to make it more secure and buggy or sloppy code is a good way to have vulnerabilities. They both fall under the "should we have to say it" category in the same way, and yet, we do.
But certainly, when the question comes to "what's the biggest factor", well code quality really is it. A lone coder, with zero review, no oversight, no budget, closed source... who writes truly breathtakingly perfect code is the best option. Not one that anyone gets to prove is good, but the resulting code will be the best. It's absurd, but it's important to remember that all other factors become moot if the original code is nearly perfect.
I guess I am currently looking at coding from a profitability POV. Open source seems to be much more difficult to make profitable. I mean I suppose you could use the same licenses MS has today on open source code, but how many people would still simply steal it?
This was the argument of music companies... stealing became easier than buying. Only once the buying became easier than ripping did that really change. -
@Dashrender said in Is Open Source Really So Much More Secure By Nature:
Open source seems to be much more difficult to make profitable
Of course it is. @scottalanmiller said as much about his own company.
@scottalanmiller said in Is Open Source Really So Much More Secure By Nature:
The benefits of close source (and you can trust me, I run a closed source software firm) are 100% to the vendor keeping their technology out of their competitors hands. Closed source often makes it easier to make money on software where customers are unlikely to pay for support. That's it. That's the only benefit (but it's a big one), but the benefit exists only to the company selling access to the code. From the customers' perspective, every closed source product would be equal or better if opened.
-
@Dashrender said in Is Open Source Really So Much More Secure By Nature:
I guess I am currently looking at coding from a profitability POV. Open source seems to be much more difficult to make profitable.
This is generally the case and I made a video explaining that last night that is in the process of being edited. Should be up in a week or two. But that's unrelated to the discussion. True, essentially fact, but not a factor.
-
@Dashrender said in Is Open Source Really So Much More Secure By Nature:
mean I suppose you could use the same licenses MS has today on open source code, but how many people would still simply steal it?
Like they do with the closed source already?
-
@Dashrender said in Is Open Source Really So Much More Secure By Nature:
This was the argument of music companies... stealing became easier than buying. Only once the buying became easier than ripping did that really change.
Providing code does little to make it easier to steal software to use. When the question is about piracy, source isn't a factor. If Windows was open source, that wouldn't change piracy by even 1%. It might change copyright issues with competitors stealing code, but that's a totally different issue. But for end users stealing the product, it just doesn't play in.
-
@scottalanmiller said in Is Open Source Really So Much More Secure By Nature:
@Dashrender said in Is Open Source Really So Much More Secure By Nature:
This was the argument of music companies... stealing became easier than buying. Only once the buying became easier than ripping did that really change.
Providing code does little to make it easier to steal software to use. When the question is about piracy, source isn't a factor. If Windows was open source, that wouldn't change piracy by even 1%. It might change copyright issues with competitors stealing code, but that's a totally different issue. But for end users stealing the product, it just doesn't play in.
Theft is only done when there isn't a viable option. No one goes around thinking "what can I steal today" mentality. It's a I need this or that and am going to steal it for whatever their reason is.
-
@scottalanmiller said in Is Open Source Really So Much More Secure By Nature:
@Dashrender said in Is Open Source Really So Much More Secure By Nature:
I guess I am currently looking at coding from a profitability POV. Open source seems to be much more difficult to make profitable.
This is generally the case and I made a video explaining that last night that is in the process of being edited. Should be up in a week or two. But that's unrelated to the discussion. True, essentially fact, but not a factor.
Agreed, not a factor to the discussion at hand, but a reason we likely see so much closed source and will continue to do so.
-
@DustinB3403 said in Is Open Source Really So Much More Secure By Nature:
@scottalanmiller said in Is Open Source Really So Much More Secure By Nature:
@Dashrender said in Is Open Source Really So Much More Secure By Nature:
This was the argument of music companies... stealing became easier than buying. Only once the buying became easier than ripping did that really change.
Providing code does little to make it easier to steal software to use. When the question is about piracy, source isn't a factor. If Windows was open source, that wouldn't change piracy by even 1%. It might change copyright issues with competitors stealing code, but that's a totally different issue. But for end users stealing the product, it just doesn't play in.
Theft is only done when there isn't a viable option. No one goes around thinking "what can I steal today" mentality. It's a I need this or that and am going to steal it for whatever their reason is.
So I take it you don't consider paying for it a viable option, because presumably, that's almost always an option. Stealing music was worthwhile because buying CDs was expensive, and a PITA to rip by the masses, but using software like napster was as easy as using email, perhaps easier.
-
@Dashrender said in Is Open Source Really So Much More Secure By Nature:
@DustinB3403 said in Is Open Source Really So Much More Secure By Nature:
@scottalanmiller said in Is Open Source Really So Much More Secure By Nature:
@Dashrender said in Is Open Source Really So Much More Secure By Nature:
This was the argument of music companies... stealing became easier than buying. Only once the buying became easier than ripping did that really change.
Providing code does little to make it easier to steal software to use. When the question is about piracy, source isn't a factor. If Windows was open source, that wouldn't change piracy by even 1%. It might change copyright issues with competitors stealing code, but that's a totally different issue. But for end users stealing the product, it just doesn't play in.
Theft is only done when there isn't a viable option. No one goes around thinking "what can I steal today" mentality. It's a I need this or that and am going to steal it for whatever their reason is.
So I take it you don't consider paying for it a viable option, because presumably, that's almost always an option. Stealing music was worthwhile because buying CDs was expensive, and a PITA to rip by the masses, but using software like napster was as easy as using email, perhaps easier.
No I do consider paying for something viable - personally. Others may not for whatever their reasons are.
Please refrain from inferring things based on a conversation.
-
Here's something else to think about.
AFAIK, Windows & Office (closed) has many more people able to support & repair it compared to non (open) Windows & Office competitors.
Could this make Windows & Office more secure than Open alternatives, simply as it could be assumed that patches/fixes could be put in place more quickly, than on Open products?
As an example. Business X needs the latest MS security fixes put in place. They go search for someone who can do that. How many IT support places support Windows & how many support places support Linux?
Could a product be considered more secure simply because it can be supported by many more parties than it's rival?
Or another way to think about it, could a product that is created less secure, be considered more secure than a more secure alternative, simply because the support base for the less secure product is far greater than the more secure product?
-
@siringo said in Is Open Source Really So Much More Secure By Nature:
Here's something else to think about.
AFAIK, Windows & Office (closed) has many more people able to support & repair it compared to non (open) Windows & Office competitors.
Could this make Windows & Office more secure than Open alternatives, simply as it could be assumed that patches/fixes could be put in place more quickly, than on Open products?
As an example. Business X needs the latest MS security fixes put in place. They go search for someone who can do that. How many IT support places support Windows & how many support places support Linux?
Could a product be considered more secure simply because it can be supported by many more parties than it's rival?
Or another way to think about it, could a product that is created less secure, be considered more secure than a more secure alternative, simply because the support base for the less secure product is far greater than the more secure product?
You're making the assumption that the larger support base is competent as the smaller support base, which is questionable at best.
-
@travisdh1 said in Is Open Source Really So Much More Secure By Nature:
@siringo said in Is Open Source Really So Much More Secure By Nature:
Here's something else to think about.
AFAIK, Windows & Office (closed) has many more people able to support & repair it compared to non (open) Windows & Office competitors.
Could this make Windows & Office more secure than Open alternatives, simply as it could be assumed that patches/fixes could be put in place more quickly, than on Open products?
As an example. Business X needs the latest MS security fixes put in place. They go search for someone who can do that. How many IT support places support Windows & how many support places support Linux?
Could a product be considered more secure simply because it can be supported by many more parties than it's rival?
Or another way to think about it, could a product that is created less secure, be considered more secure than a more secure alternative, simply because the support base for the less secure product is far greater than the more secure product?
You're making the assumption that the larger support base is competent as the smaller support base, which is questionable at best.
Did you mean 'larger support base is as competent'?
Yep, I'm talking hypothetically actually, as in all things being equal. Just a point that I thought was interesting.
Could product A, which is considered less secure than product B, be considered more secure due to it having so many more people available to support it?
Think about it as both products, A & B are infected at the same time. Both are infecting your network at the same rate & speed & you need to get someone to fix the problem. Product A has 100 times more support people available to contact than product B. Does this make product A more secure than B simply because you can get it fixed more promptly than product B?
Just a conversation 'continuer'.
-
@siringo said in Is Open Source Really So Much More Secure By Nature:
@travisdh1 said in Is Open Source Really So Much More Secure By Nature:
@siringo said in Is Open Source Really So Much More Secure By Nature:
Here's something else to think about.
AFAIK, Windows & Office (closed) has many more people able to support & repair it compared to non (open) Windows & Office competitors.
Could this make Windows & Office more secure than Open alternatives, simply as it could be assumed that patches/fixes could be put in place more quickly, than on Open products?
As an example. Business X needs the latest MS security fixes put in place. They go search for someone who can do that. How many IT support places support Windows & how many support places support Linux?
Could a product be considered more secure simply because it can be supported by many more parties than it's rival?
Or another way to think about it, could a product that is created less secure, be considered more secure than a more secure alternative, simply because the support base for the less secure product is far greater than the more secure product?
You're making the assumption that the larger support base is competent as the smaller support base, which is questionable at best.
Did you mean 'larger support base is as competent'?
Yep, I'm talking hypothetically actually, as in all things being equal. Just a point that I thought was interesting.
Could product A, which is considered less secure than product B, be considered more secure due to it having so many more people available to support it?
Think about it as both products, A & B are infected at the same time. Both are infecting your network at the same rate & speed & you need to get someone to fix the problem. Product A has 100 times more support people available to contact than product B. Does this make product A more secure than B simply because you can get it fixed more promptly than product B?
Just a conversation 'continuer'.
No, I don't agree that it would make it more secure just because there are more numbers in the phonebook to call. As Travish is I assuming leading - more doesn't mean better. Hell, Scott and others will say that one Linux Admin is worth like 100 Windows admins.
-
@siringo said in Is Open Source Really So Much More Secure By Nature:
AFAIK, Windows & Office (closed) has many more people able to support & repair it compared to non (open) Windows & Office competitors.
This is the opposite of the general wisdom. This is actually a thing that I constantly teach - it's SO much easier to get competent support for Linux than for Windows. That Windows is almost impossible to filter through all the crap to find qualified support for is one of the biggest negatives of the ecosystem. It's actually one of the hardest products to get support for (not because it doesn't exist, but because it's such a tiny percentage of the people purporting to be Windows support people.)