Ranjeet Walunj

February 12, 2009

Argument: Is open source software secure enough?

I’ve heard this argument from many Microsoft/closed-source technology evangelists: open source software is not secure enough, because anyone can read the source, easily find a flaw in it and use that flaw for their own benefit.

This week there was an argument on Slashdot about the same topic.

According to Linus’s Law, “given enough eyeballs, all bugs are shallow”. More formally: “Given a large enough beta-tester and co-developer base, almost every problem will be characterized quickly and the fix will be obvious to someone.” The rule was formulated and named by Eric S. Raymond (ESR) in his essay The Cathedral and the Bazaar.

Because open source reveals everything, it draws the attention of all the users, hackers and programmers around the world who use that software. (Note: “hacker” is used here in its original sense, a skilled and curious programmer, not a criminal.)

The source code is reviewed by many knowledgeable people, and when a flaw is found it is quickly reported and fixed.
If a particular piece of OSS keeps suffering vulnerabilities, it loses its appeal and people quickly migrate to more secure alternatives.
(For example, many new mail server installations choose qmail or Postfix over Sendmail, partly because of Sendmail’s long history of security advisories.)

In the case of closed source (for example Windows) it takes a long time for a flaw to be reported, and much longer for it to be fixed, because only the vendor can see the code and only the vendor can ship the fix.

I don’t hate Microsoft; in fact I use Windows XP for most of my day job and am happy with it. But I have much more flexibility with my Linux. Most importantly, if something is going wrong I know where to check and what the reasons could be. (syslog is also a great friend.)

But when it comes to security, no open source software is less secure than closed-source software simply because its source is open; openness by itself is not a weakness.

Many knowledgeable independent developers, testers and reviewers have gone through the code, designs and behaviour of OSS and have contributed by reporting security threats, bugs and potential problems.

Collective intelligence drawn from the whole world is superior to that of a closed group of people.

As someone suggested, it is easier to experience this than to argue about it.

The best approach is to deploy the software yourself and run regular (say weekly) penetration tests against it to see the results first-hand.

There is no protection against careless actions by users or administrators; however, assuming you are secure because the code is obfuscated or kept closed is nothing but stupidity. An attacker does not need the source to find a flaw, while the defender who hides it loses the outside review that would have found the flaw first.
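The following is an added example, not code from the original post, showing in miniature why obscurity is not security. The first check hides a password by XOR-ing it with a fixed key inside the program, the way a closed-source product might “protect” an embedded secret; anyone who can read the program (or the shipped binary) recovers it with the same one-line XOR. The second check stores only a salted PBKDF2 digest, so publishing the source tells an attacker nothing useful about the password. All values (the key 0x5A, the password “letmein”) are constructed for the example.

```python
"""Added example (not from the original post): obfuscation versus a real
secret. Demonstrates that a check whose only protection is hiding how it
works is defeated by reading it, while a hashed check stays secure with
its source fully public."""
import hashlib
import hmac
import os
from typing import Tuple

# --- 1. "Obfuscated" check, as a closed-source product might ship it ------
# Constructed example values. Both constants end up in the binary, so the
# attacker sees exactly what the program sees.
_OBF_KEY = 0x5A
_OBF_SECRET = bytes(b ^ _OBF_KEY for b in b"letmein")  # the stored form


def check_obfuscated(attempt: str) -> bool:
    """Compare the attempt against the de-obfuscated embedded secret."""
    secret = bytes(b ^ _OBF_KEY for b in _OBF_SECRET)
    return attempt.encode() == secret


def recover_obfuscated_secret() -> str:
    """What an attacker does: apply the same XOR the program applies.
    Obscurity was the only barrier, so one line of code removes it."""
    return bytes(b ^ _OBF_KEY for b in _OBF_SECRET).decode()


# --- 2. Hashed check: both the code and the stored record can be public --
PBKDF2_ITERATIONS = 200_000


def make_record(password: str) -> Tuple[bytes, bytes]:
    """Return (salt, PBKDF2-HMAC-SHA256 digest) for storage.
    Knowing this function and the record does not reveal the password;
    the attacker is reduced to guessing, slowed down by the iteration count."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def check_hashed(attempt: str, salt: bytes, digest: bytes) -> bool:
    """Re-derive the digest from the attempt and compare in constant time,
    so the comparison itself leaks nothing about where the mismatch is."""
    candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    print("obfuscated secret recovered by reading the program:", recover_obfuscated_secret())
    salt, digest = make_record("letmein")
    print("hashed check, correct password:", check_hashed("letmein", salt, digest))
    print("hashed check, wrong password:  ", check_hashed("letmeout", salt, digest))
```

The point of the comparison is the asymmetry: the first design is broken the moment anyone reads it, which is exactly what openness invites, so it must never have been secure in the first place. The second design is indifferent to who reads it, which is what a design has to satisfy before publishing the source can only help.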

I’ve been using OSS personally for years now and am absolutely happy with the way it has helped me learn things.
