Is Open Source Really More Secure?

In this article we'll discuss the claim made by proponents of open source software that such software is more secure. Is open source really inherently more secure than closed source commercial software? If so, why? And if not, why do so many have that perception?

The debate surrounding which is best, open source (often free) software or closed source commercial software, continues to rage. Proponents of open source claim that it not only saves money, but is also inherently more secure. The first claim might seem to be a given (although once you factor in learning curve, administrative overhead and support – or lack thereof – “free” software doesn’t always have as much of a TCO advantage as it would seem). The second claim is what we’ll discuss in this article. Is open source really inherently more secure than closed source commercial software? If so, why? And if not, why do so many have that perception?

What is Open Source, Anyway?

Before we can intelligently discuss the differences between open source and proprietary software, we need to clarify what the term really means. Many people equate “open source” with “free of charge,” but that’s not necessarily the case. Open source code can be – and is – the basis for products such as RedHat and dozens of other commercial distributions of Linux that range in cost from a few dollars to a few thousand (RedHat Enterprise Linux premium edition lists at $2499 for Intel x86, up to $18,000 for IBM S/390).

“Open source” also does not mean “unlicensed.” In fact, there are a whole slew of licenses under which open source software is distributed. Some of the most popular include GPL (the GNU Public License), BSD, and the Mozilla Public License. The Open Source Initiative (OSI), a non-profit corporation, has developed a certification process for licenses. You can see a list of open source licenses approved by OSI at http://opensource.org/licenses/.

The name itself tells the story: open source software means the source code (the programming often written in C, C++ or even assembler language) is available to anyone who wants it, and can be examined, changed and used to write additional programming. This is in contrast to “closed” or proprietary software such as Microsoft Windows, for which the source code is a closely guarded trade secret (except when it’s leaked to the public).

When Closed Source Comes Open

Which brings us to recent events: in early February, it was reported that part of the source code for Windows NT 4.0 and Windows 2000 had been leaked to the Internet. Files containing the code were posted to a number of P2P sites and were being eagerly downloaded. The available code comprised only a small portion of the entire code base for the operating systems, but the incident caused a great deal of consternation, both at Redmond and within the IT community.

Microsoft was understandably concerned about its intellectual property rights, but IT pundits played up the security angle. Many unnamed (and some named) “security experts” were quoted as saying the leaks of the source code present a serious security issue, and that hackers could use the information to launch new and improved attacks against the Windows operating systems.

Does This Mean Open Source is Less Secure?

These claims must seem confusing to those who have been listening to open source proponents, who for years have told us that their software is more secure precisely because the source code is readily available to everyone. If having the code “out there” makes Linux more secure, why would the same thing make Windows less secure?

Of course, Microsoft has always taken the opposite stance. During the anti-trust trials, they argued vehemently against the court’s proposed remedy of disclosing their source code based on the security risks of doing so.

Who’s right, then? All other issues aside, what are the security advantages and disadvantages of open source vs. proprietary software? Let’s take a look.

Security Through Obscurity

Vendors of proprietary software say keeping the source code closed makes their product more secure. This reasoning is based on logic; certainly you don’t want to advertise what goodies you have in your house and where they’re located to the neighborhood burglars.

Open source advocates counter that this is merely a form of “security through obscurity,” a concept that’s generally dismissed as ineffective in the IT community. And certainly, by itself it won’t protect you, as a homeowner or as a software vendor. Merely keeping quiet about your possessions might make it less likely that thieves will target you, but you’d be foolish to leave your doors unlocked at night just because you haven’t distributed information about what you own.

Keeping the source code closed might deter some hackers, but the large number of successful attacks against Windows and other proprietary software proves that it certainly doesn’t provide any kind of high level of security.

Speaking of the high rate of attacks against Windows, open sourcers often point to that as “proof” that their software is more secure. However, number of attacks doesn’t prove anything except that Windows is a more popular target. If 90% of the people in the neighborhood put their valuables in a particular brand of safe, the smart burglar is going to spend his time learning to crack that type of safe. The other 10% might use a brand that’s or equal or inferior quality, but they might be successfully attacked less often simply because the product they use is not as ubiquitous.

If you were a hacker, and the majority of systems you encountered ran Windows while a smaller number run a different OS, which one would you prefer to develop attacks and viruses for? Open source proponents are fond of “facts” that show more Windows machines are compromised, more Windows based Web sites are defaced, etc. But in fact, a lower attack rate that’s due to a smaller installed base is just one more form of security through obscurity.

Security Advantages – and Disadvantages – of Open Source

Those in favor of open source say that because everyone has access to the code, bugs and vulnerabilities are found more quickly and thus are fixed more quickly, closing up security holes faster. They also point out that any and everyone is free to create a better, more secure version of the software.

Those on the other side maintain that a closed system in which only trusted insiders debug the code makes it less likely that discovered vulnerabilities will be exploited before they can be patched.

They also point out that there are many reasons (in addition to market share) that are unrelated to the technical security of the software but that can account for a larger number of attacks against proprietary software. One is the nature of the “OS wars” – because open source software has traditionally been more difficult to use, those who gravitate toward it tend to be more technically savvy. The larger number of self-proclaimed hackers who are pro-open source and anti-Microsoft means there are more people out there with the motive and the means to write malicious code targeting Windows systems.

Of course, the open source people can respond that the very fact that Microsoft has more “enemies” makes their software inherently less secure because so many are trying to bring it down.

What’s the Answer?

It’s obvious that you can use both statistics and logic to support either side of the argument. Our discussion started off by asking whether open source software is inherently more secure than proprietary software. That is, does opening the source code in itself make it more secure?

Consideration of the facts makes it obvious that having the code available has both advantages and disadvantages in terms of security. Vulnerabilities may be found – and exploited, if they’re found by the wrong people – more easily, but they may also be fixed – if they’re found by the right people – more quickly. There are many factors that affect the security of an operating system or application, from the code level to the user level. Whether or not the source code is open is probably one of the least important factors.