Open Source and Security: Letters to the Editor : Page 5

Scores of readers responded angrily to our featured opinion last week, "Open Source Is Fertile Ground for Foul Play." See a sampling from our mail bag.

In his article, "Open Source Is Fertile Ground for Foul Play," Russell Jones seems to have missed the whole point of open source. That is quite simply that open source is open. Not only is the code freely distributed, it is also freely discussed on the Internet. In addition to possible criminal penalties, anyone who is discovered to have deliberately submitted malicious code to an open source project will certainly be discussed at length and dismissed from any projects they've joined. The programmer who did such a thing would be committing social and professional suicide.

On the other hand, closed source programs are obviously dangerous. To give a real world example, we just learned that Microsoft sat on a security vulnerability for six months. This would simply be impossible in the open source world, which usually issues patches within 48 hours. Worse, consider the TimeLine license issue:

This article demonstrates that closed source is very dangerous. If the TimeLine software had been distributed under a truly open license it could be used without fear of legal entanglements. There's probably no need to mention worms, virii, Trojans, adware, or closed source software that phones home.

Mr. Jones should also note that most open source projects have only a few members who are actually allowed to commit patches to the source tree, and most of these alpha-geeks carefully read all the submissions they receive. This means, of course, that open source projects are not as vulnerable as Mr. Jones imagines them to be. Someone has authority and actually reads the code before committing it.

Mr. Jones might also consider the obvious fact that anyone who wants to use open source code for an important project is fully capable of auditing that code to whatever depth pleases them, something they can't do with code from Microsoft or Sun. Sure, some clueless criminal who hasn't considered the issue can try giving a malicious open source package to government, but what happens when that government has their programmers look the package over for Trojans? In addition to committing professional suicide, such a criminal might be indicted for any of several crimes, ranging from "unlawful access" to treason.

Further, when it comes to examining code, let's actually look at some real numbers. Imagine an organization purchasing MS Office Pro and XP for a thousand users. Even with volume discounts, they can expect to pay around half a million dollars for the privilege. Or, they can install Linux and OpenOffice for free, hire one programmer to add custom features and another to inspect the open source code for vulnerabilities. Total cost, perhaps $200,000. In other words, that organization can get free software, a year of code auditing, and a year of customization for less than half what it costs to buy a Windows solution. Go to India and you can get 10 programmers for a year for that same price.

As Mr. Jones notes, an inside job is possible, but this is an extremely weak argument. The sysadmin for any organization can install back doors, keystroke loggers, Trojans, malware and virii, and it doesn't matter what brand of software is being run. It's also important to remember that 90 percent of the programmers out there don't work for software manufacturers, either open or closed. They work creating and maintaining some big company's custom codebase. These programmers have the capability, and possibly even the motivation, to create malicious code. Once again, it doesn't matter what operating system is being used.

Lastly, Mr. Jones' comparison of Windows and Linux security vulnerabilities is deeply flawed. Let's examine the site he recommends, and compare RedHat 9 to Windows XP Professional:

Editor's Note: The Secunia link was not included in the original submission by Dr. Jones. It was added in post-editing by me. Links to other third-party vulnerability data should have been included. These have recently been added to the original article.—Lori Piquet

Someone who doesn't understand the way Linux is packaged and delivered might take a look at the data and assume that Windows, with only 34 security advisories in 2003, was a better operating system than RedHat, with 72 security advisories, but to someone with even a tyro's knowledge of Linux, the Secunia data is deeply flawed. Let's take a look at the man behind the curtain.

Windows XP comes on one CD. It includes only the core operating system, a few games, some small, but useful programs, and the two most insecure programs on the planet—Outlook Express and Internet Explorer, adding up to a total of perhaps 300 executable programs. But on the list Mr. Jones recommends, the vulnerabilities for IE and Outlook aren't listed. Merely adding the 2003 vulnerabilities for these two programs would make the list of Windows security problems larger than the list for RedHat. Oops. The list Jones suggested your readers peruse is dishonest.

But it gets worse. RedHat 9 comes on four CDs, and contains somewhere in the neighborhood of 1,500 separate executable programs, and the vulnerabilities for all of these programs are listed. For example, we see two different mail servers, sendmail and squirrelmail, on the Secunia list. No real-life server installation would contain more than one mail serving program. The same is true of CUPS and LPR, which are two listed printer daemons. We also see several other server programs listed, including samba, PHP, Apache (listed as httpd), PostgreSQL and iproute. There are also several userspace programs on the list, such as Eye of Gnome, PAN, unzip, Ghostscript, Netscape, XPDF, tcpdump, up2date, etc., listed in the RedHat section.

In other words, Secunia is comparing a completely bare Windows XP box to a Linux box, which is fully loaded with both server and userspace programs.

To make the comparison fair, you'd have to add around a thousand programs to the Windows box. First, install gobs of server software, all of it on the same machine. Use programs such as Microsoft SQL, Exchange Server, IIS, ASP Server, two different network printing programs, etc. Then install a bunch of userspace software such as WinZip, Adobe Acrobat, IE, Outlook and Eudora, and then include a bunch of utilities not normally found on Windows machines. Now make the comparison. It doesn't look nearly so good, does it? In fact, the RedHat box is much more secure. Go a step further and consider that it takes Microsoft months to patch a vulnerable piece of software, while the open source community usually patches within 48 hours.

Now let's do some math. Divide the 34 Windows vulnerabilities into 300 programs. We end up with one vulnerability for every 8.8 programs on the Windows install disk. Now divide the 72 Linux vulnerabilities into the 1,500 executable programs on the Linux install disks. RedHat 9 has one vulnerability for every 20.8 programs. In other words, Windows is 2.3 times as insecure as Linux.

So there it is. Jones doesn't understand the way Linux is distributed well enough to interpret the Secunia data, he didn't consider the financial numbers, and he clearly doesn't understand the open source culture. Why a knowledgeable reader would take his piece seriously is beyond me.

Alex Roston
