Open source insecurities: Get past the myths

Some users are still wary about deploying software that isn’t based on proprietary technologies. Experts explain why threat protection goes beyond code.

By Kathleen Lau

Industry experts acknowledge that while the perception exists that open source software is less secure than its proprietary counterparts, it’s only a myth that one is less robust than the other.

There is a degree of apprehension at first, said Jeff Williams, CEO of Columbia, Md.-based application security services provider Aspect Security, and volunteer chair of the Open Web Application Security Project (OWASP), a free application security community. “But if you get a closed source application from some small fly-by-night company, how is that different from getting some open source application from some fly-by-night developers?”

Howard Schmidt, former White House cyber security advisor, agreed the perception exists that open source is more vulnerable to hackers who may insert malicious code. “All of a sudden, you have a new file with modifications to it and some people say, ‘I don’t know what’s in there, I’m concerned about it.’”

On the other hand, there is a certain level of trust surrounding proprietary software, in that people are more confident that it won’t harbour malignant code, he said.

“It’s almost as difficult to deal with as which political party is right. The bottom line is that perceptions don’t match reality,” said Schmidt. “There’s tremendous debate.”

Photo caption: Schmidt: Secure coding practices should be the emphasis.

Due diligence

The issue of security whittles down to due diligence at the development stage, rather than to issues in the code itself, said Williams. “It shouldn’t be a requirement of security that the source code be secret. That’s really just security by obscurity.”

He said both camps run the gamut from poorly-organized to well-run development teams.

Software stemming from open or closed source is subject to the same level of scrutiny. However, the motive is different, said Ronald O’Brien, senior security analyst with Burlington, Mass.-based security software provider Sophos.

“By having it open to as many users as possible, you get the benefit of the community looking at it,” he said, adding that Microsoft Corp., for instance, gets scrutinized as well, but by those seeking to prove its vulnerability.

Despite having a community that bands together to ensure open source remains stable, Schmidt said, seeking vulnerabilities requires a particular skill that a group of many eyes may not necessarily possess. “Just by virtue of the fact that there are literally thousands and thousands of people looking over the code on open source doesn’t mean that they have the capability of identifying vulnerabilities.”

But there do exist established processes solely for the purpose of allowing the public to find flaws in software, be it open or closed source, said O’Brien.

Not just freeware

Furthermore, although big proprietary software vendors like Microsoft invest more heavily in development, open source isn’t exactly the freeware it’s often made out to be, he said. “There’s still a company responsible for marketing and selling so it’s somewhat a misconception that the open source software is free because there are costs associated with acquiring and managing open source applications.”

If a company does have issues with open source applications, these concerns won’t take root in security, but rather with support and the open source licensing model, said David Senf, director of Canadian security and software research with Toronto, Ont.-based analyst firm IDC Canada.

Internal affairs

According to O’Brien, the security risks heighten when applications — regardless of the code — are developed internally for internal purposes. With internally-developed software, the issue of security very often stems more from developers who don’t possess the skills to properly code software than from open source itself, said Senf.

He said there is ample literature out there that can provide in-house developers with techniques for building secure code, including threat modeling to assess, in advance of coding, the potential threats that could affect users of the software. “It’s knowing first what are things that can compromise a piece of software.”

Threat modeling is especially vital if the software is intended, for instance, to tap into databases housing customer information, he said. “Do I want to expose that to potential data leakage? Well, probably not.”

The industry should look to new tools that can scan, analyze and reduce vulnerabilities while code is being written, regardless of open source or commercial, agreed Schmidt. “That’s where we need to be moving and not saying one’s better than the other because they both have their own number of flaws in it.”

Sidebar: Canadian banks avoid open source

Despite the performance and price advantages offered by open source applications, financial institutions in Canada remain hesitant to dive into non-proprietary solutions, according to a recent survey.

In a poll of more than 1,600 IT managers in the U.S. and Canada, Info-Tech Research Group found that Canadian firms, in general, are more likely open to using non-proprietary software than their American counterparts.

The survey, however, revealed that Canadian financial institutions do not share this level of confidence, according to the London, Ont.-based consultancy firm.

About 60 per cent of Canadian businesses are willing to consider open source software (OSS) compared to 40 per cent of American companies. Only 40 per cent of Canadian financial services organizations support OSS use.

“Financial firms see OSS as products of acceptable value and a low cost alternative to proprietary applications but not a killer app that will drive performance,” said Michelle Warren, analyst for Info-Tech.

Another technology analyst, however, disagrees.

The local retail banking industry remains “neither bulls nor bears” mainly because of migration issues, according to David Senf, manager of Canadian application development and infrastructure software research for analyst firm IDC Canada.

“I don’t think performance or security is an issue, but rather, it’s the cost of moving from a UNIX or mainframe base that’s causing some hesitation.”

However, Senf noted support issues have dramatically waned over the last two years with the emergence of industry heavyweights Novell, Sun Microsystems and IBM into the field.
Long story short

Open source security whittles down to due diligence at the development stage.
The “many eyeballs” theory doesn’t mean open source bugs will be caught.
Most open source concerns stem from support and licensing, not security.
Internally-developed applications may lack the safeguards of public projects.