is open source more secure ?

Hi Guys,

I'd like to know your opinion. A friend of mine claims, an open source OS like linux is more secure than a closed one like AIX because 'if he is hacked, he can do countermeasures'.

I believe the opposite is the case - it's more secure if not everybody knows the kernel and is able to manipulate it.

What do you think? - and why

Kind regards
zxmaus

pro's and con's either way...

open source mean anyone can find and patch the bugs, but also anyone can find and exploit bugs.

I feel that often open source is more secure simple because patches usually come out faster if a bug is found. (but this is not always the case.)

at the end of the day security is more about you and your habits then what OS you are using.

don't open ports you don't need.
don't run services you don't need.
keep passwords strong.
do patching often.

Both yes and no. On the one hand since a lot of people can take a look at the source it's harder to intentionally introduce malicious code. On the other hand, a lot of projects have no formalized security tests and rely on software that checks for certain patterns in the code that could introduce flaws.

The best example is the OpenSSL bug introduced in Debian because Valgrind reported uninitalized memory. The alledged "fix" reduced the overall randomness of the system because the coder and reviewers didn't see all the implications.

I agree with the replies.

It is too simple to make a sweeping generalization "open source is more secure" or "open source is less secure".

So, anyone who believes either statement, yes or no, is both right and wrong, because the statement is too general and therefore meaningless

Even the term "security" has no real meaning. In discussing IT security you must discuss risk, and to discuss risk you must think in terms of vulnerability, threat and impact.

For example, an open source system turned on and sitting in your closet without a connection to the Internet may be more secure that the most expensive closed source system on the Internet :smiley:

In other words, there are security experts born every minute, it seems, and very few understand what they are actually taking about. If you understood security and risk management, you could not answer such a simple question as "is open source more or less secure?" because this question has no context and just lends to endless, meaningless debates by people who do not understand the nature of IT security and risk management.

I agree with Neo. I'd like to split the matter into two distinct parts, a theoretical and a practical one.

Even theoretically-only spoken the matter of closed-source versus open-source remains complicated. A possible advantage of open-source is the peer-review process which can take place. But to capitalize on this advantage this process has to take place at all, which is in no way guaranteed by something being open-source at all.

A possible advantage of closed-source software would be the "security by obscurity" approach. Experience suggests that this is not a (lasting) security measure at all and in the case of compromised security there is a single possible source able to provide corrective services, whereas open-source software could be changed by everybody in theory, which still leaves a lot of possible authors of corrections in practice.

Approaching the problem on a practical level it has to be stated that "security" is - like "performance" for that matter - a relative term and cannot be used absolutely. There is some value of x you want to protect and there is some estimated effort of y needed to overcome your security measures. If x is (much) bigger than y you have a security problem, otherwise you haven't.

To appraise your security status simply put yourself into the place of the intruder: will it possibly pay off to overcome your defenses? Act, if the answer is "yes" or near there, otherwise don't bother.

It is similar to what i have countlessly told executives in meetings regarding "performance": you have some demand, which can be measured (in seconds, transactions completed, kilobytes, whatever) and there is a system having to meet the demand. It comes down to "does the system meet the specified demand - yes/no?" Performance is not being "fast" but "fast enough".

The same is true for security: what you protect and the efforts for protecting it have to be in proportion and the question is not "safe" but "safe enough".

bakunin

I would also like to add that, at least for me personally and speaking in sweeping generalities which I don't like to do; I feel less secure with "closed code" than "open code".

For me, I can easily trust what I can see. I can search open code more easily (and look for problems) than I can search a binary or encrypted code like encrypted PHP (which I cannot search at all).

Recently, I refused to install encrypted PHP on a web site for that exact reason. I do not trust code I cannot see and see no reason to install encrypted PHP code when I can find open alternatives.

As I mentioned before, I don't normally like to respond to generalizations without context, so I am simply providing my personal opinion, and that is that I (my personal opinion) feel more secure when I can examine the code, grep it, search it, add debug statements, etc.

I would have to dis-agree with this point of yours. If you make security relative to the sensitivity of information, you are basically saying to someone that wants sensitive information that this system is holding very sensitive information, and this is not, due to your system security change.

If you suddenly upgrade your security systems and i know you use the methodology above, then you have just made users aware that you now have something sensitive that you do not want others to get. On the other hand however, if you ALWAYS have as-secure a system as possible, no matter what is on there, you don't suddenly "change habits" and make it obvious you are trying to hide something, other then everything.