November 27, 2006 3:30 PM PST

Security from A to Z: Open source

Whether open-source software and closed-source software differ in terms of security will always be debated. But what's clear is that vulnerabilities are found and exploited in both.

Speaking at London's LinuxWorld conference in October, Alan Cox, a respected figure in the U.K. open-source community, warned about complacency over the security of open-source projects.

Microsoft, leader of the closed-source world, makes more headlines than any other software maker when it comes to security. But that's because the company's products are used by nearly all PC users, not because Microsoft software has more vulnerabilities.

More attention is being paid to the security of open-source software. The U.S. Department of Homeland Security even awarded a $1.24 million grant to Stanford University, Coverity and Symantec to hunt for security bugs in popular open-source programs.

Developers have been quick to fix many bugs found as part of the U.S. government-sponsored program. More than 900 flaws were repaired in the two weeks after Coverity announced the results of its first scan of 32 open-source projects, which include the Linux operating system, Apache Web server, MySQL database and Firefox Web browser.

obscurity is not security
by jabbotts November 27, 2006 9:06 PM PST
"But that's because the company's products are used by nearly all PC users, not because Microsoft software has more vulnerabilities."

This is misleading, in direct opposition to reality. Obscurity is not security. You're saying that Windows is not more vulnerable, it's just less obscure and as such, attacked more.

Until Vista (the jury is still out on Vista) the very way in which Microsoft had developed its software meant inherent vulnerabilities.

Internet Explorer (IE6, less so in IE7) being forcibly embedded into the OS while still allowing Java, ActiveX and other network-transferred program code to run at very low OS levels (users normally interact with a very high OS level) is a vulnerability of design, not lack of obscurity.

Basing every version of Windows (Win95 through to WinXP) on all of its previous versions' software code (MS-DOS at the very core of the onion) is an inherent vulnerability. Patches for WinXP SP2 were still including fixes for old DOS flaws. Multiplying your software flaws by every major OS version you demand to be backward compatible with is a vulnerability, not lack of obscurity.

Microsoft's development architecture for DOS through to WinXP is fundamentally insecure. DOS was a standalone OS; it was developed at a time when no one even considered connecting two machines together. It was meant to run on a lonely workstation that transferred files by floppy disk. Win95 was little better; Win98 had more complete network support without any security. Again, every version of Windows just gets wrapped around the previous like onion skins. You can't build a secure OS with a hollow core.

Microsoft insecurity is because of inherent vulnerabilities and years of treating security as an afterthought, not because it runs on the majority of personal computers and, frighteningly enough, servers.

If anything, running on the majority of computers should result in the majority of user bug reports, leading to a hardened system. Microsoft is profit driven, however, not quality driven. And, being a grandpa proprietary software company, they spent many years earning their bad will among the hacker community by ignoring and discounting any bug reports submitted by "outsiders".

As for Vista, we'll see. It won't be worth seriously considering until service pack one or two, and in the meantime it's not yet been put through its paces by "intrusion analysts". It'll be pretty, to be sure, but the jury's still out on the security effectiveness.