- Related Stories
-
Microsoft shakes up security fray
June 7, 2006 -
Sample virus targets Windows and Linux
April 7, 2006 -
Developers fast to fix open-source bugs
April 4, 2006 -
Trend Micro fights spam based on reputation
July 19, 2005 -
Trend Micro launches anti-spyware trio
June 19, 2005
Trend said one reason open-source software has fewer security issues is the variety of Linux distributions. Although they use the same kernel, if one distribution is compromised, the same piece of malicious software may not work on a different distribution, the company said Monday.
"Open source is more secure. Period," Raimund Genes, chief technical officer for anti-malware at Trend, said. "More people control the code base; they can react immediately to vulnerabilities; and open source doesn't have so much of a problem with legacy code because of the number of distributions."
Genes said open-source developers "openly talk about security," so patches are "immediate--as soon as something happens," whereas proprietary vendors with closed code have to rely purely on their own resources to push patches out.
However, Genes said Linux servers need to be hardened to make them "really secure," and that they cannot be used safely without altering the default security settings.
Mark Cox, security response team lead for Linux seller Red Hat, agreed that the Linux community shares security knowledge, but he said it was wrong to say Linux distributions are not secure out of the box.
"We always make sure we pass knowledge back upstream so everyone who uses the Linux kernel can benefit," Cox said. "Red Hat out of the box comes with default SELinux, a firewall...security is on by default, although it is possible to further harden it."
Cox was reluctant to compare the relative security merits of open-source and proprietary software but said Linux was affected by less critical vulnerabilities.
"Whether it's open source or closed source doesn't really make a difference--the issue is whether the software has been designed with security in mind," Cox said. "Ten years ago, Apache was designed to address buffer overflows and has been successful. It's harder to write a worm for Linux because there haven't been that many critical vulnerabilities found, and even those are harder to exploit because of the diversity" of distributions.
However, Cox also warned that past performance was no guarantee of future results, unless the open-source community develops technologies to stop future Linux vulnerabilities.
He said it is also important to develop metrics to measure security for both open and closed source software, including the security response times, transparency in disclosing vulnerabilities, and how fast patches are deployed.
Genes pointed out that Microsoft is beginning to address security issues in developing Vista, in part by restricting administrative access.
"Microsoft is on the right track. It's now promoting access control, which was introduced by Unix. No one thinks of running Unix in root," Genes said.
Tom Espiner of ZDNet UK reported from London.
See more CNET content tagged:
Raimund Genes, Trend Micro Inc., open source, Linux, Red Hat Inc.
Why?
Because:
A) you might want to write for a best of breed platform, and
B)You support interesting choices over a single (one size fits ALL) vendor world. And
C)You believe competition stimulates innovation far more than than little to none does.
- memory randomization was first written into BSD Unix and has since been included in various linux distributions. Vista is still trying to catch up.
- how do you figure those nifty botnet apps get installed on the client machines? couldn't possibly have anything to do with worms I'm sure.
- *nix patches are tested by the community. if it doesn't work, someone else in the 1000 or so list of opensource contributors will fix it.
But let's not stop with your commentary. Which is a better approach to hardening a program be it OS, deamon or user app:
1. hundreds (no idea what the number is really) tight lipped programmers working overtime to meet constantly delayed release dates under the "good enough to ship, fix it later" aproach.
2. millions of programmers freely sharing information working on a common project as a volanteer labour of love on a system they personall want to see improved.
Hm.. 200'ish eyes reviewing a million lines of code trying to maintain compatability back to it's fetal stage. 2 million'ish eyes revewing code for short programs that combine on a common standard to result in a complete OS and app library.
I can code pretty good. I've complies some zingers in the past but just one code monkey alone does not equate to the sum of two code monkeys, or four, or eight, or sixteen.
Another example, the programs I wrote to appease an empending assignment due date in school where **** poor examples of my programming skill compaired to programs I wrote as hobby work and passtime.
The basic fact is that Microsoft has done so much to errode the trust of the computer world that it will always be the target of choice. Everyone wants a piece of the tallest guy on the basketball court. In the case of M$ it's a tall skinny malnurished rich kid that laughs and points obnoxiously anytime someone else get's hurt. If M$ can be teh cause of that hurt, so much the better.
- Is Trend going open source?
- by CyclopsRooster June 14, 2006 2:20 PM PDT
- I would assume this means Trend is going open source, else they are supporting being less secure.
- Like this Reply to this comment
-
(7 Comments)