June 13, 2006 4:44 PM PDT

Trend Micro: Open source is more secure

Antivirus vendor Trend Micro is claiming that open-source software is inherently more secure than proprietary software such as Microsoft Windows.

Trend said one reason open-source software has fewer security issues is the variety of Linux distributions. Although they use the same kernel, if one distribution is compromised, the same piece of malicious software may not work on a different distribution, the company said Monday.

"Open source is more secure. Period," Raimund Genes, chief technical officer for anti-malware at Trend, said. "More people control the code base; they can react immediately to vulnerabilities; and open source doesn't have so much of a problem with legacy code because of the number of distributions."

Genes said open-source developers "openly talk about security," so patches are "immediate--as soon as something happens," whereas proprietary vendors with closed code have to rely purely on their own resources to push patches out.

However, Genes said Linux servers need to be hardened to make them "really secure," and that they cannot be used safely without altering the default security settings.

Mark Cox, security response team lead for Linux seller Red Hat, agreed that the Linux community shares security knowledge, but he said it was wrong to say Linux distributions are not secure out of the box.

"We always make sure we pass knowledge back upstream so everyone who uses the Linux kernel can benefit," Cox said. "Red Hat out of the box comes with default SELinux, a firewall...security is on by default, although it is possible to further harden it."

Cox was reluctant to compare the relative security merits of open-source and proprietary software but said Linux was affected by less critical vulnerabilities.

"Whether it's open source or closed source doesn't really make a difference--the issue is whether the software has been designed with security in mind," Cox said. "Ten years ago, Apache was designed to address buffer overflows and has been successful. It's harder to write a worm for Linux because there haven't been that many critical vulnerabilities found, and even those are harder to exploit because of the diversity" of distributions.

However, Cox also warned that past performance was no guarantee of future results, unless the open-source community develops technologies to stop future Linux vulnerabilities.

He said it is also important to develop metrics to measure security for both open and closed source software, including the security response times, transparency in disclosing vulnerabilities, and how fast patches are deployed.

Genes pointed out that Microsoft is beginning to address security issues in developing Vista, in part by restricting administrative access.

"Microsoft is on the right track. It's now promoting access control, which was introduced by Unix. No one thinks of running Unix in root," Genes said.

Tom Espiner of ZDNet UK reported from London.

See more CNET content tagged:
Raimund Genes, open source, Trend Micro Inc., Linux, Red Hat Inc.

7 comments

Join the conversation!
Add your comment
Then he should put his money where his mouth is
and release the source to his software. Otheriwse he's just making noise for the sake of hearing his own voice.
Posted by aabcdefghij987654321 (1721 comments )
Reply Link Flag
So, since...
... "It's harder to write a worm for Linux because there haven't been that many critical vulnerabilities found, and even those are harder to exploit because of the diversity" of distributions."; what percentage world market share does the total "diversity of distributions" (desktop) has when compared to Windows! Cash wise (since it will be all about the money)... what compelling reasons would I have to develop an applications for a "diversity of distributions" when I can develop applications that let "one size fits all"!
Posted by Captain_Spock (894 comments )
Reply Link Flag
You're Reading Too Much Into This
Ordinary applications don't try to exploit minutae in the OS, so they aren't affected by the variations to which the article refers. However, GUI-based applications are still less portable on *nix than on Windows.
Posted by c|net Reader (856 comments )
Link Flag
The "One vs the Many" Captain Spock
You wrote: "what compelling reasons would I have to develop an applications for a "diversity of distributions" when I can develop applications that let "one size fits all"!
Why?
Because:
A) you might want to write for a best of breed platform, and
B)You support interesting choices over a single (one size fits ALL) vendor world. And
C)You believe competition stimulates innovation far more than than little to none does.
Posted by technewsjunkie (1265 comments )
Link Flag
It's BS
There is no testing done on those community patches and they end up causing more trouble than there worth. Plus worms are not the issue anymore, it is botnets and targeted attacks and these are attacks against the Kernel. Another Vista feature is memory randomization which makes the system much less wormable. This dud head should do his homework before making remarks such as that. Perhaps he can go work for Oracle, and rekindle the "Unbreakable" marketing campaign.
Posted by CyclopsRooster (11 comments )
Reply Link Flag
This dud head should do his homework before making remarks
This dud head (refering to Mr Rooster) should do his homework before making remarks.

- memory randomization was first written into BSD Unix and has since been included in various linux distributions. Vista is still trying to catch up.

- how do you figure those nifty botnet apps get installed on the client machines? couldn't possibly have anything to do with worms I'm sure.

- *nix patches are tested by the community. if it doesn't work, someone else in the 1000 or so list of opensource contributors will fix it.

But let's not stop with your commentary. Which is a better approach to hardening a program be it OS, deamon or user app:

1. hundreds (no idea what the number is really) tight lipped programmers working overtime to meet constantly delayed release dates under the "good enough to ship, fix it later" aproach.

2. millions of programmers freely sharing information working on a common project as a volanteer labour of love on a system they personall want to see improved.

Hm.. 200'ish eyes reviewing a million lines of code trying to maintain compatability back to it's fetal stage. 2 million'ish eyes revewing code for short programs that combine on a common standard to result in a complete OS and app library.

I can code pretty good. I've complies some zingers in the past but just one code monkey alone does not equate to the sum of two code monkeys, or four, or eight, or sixteen.

Another example, the programs I wrote to appease an empending assignment due date in school where **** poor examples of my programming skill compaired to programs I wrote as hobby work and passtime.

The basic fact is that Microsoft has done so much to errode the trust of the computer world that it will always be the target of choice. Everyone wants a piece of the tallest guy on the basketball court. In the case of M$ it's a tall skinny malnurished rich kid that laughs and points obnoxiously anytime someone else get's hurt. If M$ can be teh cause of that hurt, so much the better.
Posted by jabbotts (492 comments )
Link Flag
Is Trend going open source?
I would assume this means Trend is going open source, else they are supporting being less secure.
Posted by CyclopsRooster (11 comments )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.