Do you use open source software (OSS) such as Linux or Apache? If you do, you might be interested in what some industry insiders say about open-source code and security. On May 30, the Alexis de Tocqueville Institution (AdTI) released a white paper, "Opening the Open Source Debate," that discusses how OSS could present a serious national-security problem. According to a press release on the institution's Web site, the issue of using OSS becomes complex "particularly if federal agencies such as the Department of Defense or the Federal Aviation Administration use software that inherently requires that its blueprints, source code and architecture is made widely available to any person interested—without discretion." You can read about the matter at the press release link below. However, if you want to read the white paper, you'll have to fork over $5.95.
According to AdTI, the white paper "outlines how open source might facilitate efforts to disrupt or sabotage electronic commerce, air traffic control or even sensitive surveillance systems. Unlike proprietary software, open source software does not make the underlying code of a software confidential." Interestingly enough, AdTI reportedly receives funding from companies, such as Microsoft, who compete with OSS. The white paper's release comes not too long after military officials threatened to stop using Windows unless Microsoft does more to address the number of bugs in its code and changes the way it handles patches. The AdTI press release further states that computer systems form the backbone of US national security and that before "the Pentagon and other federal agencies make uninformed decision to alter the very foundation of computer security, they should study the potential consequences carefully."
What consequences? If OSS really is less secure than closed source software such as Windows, why can attackers discover new security problems in Windows and other Microsoft products almost weekly? I fail to understand the arguments AdTI outlines in the press release, but I do understand that obscurity gains very little computer security. It's never been proven that openly offering source code makes using that code more of a risk. In fact, statistics reflect about as many reported security vulnerabilities in the various Linux distributions as are reported in Windows. So the debate AdTI presents is beside the point because the question of security regarding open-source code has been playing out for years. Whether source code is open or closed isn't the issue. If anyone's software contains a security bug, attackers will eventually find it.
Sure, having source code makes finding security problems a bit easier, and attackers do pore over open-source code looking for problems—that's part of what open-source projects are about. Microsoft could probably improve the security of its code by making the source open to the public. But to date, the company isn't inclined to do that. Add to that situation the fact that Microsoft has angered loads of people through its aggressive marketing practices. Attackers have responded by working hard to discover and exploit security problems in Microsoft software—and, of course, they do that routinely without access to the source code.
Some of the most dangerous and expensive exploits ever launched (e.g., Melissa, Nimda, Code Red) have been propagated through the closed source Windows OS and through other Microsoft software. In fact, so many viruses and worms target Microsoft Outlook clients that I sometimes think that a company could reduce its overall security budget (and aspirin budget) by simply not using Outlook software. In USA TODAY, John Gilligan, Air Force chief information officer (CIO), argued that installing patches and fixes on Microsoft products actually costs the Air Force more than the products themselves.
A given software package's security level often depends on obtainable knowledge: Who can find out about an unpatched vulnerability? Debates about open source won't change that situation. Right now, government officials are considering exempting security vulnerability information—if it's reported to the government—from the Freedom of Information Act (FOIA). That's interesting, but by itself, that change in the law won't support better computer security unless people are required to report all vulnerabilities to the government first. Obviously, making that happen would require still other laws that would lead to significant changes in the way people use software in general. (For more information about the FOIA proposal, read the interview with presidential cybersecurity adviser Richard Clarke in CIO Magazine.
Microsoft's .NET model could help facilitate better security through automation, but that requires that people actually use Microsoft products. With the government balking at Microsoft's practices, the company has to do something before major customers (such as the US military) jump ship in favor of non-obscure open-source products for which public teamwork drives quality. The AdTI white paper might do more to hurt than help Microsoft's situation.