Open Source is Inherently More Secure, Says Red Hat
At the Red Hat Summit in Boston last week, Josh Bressers, a senior security engineer at Red Hat, explained why open source really is the best model for building secure software.
"We don't have clothes on," said Bressers.
He didn't mean that they sit around Red Hat central naked - let's hope that's not what he meant. No, what Bressers meant was that in the open source world everything is visible.
"We have no secrets," he said. "We can't sneak a security patch in. You can just look at the source code."
But in the closed source world, you have to trust your vendor completely. All you get to see are binaries, so you have no way of knowing how they were built. President Reagan was fond of saying to Soviet leader Mikhail Gorbachev, "Trust, but verify." With proprietary software, you simply have to trust.
Microsoft, for example, pushes out security updates on the second Tuesday of every month. Bressers said they can't do that. Microsoft has the advantage of hiding security flaws and working on them at their leisure, but with open source software, that's not possible because everyone can see that there's a problem and they expect it to be fixed right away.
And if a security hole isn't plugged quickly enough, you can fix it yourself, Bressers explained.
An example of the power of open source is the ping of death bug. Back in the late 1990s someone figured out that if you send a giant ICMP packet to a computer, just about any computer, it will crash. The bug affected every operating system, routers, printers, etc. When the problem was discovered, the open source Linux operating system had the bug squashed in about 2 hours, Bressers recalled. The closed source operating system vendors, however, took days, weeks and even months to make and distribute a patch for the ping of death.
Being open and transparent is a powerful motivator to write quality software and to fix the inevitable bugs that arise, but another driving force that the open source community has that proprietary software doesn't, is strength in numbers.
If you think about all of the software that goes into building a Linux distribution such as Red Hat, the number of developers is astounding. And it's not just developers who are involved in the process. There are packagers, users and companies, such as Red Hat, and volunteers at Debian all looking at the code and reporting bugs.
Linus Torvalds' law is, "Given enough eyeballs, all bugs are shallow."
Bressers said that Red Hat, Debian, SuSE and other organizations work well together on security issues. If Debian sees a bug in our code, he said they tell us because they know that bad press for any open source project is bad for everyone.
Open source is a community. It may be a loosely knit community, but it's a community.
And in the open source world, there is no place to hide. The emperor wears no clothes, the source code is there for anyone to look at and there are thousands of people looking at it every day.
"That's why open source software doesn't suck," Bressers said. "We have no secrets."
Keith Vance is a software engineer and a journalist. He's been developing Web applications professionally since 1997, and he received his journalism degree from the University of Washington in 2008.