Open Source Software and Security Vulnerabilities

urbanshops (Free Member, London), Jun 30, 2010
One of the key issues is that open source exposes the source code to examination by everyone, so more information is available to attackers!

Exposing the source code reveals the security holes and leaves the system vulnerable!

Large organisations using Open Source hire Security Experts to prevent attacks, but what about SMEs with a low budget?

How can they keep the system secured?
Is it feasible for SMEs to go for Open Source Systems?

It is true that an Open Source System costs a lot less to start with, but what about site security?

Adviza_insights

In one sense you are right about the risks; but then there is a counter-example: hackers tend to target more widely used platforms such as Microsoft, Cisco, Oracle etc., and certainly there is no shortage of reported vulnerabilities in those commercial products.

Open source often tends to be treated as a bit less "establishment" by the security/hacking community, and hence vulnerabilities are often reported to the support community rather than being publicised to make a point (responsible disclosure notwithstanding).

It's true that open source software can be scrutinised to identify security holes/weaknesses - this is a defence, but it takes a special type of person to want to validate security by going through lines and lines of code.

What is certainly true to say, though, is that irrespective of the provenance of software and platforms (proprietary/open source), the way it is configured, set up, operated and used often plays a much bigger part than who wrote it and whether you can get to the source code.

An IIS implementation can be configured/set up more or less securely than an Apache one; and likewise you can configure Windows to be more or less secure in the same way you can with Linux... and choose a bad password for any system and you'll find it liable to attack...

Piers

ecenica (Free Member, Leeds, United Kingdom), May 26, 2010
How can they keep the system secured?
Engage with the open-source users. The culture of open-source means people are more forthcoming about offering advice without expecting payment.
Is it feasible for SMEs to go for Open Source Systems?
Yes.
It is true that Open Source System costs a lot less to start with but what about site security?
No. If you know what you're doing (see point 1), a well-secured Linux server, with an active firewall etc., is as secure as a locked-down Windows IIS server. If site security is a concern, I recommend paying a trusted tech to help lock down your site/server - and of course take backups! Just in case...

Cohesive Computing (Free Member), May 15, 2010
There's usually much more to security than having locked-down web servers, strong passwords and SSL. In the case of Microsoft, they have recently introduced the Security Development Lifecycle and automated tools for identifying vulnerabilities in source code.

Sometimes the security threats are of a non-technical nature, e.g. fraudulent behaviour by a customer - there should be a line of defence against this too.

One to watch out for is use of immature technology. Several years back I noticed that the rush to AJAX-enable public-facing web applications was resulting in serious security vulnerabilities in them. Little effort was being made to secure AJAX traffic, and calls could be easily spoofed and replayed.
One of the key issues is that open source exposes the source code to examination by everyone, so more information is available to attackers!

Exposing the source code reveals the security holes and leaves the system vulnerable!

Large organisations using Open Source hire Security Experts to prevent attacks, but what about SMEs with a low budget?

How can they keep the system secured?
Is it feasible for SMEs to go for Open Source Systems?

It is true that an Open Source System costs a lot less to start with, but what about site security?

This is an understandably common misconception.

In open source:
The bad guys get to inspect the code for vulnerabilities.
The good guys (the informed users who have a vested interest in not being hacked) get to inspect the code for security and inform/update.

In closed source:
The bad guys get to inspect the code for vulnerabilities (because they can!).
The good guys are limited to the employees of the vendor.

I think this quote from Elias Levy best sums it up.

"So does all this mean Open Source Software is no better than closed source software when it comes to security vulnerabilities? No. Open Source Software certainly does have the potential to be more secure than its closed source counterpart. But make no mistake, simply being open source is no guarantee of security."
In other words, be sure to use software that is both well tried and tested, and well supported.
I prefer the open source route. Basically, there's a community of people out there too numerous to mention (good guys) who actively look at the code and make the developers, and in turn the community, aware of potential issues. It then gets fixed.

This is great because it's not some proprietary software released by a corporation that has PR to protect and so is very cloak-and-dagger over its code and potential exploits.

I think we can all probably think of a rather large global software company that is secretive over its code and is constantly having to release updates (on THEIR schedule) to patch security exploits.