From Fedora Project Wiki

Contributing Writer: [[JoshBressers]]

=== Open Source Security ===
This week there was a story posted to Slashdot titled '''How To Argue That Open Source Software Is Secure?'''<ref>http://it.slashdot.org/article.pl?sid=09/02/11/007216</ref>. Quoting the post:
<pre>
... saying that they were warned that they are dangerously insecure because they run open source
operating systems or software, because 'anyone can read the code and hack you with ease.'
</pre>

This issue seems to keep coming up from time to time. The argument is of course silly, one of those "Prove it ... you can't? So it's true!" claims. There is no way to prove that a piece of closed source software is more or less secure than a given piece of Open Source software. If you can't see the source, you can't be certain that the vendor did or didn't fix issues; you have to trust your vendor unconditionally. If the source code is wide open for anyone to see, it keeps the vendor honest. You can't sweep issues under a transparent rug. You can try, and maybe hide a few piles of dust, but the really scary piles of dirt will stick out like sore thumbs.

One of the dead horses that various security folks like to beat is the claim that Open Source software is less secure because anyone can look at it and analyse its security weaknesses. So what happens when a system should be closed, but is suddenly broken open?

'''Marine One Data Breach'''<ref>http://news.cnet.com/8301-1009_3-10184558-83.html</ref>

It seems that Iran (the country) may have acquired sensitive information about the helicopter the President of the United States uses. When you're an organization with virtually limitless resources, the easy solution here is probably to just get a different helicopter, but suppose something similar happens to a piece of closed source software. Now you're at an elevated level of risk because people '''haven't''' been analysing your source code for weaknesses. Any good security system should still hold up even if complete details are made public. By purposely putting the source in public view, Open Source software has a very real advantage over a similar system that relies on obscurity as a feature.

The issue at hand isn't whether application A is more secure than application B, but whether you trust vendor A more than vendor B.

<references/>

Revision as of 18:04, 1 March 2009

Security Week

In this section, we highlight the security stories from the week in Fedora.
