OSS attacks will grow with adoption

By Victoria Ho, ZDNet Asia
Wednesday, May 20, 2009 06:37 PM

Open source software (OSS) is not impenetrable, and will likely be an increasing target of hackers if it grows in adoption, said a security expert.

Speaking at a briefing Wednesday, Rohit Dhamankar, director of security research, DVLabs at TippingPoint, said computer criminals tend to work for profit gain and will attack widely-deployed software to gain access to more terminals easily.

But he noted that OSS is a harder target to attack, because of the speed at which bugs get patched. The visibility of code and mass participative nature of open source development helps bugs get discovered faster.

And since zero-day attacks are the most commonly used method, closing holes faster thwarts the spread of such malware, said Dhamankar. Zero-day malware attacks vulnerabilities that have yet to be patched by the manufacturer.

Low Chee Juee, technical consultant, systems engineering (pre-sales) at Symantec Singapore, told ZDNet Asia it all comes down to how widely adopted a particular piece of software is.

"Regardless of whether the targeted technology is OSS, perpetrators tend to focus their efforts on targets that will give them greater bang for their buck," said Low in an e-mail interview.

Low added that OSS is not necessarily more secure than closed source alternatives, because of ownership: the vendor selling proprietary software is directly responsible for product quality and hence has a vested interest in ensuring timely product fixes, he said.

"Commercial software benefits from dedicated IT staff who are invested in ensuring product quality, as well as ongoing feature enhancements and maintenance," noted Low.

Low offered the examples of closed source and open source Web browsers, as well as a contrast between the smaller browser companies and larger software houses.

According to Symantec data, 99 vulnerability exploits were found in open source Mozilla Firefox, compared to 47 in Microsoft Internet Explorer. Firefox's market share has been growing steadily over the past year.

However, Low said that the bigger vendors, Microsoft and Apple, have been notably slower to patch discovered vulnerabilities than the smaller, independent Opera and the open source Firefox. The window of exposure for Apple Safari was 9 days and for Internet Explorer 7 days.

Firefox's window was less than a day, and Opera's was one day. "This may be due to the possibility that vendors whose main product is a Web browser do not have to spread their security response efforts across multiple, disparate products, and can instead focus on the browser.

"Comparably, major operating system vendors typically have to coordinate security response efforts across a larger number of unpatched vulnerabilities affecting a more diverse product portfolio and organization," he said.

This notion of mass participation within the OSS development community helping to ensure bugs are squashed quickly is not new.

It has been an idea espoused by both open source fans and technology vendors.

A Gartner report from last year also detailed that OSS has "fewer vulnerabilities" than closed source counterparts, and attributed this to visibility into the code.

But an Ovum analyst said earlier this year that companies shouldn't assume OSS is more secure than proprietary software, but that the two are "on par" from a security standpoint.

He explained that, among the 300,000 projects in the OSS universe, it is not possible to say every application is safe.



Talkback 6 comments

OSS attacks will grow with adoption
The article fails to take into account Linux distributions that proactively defend against zero-day attacks using various technological measures such as: selinux mandatory access control, data hardening, compile-time buffer checks, restricted kernel memory access, stack smash protection, buffer overflow detection, and variable reordering. For example, Fedora Linux includes all of the zero-day protections. These technologies prevent most zero-day exposures from being exploited effectively until they can be corrected (about a day, as the article noted). If security is a concern, then people should look at those Linux distributions that are hardened and offer the infrastructure to respond quickly.
Posted by Mace Moneta on Thursday, May 21 2009 04:52 AM

RE: OSS attacks will grow with adoption
This article did not mention Linux at all. It is talking about Open Source browser applications not Operating Systems.
Posted by Chaotic Reasoning on Thursday, May 21 2009 04:57 AM

RE: RE: OSS attacks will grow with adoption
Browsers, used as an example of OSS in the article, are applications that run under operating systems. Their potential weaknesses are thus mitigated by the operating system they are used with. The functionality of an exploit is restricted by what the OS allows the browser to do. In addition, each Linux distribution can compile the browser with its own tool chain to harden the browser against exploits which may in fact exist in the upstream vendor's distribution.
Posted by Mace Moneta on Thursday, May 21 2009 05:30 AM

RE: RE: OSS attacks will grow with adoption
Erm, this article was talking about OSS in general, which INCLUDES Linux. They never stated anywhere in this article that they were talking exclusively about browsers.
Posted by logical reasoning on Thursday, May 21 2009 08:24 AM

RE: There's nothing wrong, and nothing new anyway.
It did say OSS is harder to attack due to the speed at which it is patched. But understandably it is less prone to attack when there is less adoption, with the exception of Firefox.

But honestly, who can be sure that among the 300,000 projects in the OSS universe every one is well supported and secured? I'd think that those higher profile projects or those well funded ones and those that attract more community involvement are better supported.
Posted by Average Joe on the road on Thursday, May 21 2009 10:41 AM

OSS attacks will grow with adoption
First that's FOSS, as in Free and Open Source Software. Second FOSS is already highly adopted, the Internet runs on Free and Open Source Software, from Apache to GNU/Linux, so attacks should already have grown.

The thing is they aren't particularly effective, unlike attacks on certain Proprietary Software.

Given its already high adoption rate, and low failure rate, much as this article attempts to spin it the other way, FOSS has already shown itself to be the safer bet.
Posted by tracyanne on Thursday, May 21 2009 08:30 PM
