YOUR FEEDBACK
Three RIA Platforms Compared: Adobe Flex, Google Web Toolkit, and OpenLaszlo
NN wrote: Yeah you are right GWT is poor man's Flex. After using GWT on two...
May. 12, 2008 04:50 AM
SOA World Conference
Virtualization Conference
$200 Savings Expire May 16, 2008... – Register Today!
Did you read today's front page stories & breaking news?
SYS-CON.TV: Eclipse Adds SOA, AJAX, and Flex Tools. Guests Mike Milinkovich and Mike Tylor

SYS-CON.TV
SYS-CON.TV WEBCASTS
JACKBE The Big A(architecture in AJAX)
INSTANTIATIONS Eclipse Rich Internet Platform with Taylor and Milinkovich
YAHOO! Applying AJAX to Speed User's Journey
ENERJY WEBCAST Java Code Quality Management
APP SERVER SHOOT-OUT with Microsoft, IBM, JBoss, Sun, BEA, and Oracle
TODAY'S TOP SOA & WEBSERVICES LINKS


News
Global Knowledge: Why Open Source Software Can Help Create a More Secure IT Infrastructure

By: IT Solutions Guide
Jun. 19, 2004 10:00 PM
Digg This!

Purchase a course online and you could receive an Apple iPod Mini or your choice of other free cool stuff, like a Microsoft Xbox or a PalmOne Tungsten E Handheld.

The open source security position challenges the failing status quo. Increasing security issues underline the fact that the proprietary "hide-the-code" approach is not working. The objective of this article is to present the requirement for ubiquitous, affordable security. It forwards the open source security position and presents empirical evidence, comparative methodology analysis, and references user experiences to support this position.

The Proprietary Software Position

In today's pervasive Internet-connected computing environment, security must be ubiquitously available and affordable to provide true universal assurance. Proprietary operating system practices for establishing secure and resilient enterprise systems are built on multi-level, multi-product approaches. This approach is cost prohibitive - and the cost trajectory of security technologies ensures the widening of the gap between the "haves" and "have nots."

Considering the pragmatic position, beyond availability, security must be an organizational priority in development and operations/management. Any organization's failure to remain current compromises not only its own security, but that of its collaboration and trading network. The total cost of ownership for proprietary security management is significant due to the requirement for constant attention. This too is a significant obstacle to ubiquitous, commodity security.

In addition to cost obstacles to universal commodity security, organizations often reject proprietary security investments based on the fact that they are ineffective and inflexible. As a consequence of expense and functional shortcomings, organizations are inclined to under invest. In summary, proprietary approaches limit the path to universal commodity security.

The number-one issue with the security of proprietary operating system software is that users are denied access to the source code. Proprietary vendors apply the logic that hidden is secure. The sensational IT security newspaper headlines of the last five years have underlined the fact that this "dark science" is not effective.

An organization would never move into a facility without an understanding of the placement of the doors and windows. If an organization rented a physical facility and was not informed of a hidden building vulnerability of which the facility provider was aware, and its business was compromised by that vulnerability, this would clearly provide grounds for a lawsuit. This practice of hiding known vulnerabilities is the norm for proprietary providers of operating systems that fulfill mission-critical software infrastructure functions. The reality is that it is impossible for organizations to proactively assess vulnerabilities and develop appropriate responses with proprietary operating systems.

Considering highly sensitive security environments, in cryptography circles the maxim is that the security of an algorithm should not depend on its secrecy. For example, the Clipper chip, RIAA digital watermarks, and ebooks all used cryptography developed in secrecy, through code that was never audited. In each circumstance, the code was successfully cracked. Closed, or proprietary software can be reverse engineered and protocols can be (and have repeatedly been) cracked through analysis. Secrecy or obscurity is not an effective security approach.

There is a fundamental user/vendor conflict that exists in the proprietary operating system security "need-to-know" position. Proprietary vendors frequently hide behind the "user interest and exposing customers to great vulnerability" argument to withhold information on vulnerabilities that are known to the operating system developer. Customers that rely on sole source providers are subject to the vendor's priorities, timelines, and business plans/objectives.

It is apparent that a huge number of organizations run their businesses on proprietary operating systems. The developers of these systems have often failed to assume responsibility in assuring the security of their products. In addition to pushing out flawed products without adequate code review to understand the vulnerabilities that they are handing on to customers, these vendors frequently fail to publicize system vulnerabilities - either at the time of discovery or thereafter. As a result patch penetration is low - systems with known vulnerabilities go unpatched for months, even years. For example, the CERT® CC reports that 60,000 hosts are still compromised by Code Red and are actively scanning 14 months after patches were first made available.

The proprietary vendor approach to significant infrastructure vulnerabilities is the new upgrade. Organizations are asked to install and pay for "fork lift" updates that frequently drive broader changes in their operating environments. As such, organizations are sometimes reluctant to update their systems as the impact may prove disruptive on the broader scale.

The Open Source Position

The fundamental nature of open source development provides a higher degree of responsiveness and faster resolution to security vulnerabilities than proprietary operating system vendors can provide. The combination of open code accessibility and the leverage associated with the large number of developers using and testing the software provide critical differentiators. Collaboration, peer review, and rapid feedback are enabled in global real time through the open source development model. Considered together, these factors accelerate resolution times for critical security vulnerabilities.

The open source community asserts that for operating system security to become truly ubiquitous, it must also be highly accessible through commodity hardware and software. As the TCP/IP protocol, World Wide Web, Apache web server, and Linux operating system have shown, when good technology has a low acquisition cost, it displaces inferior solutions that cost more. When the acquisition costs are low and all interfaces and implementations are published, such technologies can become standards. Standards, in turn, drive both direct and indirect adoption (the network effect). The growth of the Internet, World Wide Web, Apache, and Linux provide dramatic testimony to the power of the network effect and the popularity of the open source distribution model.

The big-picture goal is universal commodity security - enhancing security across all nodes and users, thereby creating a less hostile security context for each machine or user. Open source security is uniquely positioned to lead and sustain a new network effect that the industry so much needs today.

Open source software, by definition, includes any program or application in which the programming code is open and visible. Open source users recognize significant security benefits that flow from the accessibility of the source code. The open source development model is underpinned by the assurance that source code for an open source project will be made generally available.

Open source projects are typically developed on the basis of meritocracy and have a central person or body that approves developed code for "official" releases, making them widely available to the larger open source development community. This basic development methodology is markedly distinct from proprietary software development. Code access provides the ability to analyze and review the source code. In the case of Linux over 125,000 users and developers from around the world have participated in the process. When users team with vendors to become part of the solution, then "black hat" crackers are at a disadvantage. Code access dramatically improves the software development process, which is not possibly achievable by proprietary software vendors. The code accessibility that defines and reinforces the open source development model supports the creation of standards, a more responsive development process, and faster vulnerability disclosures.

Open source pressures developers and vendors to fully disclose vulnerabilities and accurately reveal their impact, allowing customers to analyze the vulnerability and look at the effect that it would have on their systems and the consequences of applying a fix. Open source software is generally provided and supported by a number of competing vendors. Fixing security issues occurs without the impact of business and financial drivers. This forces vendors to accelerate the timetable for fixes and promotes the elimination of vulnerabilities even in the absence of known threats.

The fact that there are so many vulnerabilities posted in many different places makes staying current on security a complex and time consuming undertaking. The open source community asserts that operating system security is the inherent responsibility of vendors. The industry needs to take a proactive stance in assisting users. As Red Hat provides a single source for a number of open source programs, it takes a responsible position by providing a single source for security notifications and updates.

Software vendors need to be accountable for software assurance, innovative in their approaches to software design to enable and respond to security, and support industry standards for reporting and addressing vulnerabilities. Ultimately, security must be able to pay for itself, not only in averting worst-case scenarios, but also in dealing with the many issues of real-world day-to-day operations.

Open source minimizes security management complexities and overhead through preciseness of software changes and back porting of fixes. Back porting ensures that security updates contain only the security fixes and not any additional features or bug fixes that could affect system stability.

Open source vendors provide mechanisms to quickly and easily apply security patches to users' environments through automated alert and update services like Red Hat Network, Ximian Red Carpet and Caldera Volution. Red Hat Network tracks user software installations for over 600,000 subscribers. As Red Hat tracks security vulnerabilities, it applies a relevance filter, and alerts users only of issues relevant to their environment. Red Hat Network empowers organizations to automatically update their IT systems - even without user interaction if preferred.

Performance Analysis: Separating the Wheat from the Chaff

No operating system is immune to security vulnerabilities. According to BUGTRAQ Vulnerability Database Statistics (www.kbeta.com/securitytips/vulnerabilities/), both open source and proprietary operating systems have varying numbers of reported vulnerabilities year to year. The increasing complexity of software development, coupled with the growing deployment of system software within consumer as well as business and public sector markets, has resulted in greater volumes of vulnerabilities reported each year. Numbers of vulnerabilities in a given operating system can correlate to many factors, including:

  • Number of installed images
  • Code accessibility
  • Number of features or embedded applications within an OS
    As such, it is more useful to evaluate vendor responsiveness to security vulnerabilities, rather than comparing net numbers of vulnerabilities for a given operating system.

    Security Portal Study: Bug/Security Fix Response Times

    Security Portal conducted an independent analysis in 2000 to determine comparative open source vs. proprietary operating system bug/security fix response times. The results:
    • Red Hat had the best score, with 348 recess days on 31 advisories, for an average of 11.23 days from bug to patch
    • Microsoft had 982 recess days on 61 advisories, averaging 16.10 days from bug to patch
    • Sun proved itself to be very slow, although having only 8 advisories; it accumulated 716 recess days, a whopping three months to fix each bug on average?.

    (source: Security Portal, 2000. http://old.lwn.net/2000/0120/security.php3).

    Open Source Users - Not Afraid of Worms

    All the worms that have affected Red Hat Linux so far have been written to take advantage of known defects. The table below shows the effectiveness of the open source approach to vulnerability audit. Community developers became aware of the following vulnerabilities (see table below) and issued patches before hackers had the opportunity to write worms to exploit those issues. It is important to note that any system that had been kept up-to-date would not have been affected by any of the Linux worms. For each worm introduced, administrators had a minimum of forty-five days to four months to apply patches. The fact that the worms were able to affect any users at all, shows that it is important for systems to be kept up to date.

    But Does Open Source Really Work in the Real World?

    The findings of an extensive study published by an Avaya Labs Research, Bell Laboratories/Lucent Technologies and eBuilt research team are revealing. Vulnerability considerations were a significant factor in the review that focused on two case studies of the open source software development model: Apache and Mozilla.4 The team concluded that the open source development model offers comparable and often better processes than proprietary development. It noted that the quality of Apache's secure design, as well as, open source review practices were a significant factor in driving its outstanding security track record.

    User Experience: U.S. Department of Defense, Burlington Coat Factory

    "Open source allows us the opportunity to have a proactive and pre-emptive identification of security holes by friendly analysis. As a result, this early identification and rapid repair of security vulnerabilities has become a major advantage of open source over proprietary approaches to software development."
    - Rob Walker, Program Manager, Defense Information Systems Agency

    "The security of open source software hasn't been an issue. It's excellent," said Prince, at Burlington's headquarters in Burlington, NJ. "On the operating system side, although there are loopholes found, the speed with which they're fixed and the commitment to making the problem known and resolved are excellent. The stability rivals the best of the proprietary UNIX systems. The whole security model in Linux is better than in Windows."
    - Mike Prince. CIO, Burlington Coat Factory Warehouse Corp.

    "I am a firm believer in trusting highly deployed open source solutions to be more secure, and more responsive to problems than proprietary solutions. Prior to my arrival, the department and the City of Charlottesville was 100 percent Microsoft. Since then, we began a campaign to increase security, save money an address the needs of management. We chose to standardize on Red Hat as our core open source distribution."
    - John Lewis, Security Systems Engineer, City of Charlottesville, VA

    Summary

    In all scientific fields, only what can be independently reviewed by the academic community can be accepted by the community as verified. Yet in the field of computers, our science is practiced as a "black art". Proprietary vendors hide code, obscure protocols, bury defects, and vehemently deny issues unless questioned under oath. To advance the state of the computer and information security industry, and importantly the user experience, we must both appeal to and submit to science. Our military, our government, our businesses increasingly depend upon computers to survive. In the world of computer security, "publish or perish" is no longer merely pat career advice meant primarily for academics - it is an urgent warning to IT professionals and society about how security software should be trusted. Open source returns the computer security industry to its scientific roots - thereby enabling progress of substance towards universal assurance.

    The principles of open source are simple, yet powerful. They resonate loudly in the security arena. The more people who have access to the source code and can employ their expertise to examine it, the fewer secrets are embedded in the code. As a direct result, code becomes more secure.

    • Published Jun. 19, 2004 — Reads 24,860
    Copyright © 2008 SYS-CON Media. All Rights Reserved.
    About IT Solutions Guide
    IT Solutions Guide (ITSG), aimed at development and corporate managers, is a free quarterly supplement focusing on the most competitive tools, solutions, and services available in the IT and infrastructure technology world today.

    jacksonj04 wrote: Linux Kernel is solid. Sadly, once you put useful applications on it (like the ones that make WXP 40 million lines long) it will fall apart.
    read & respond »
    EightBits wrote: Comparing an OS to a Kernel is all nice and dandy, but maybe we should be comparing an entire Linux-based OS to Windows XP. Remember that Windows XP comes with a media player, wordpad, notepad, and many many other tools. So let's take the full Redhat Enterprise WS distro (since it's a pretty popular commercial distro) and track down all it's bugs and see if that average doesn't change. I don't think we should be comparing OS vs Kernel. It takes a lot more than a kernel to make my Linux machine go. Having said that, I would be very interested in a comparison of the Windows XP kernel to the Linux kernel.
    read & respond »
    pcardno wrote: XP has been released for roughly 3 years. According to the poster, it's roughly 8 times the size of the code these guys analysed, in which they found 985 errors. So to be at the same level, that would allow for around 7880 bugs, or about 8-10 bugs being found per day since its release. Is that the frequency that's implied here? Also I would question though that the "bugs" they found would seem to be pure programming bugs, since they just analysed the source code. The majority of bugs found in systems are usually found by actually using the software and often come about as a result of either unexpected circumstances, unexpected input or compatability issues. Merely reporting the straight programming errors really isn't the same thing.
    read & respond »
    JaJ_D wrote: If 5.7 million lines of code should have "114,000 to 171,000 bugs" that should be that Windows has 800k - 1.2 million bugs!!!
    read & respond »
    vasqzr wrote: >>>>Talk about misleading stats...Apple != Orange<<<< What about if you throw in KDE or GNOME, Mozilla, etc, everything that you'd have to add to really equal the features of Windows XP....
    read & respond »
    The-Bus wrote: Everything is based on estimates. Now, you know and I know that the Linux kernel has less bugs... but this is a tentative (at best, shoddy at worst) way of presenting that idea.
    read & respond »
    kin_korn_karn wrote: Talk about misleading stats...Apple != Orange The Windows XP code base includes all of the extraneous crap that gets bundled with and on top of the kernel. The "Linux" code base just includes the kernel.
    read & respond »
    uthGy wrote: >>>>Yes, but did the researchers say how many bugs were in those 40 million lines of XP code? Maybe there were far FEWER than 985 x 7 (a pro rate comparison), in which case Windows, not the Linux kernel, would come out on top.<<<< How *can* they have seen the XP code, dummy - it's closed source remember!!!
    read & respond »
    Fair? wrote: Yes, but did the researchers say how many bugs were in those 40 million lines of XP code? Maybe there were far FEWER than 985 x 7 (a pro rate comparison), in which case Windows, not the Linux kernel, would come out on top.
    read & respond »
    SUBSCRIBE TO THE WORLD'S MOST POWERFUL NEWSLETTERS
    SUBSCRIBE TO OUR RSS FEEDS & GET YOUR SYS-CON NEWS LIVE!
    Click to Add our RSS Feeds to the Service of Your Choice:
    Google Reader or Homepage Add to My Yahoo! Subscribe with Bloglines Subscribe in NewsGator Online
    myFeedster Add to My AOL Subscribe in Rojo Add 'Hugg' to Newsburst from CNET News.com Kinja Digest View Additional SYS-CON Feeds
    Publish Your Article! Please send it to editorial(at)sys-con.com!

    Advertise on this site! Contact advertising(at)sys-con.com! 201 802-3021
    SYS-CON FEATURED WHITEPAPERS


    MOST READ THIS WEEK
    Virtualization Conference Keynote Webcast Live on SYS-CON.TV
    By James Hamilton
    Exclusive Q&A with Simon Crosby, CTO of Citrix & Founder of XenSource
    By Jeremy Geelan
    Virtualization is the Future of Enterprise Computing
    By Jeremy Geelan
    3rd International Virtualization Conference & Expo: Themes & Topics
    By Jeremy Geelan
    Red Hat Named "Platinum Sponsor" of Virtualization Conference & Expo
    By James Hamilton
    Virtualization Journal Print Archives: Volume 2 - Issue 5, September 14, 2005
    By Jack Norris
    3rd International Virtualization Conference & Expo in NYC to Present a World Class Faculty
    By Virtualization News Desk
    5th International Virtualization Conference & Expo in London Will Be the Most Significant Virtualization Event to Date
    By Virtualization News Desk
    V is for Venture...and for Virtualization
    By Jeremy Geelan
    Dell Steals Virtualization March on HP & IBM
    By Maureen O'Gara
    Virtualization for Deeply Embedded Applications
    By Frank Altschuler
    Egenera Founder Vern Brownell to Present at SYS-CON's Virtualization Conference
    By Virtualization News Desk
    ADS BY GOOGLE