
Open-source versus proprietary software: Is one more reliable and secure than the other?

Publication: IBM Systems Journal
Publication Date: 01-JUN-05
Format: Online
Delivery: Immediate Online Access

Article Excerpt
The explosive increase in the number of deployed free and open-source software (FOSS) systems has changed the world of information technology. When the first FOSS systems were developed, many of the users of these early systems were themselves technologists. Moreover, the distribution and use of such FOSS systems was initially limited to academia, research laboratories, and technical user groups. Today, however, FOSS systems are being developed and designed for mass consumption. Most of the businesses on the Internet use FOSS-developed systems, and retail stores such as Wal-Mart are offering to the general public steeply discounted computers that take advantage of FOSS-developed software. As the group of people and organizations that depends on FOSS technologies continues to grow, it becomes increasingly important that FOSS systems be secure and reliable.

Many FOSS systems were originally developed by a loose collaboration of volunteer programmers. The completed systems were then released to the public, and anyone could acquire and use these systems without paying a licensing fee. Free support for these systems was also provided by the volunteer community in the form of mailing lists and Web sites. Currently, however, many FOSS projects are professional efforts in which development is performed by a team of paid programmers, and the system is supported either without charge or through fees and subscriptions. In contrast, traditional proprietary systems are developed by a team of designers, project managers, programmers, technical writers, and quality assurance engineers. The systems they produce undergo design reviews, development progress reports, and formal quality assurance testing. Once completed, these systems are packaged commodities that are sold or licensed to the public for a fee. Support for the software product is usually provided by the developer of the system.

Which model is more reliable in terms of availability and security? Many papers discussing these issues have been published by proponents of each type of software. This paper examines the arguments presented in these published reports as well as the deployment and reliability figures for both open and proprietary systems.

SECURITY AND RELIABILITY CONSIDERATIONS FOR FOSS AND PROPRIETARY SYSTEMS

The security and reliability of FOSS-based systems are currently topics of an often heated debate. Proprietary vendors are funding, producing, and publishing reports supporting the position that closed-source proprietary systems offer superior security relative to their FOSS counterparts. For every report that is published claiming the superior security of proprietary systems, the FOSS community responds with a report refuting these claims.

Perhaps a significant reason for this heated debate is the fact that widespread adoption of the FOSS model would directly threaten the revenue stream of vendors of proprietary software. In several recent 10-Q quarterly filings with the Securities and Exchange Commission, Microsoft, one of the world's largest software publishers, has stated that the popularization and adoption of FOSS systems pose a significant challenge to its business model. (1) It is not surprising then that proprietary software vendors are on the offensive, attempting to discredit FOSS-developed systems.

Arguments about the relative security and reliability of FOSS and proprietary software typically focus on two key issues: availability of source code and software defect levels. We discuss these issues in the following sections.

Availability of source code

In June 2002, the white paper "Opening the Open Source Debate" (2) was released by the Alexis de Tocqueville Institution, an organization funded in part by Microsoft. Among its most controversial findings was that "Open source GPL [General Public License] use by government agencies could easily become a national security concern. Government use of software in the public domain is exceptionally risky." The basis for this assertion is the assumption that publicly available source code invites "hackers" (3) to examine the code in order first to search for exploitable vulnerabilities and then to develop and deploy Trojan horses and other types of malicious software. Therefore, the study concludes that the availability of source code is a significant security threat to government organizations using FOSS.

There are several problems with this assertion. It implies that closed-source proprietary systems are automatically more secure than their FOSS counterparts, which is a "security through obscurity" argument. If this assertion were true, then the number and rate of published vulnerability reports for closed-source systems should be significantly lower than those of their FOSS equivalents.

However, the available data does not support this assertion. In fact, many FOSS systems have substantially lower rates of published vulnerabilities than their closed-source counterparts. For example, a recent report (4) showed that Apache, a FOSS Web server whose history and development (5) will be discussed in more detail later in this paper, suffered from substantially fewer published vulnerabilities than Microsoft's IIS (Internet Information Server) and marginally more vulnerabilities than Netscape Enterprise Server. If the de Tocqueville Institution's assertion were true, then Apache should have had significantly more published vulnerabilities than the closed-source Web servers.

Hiding the source code for a system does not provide any additional security. People searching for vulnerabilities do not require source code to discover software defects. For example, a common way to locate a software defect is to send a program unexpected and unusual data and then monitor how the system responds. (6) If the system fails or behaves erratically as a result of the input, this might indicate a flaw in the system that would warrant further investigation.
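The black-box technique described above (feeding a program unexpected input and watching how it responds), as an added example that is not part of the original article: a constructed toy record parser is fuzzed as an opaque target, beside a hardened version of the same parser that rejects every malformed input in a controlled way. The record format, the parsers and the harness are all assumptions made for this illustration, not code from the paper.

```python
import random

SEED = b"2;a=1;b=2"   # constructed format: "<count>;<key>=<value>;..."

def parse_record(data: bytes) -> dict:
    # Naive parser: the declared count is trusted (the defect under test).
    count_str, _, rest = data.decode("ascii").partition(";")
    count, fields, out = int(count_str), rest.split(";"), {}
    for i in range(count):            # never checked against len(fields)
        key, value = fields[i].split("=")
        out[key] = value
    return out

def parse_record_hardened(data: bytes) -> dict:
    # Same format; malformed input is rejected with ValueError (UnicodeDecodeError is one too).
    count_str, _, rest = data.decode("ascii").partition(";")
    count, fields, out = int(count_str), rest.split(";") if rest else [], {}
    if count < 0 or count > len(fields):
        raise ValueError("declared count does not match the input")
    for field in fields[:count]:
        key, sep, value = field.partition("=")
        if not (key and sep):
            raise ValueError("malformed field")
        out[key] = value
    return out

def mutate(seed: bytes, rng: random.Random) -> bytes:
    # 1-4 random edits: overwrite a byte or truncate the buffer.
    buf = bytearray(seed)
    for _ in range(rng.randint(1, 4)):
        if rng.randrange(2) == 0 and buf:
            buf[rng.randrange(len(buf))] = rng.randrange(256)
        elif buf:
            del buf[rng.randrange(len(buf)):]
    return bytes(buf)

def fuzz(target, seed: bytes, iterations: int = 2000, rng_seed: int = 1) -> list:
    # Black-box harness: collect inputs that make the target fail unexpectedly.
    rng, crashes = random.Random(rng_seed), []
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            target(case)
        except ValueError:
            continue                  # controlled rejection is the desired response
        except Exception as exc:      # anything else is a defect to investigate
            crashes.append((type(exc).__name__, case))
    return crashes
```

Running `fuzz(parse_record, SEED)` surfaces the unchecked count as a list of crashing inputs, while `fuzz(parse_record_hardened, SEED)` returns an empty list; the harness never looked at either parser's source.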

With the prevalence of sophisticated software monitoring, debugging, and disassembly tools, much of the source code can be derived from the binary version of the executable program. Anyone interested in obtaining the source code would simply have to apply one of many widely available tools to the program. The output from these programs, while not perfect,...

NOTE: All illustrations and photos have been removed from this article.


