In a recent conversation, I asked a company spokesperson if open source could ever be secure as so many people are able to change the code.
This led me to ask companies, both those involved in open source development and the wider industry, whether there is such a thing as secure open source. Mike Janke, CEO of Silent Circle, said that the most important tool is to have your code reviewed around the world.
He said: “I want open source to know how many vulnerabilities there are and if the provider is fixing it or not, but not a lot of people know that. Bruce Schneier says ‘do the math’ and Phil Zimmerman says you need to see the value in it; companies will sell you anything but will always tell you what it is good for.”
I caught up with Uri Rivner, formerly of RSA and now vice president of business development and cyber strategy at BioCatch. He said that we are all stronger as a result of reviewed code and that open source “actually helps security”.
“There is a big difference between seeing code and exploiting it, and the truly talented hackers, security researchers and experts don’t work for Governments – those are the real “A” talent people who end up testing and evaluating our open source code,” he said.
“The army of the world’s best talent from all countries goes through open source code. It may take a while, but over time the product becomes more secure through the mechanism of ‘group hive review’. This is why the NSA chose to exploit hardware and providers instead of truly sound open source encryption. That means that the mobile platform is the weak link.”
Technologies exist that are open source and widely used; an obvious example is Google’s Android. Rivner said that the basic version of Android is widely considered the least secure among mobile operating systems, while state-sponsored attackers already have access to any important source code imaginable, so if you’re worried about states attacking you, there isn’t much of a difference between relying on open source and closed source.
According to an Oracle whitepaper, an “open source license permits anybody in the community to study, change and distribute the software for free and for any purpose”. However it was less than complimentary about its strength against commercial products, saying: “Government sponsored community development approaches to software creation lack the financial incentives of commercial companies to produce low defect, well documented code and are not subject to the same market pressure at the software code level.”
So open source is developed by a community for the community, and there may not be the support and review that a paid-for product has, but it is seen as doing something for the community. Oracle said that “just about every commercial software vendor leverages open source software”.
One of these is Snort, developed by Sourcefire. Jason Brvenik, formerly vice president of security strategy at Sourcefire, is now principal engineer of the security business group at its parent company, Cisco.
He said that security is not dependent on whether it is closed or open source, but on design, review and trust. “An environment of many hands has early issues, but Snort would have been impossible to create if it was just us, but if it is created in the open, then an attacker will evade it,” he said.
“With Snort, companies would say that they trust it as they can review it on their own and look at peer review and maths, and it only serves to improve the quality of what they are talking about; if you review yourself, you help yourself and the solution as a whole. The more eyes the better, as with technology like this the more eyes there are, the more likely you are to spot something. Nothing is perfect and there are vulnerabilities in systems, and the time to deliver is faster than anything before, and we see bugs in ten-year-old technology within the kernel.”
Brvenik said that when you develop a new product, an option is to open source the feature sets to evolve them, and get feedback from users that you would not get in a closed environment.
So is open source more secure? As Oracle said, at first glance it might seem that organisations can avoid buying commercial software products simply by starting with open source software and developing their own applications, but the total cost of ownership for open source software often exceeds that of commercial software.
The question I would ask is whether you would want to use open source software. I do see that it is the coming together of the industry and minds to drive development of a great product, but who continues that development and support? Does it become a great paid-for product, or does it rely on that community to keep supporting it?
Open source is a great thing for the industry to do, but it is important that things are done properly for all our security.