Open source does not mean open doors

The open source approach to software — “contrary to expectation and tradition” — provides some measure of insurance against security vulnerabilities, says advocate and developer Peter Harrison.

He cited the example of the Interbase database management product, originally developed by Ashton-Tate, which was taken over by Borland. As part of plans to spin Interbase support off into a separate services company in 2000, the product’s source code was opened.

A vulnerability was almost immediately found, and proved to have been introduced with version 4 of the product, in 1995. This suggests the fault was present for five years in the closed source product, but once the code was opened it was found and fixed within six months.

Security is about evolving solutions, says Harrison, of Nothing But Net and the NZ Open Source Society, and evolution is the essence of open source software, with its user feedback and rapid development and fix cycles.

Responding to the frequent allegation that Microsoft software only appears to be more vulnerable because there are more users to find vulnerabilities, Harrison, speaking at the recent IT Security 2003 conference in Wellington, cited the Apache web server.

Despite Apache holding over 60% market share, “there have been no widespread Apache viruses”, in striking contrast to the many reported vulnerabilities in Microsoft’s IIS, he says.

Harrison adds, however, that there is no silver bullet for any system. “Regardless of what software you use, you have to keep up with the patches.”