The Open Source Advantage in Secure Application Development

The security benefits and risks of Open Source code are among the most debated topics in information security today. The views of proponents of the Open Source model are typified by Eric Raymond's argument that Open Source software is intrinsically more secure since its open nature lets a greater number of programmers view the source code and uncover potential security threats before they're released to the wild.

Fewer people see closed source software, on the other hand, and so the odds of uncovering a potential security threat before a system cracker finds it are diminished. Opponents of this model argue that the source code availability of Open Source software lets crackers search the code for potential exploits and provides them a useful way to design attacks. They argue that this makes closed source software intrinsically more secure by way of the principle of security through obscurity.

Part of the reason that no clear consensus will be reached on this issue any time soon is that both arguments have elements of truth to them. Knowledge is always a double-edged sword in that it can be applied for either good or evil purposes. In this case, the outcome the pro-Open Source argument points to, accessible source code uncovering vulnerabilities and producing fixes, is good, while the outcome the pro-closed source argument points to, crackers using the code for hacking, is bad. As with most issues in the world, this duality of good and evil applications means the answer won't be found in arguments at either extreme. Rather, the answer lies in weighing the risks and benefits offered by both sides, and as it turns out, this set of arguments isn't unique to computer security.

A similar debate has been going on for some time in biology and its intensity has escalated with the realization that there could be a bioterrorist attack. The controversy lies in scientists publishing, in publicly accessible repositories like Genbank, the DNA sequences of organisms that are known pathogens and dangerous to humans and other animal species. Using molecular biological methods these sequences can, in theory, be used to reconstruct the pathogen and potentially aid in engineering a more virulent form of the organism. This controversy hit the news with the October 2005 publication of the 1918 influenza virus genome. The 1918 flu virus is estimated to have caused the death of 50 million people. In essence the computer security debate and the debate over the potential misuse of biological data are one and the same. DNA can basically be thought of as an information storage medium whose sequence contains all of the instruction sets necessary for an organism to develop and survive. DNA sequences are really the code of life, and the issue is whether or not such code should be open sourced.

What should interest the Open Source community is that, while dissenting opinions exist, scientists have generally decided that disseminating information is better than not. Knowledge is a valuable resource because it can generate even more knowledge, which means it can further our ability to cure diseases such as the flu or it can enhance our ability to secure computer applications. For example, scientists are trying to unlock the functional mechanisms that made the 1918 flu so virulent in hopes of developing treatments for the modern bird flu. A big part of this kind of research lies in comparing the virulent 1918 strain against more benign strains to pinpoint what's different.

The same principle could apply to computer security, if programmers consider the knowledge contained in the differences between the pre-fix and post-fix versions of code in which a security vulnerability was repaired. Each of these can, in effect, become a case study for other programmers on how to or how not to program something to avoid a given type of vulnerability. Having this code open sourced could form a tremendous security knowledge base on which future programming choices could be made and, in the end, result in the enhanced security of computer operating systems and applications. To facilitate such learning it's imperative that developers thoroughly document their changes and their rationale for making those particular changes. In contrast, in a closed source system, when the group that maintains the code fixes a certain kind of security vulnerability, that group may learn how to eliminate that type of problem, but other groups won't benefit from their experience. It's this principle that I think in the end makes Open Source more valuable from a security perspective. The true security benefit of Open Source isn't in a more secure today, but in its ability to empower a more secure tomorrow.

© 2008 SYS-CON Media Inc.